How do I use Group Policy to restrict a Security Group to only be able to log onto computers in a particular OU?

Kindly review my post in its entirety before answering.

I’m running Active Directory on a Win2003 server that is our internal DC. At the current moment, any domain user can log onto any client pc that was previously joined to our domain.

For clarification, none of my users have Roaming Profiles, nor do these users log in "locally" to any client; they can only log in using their domain account. Moreover, I am familiar with the "LOG ON TO" setting on the user account, but I was hoping there was a way to manage this via Group Policy for the entire OU.

With that said, I now want to restrict a particular group of users to a particular group of computers.
--For example, let's say my building has 3 floors.
--I have grouped all users and all computers from each floor into their own OU; floor_1, floor_2 and floor_3 respectively.
--I have also added the users on the 1st floor into their own Security Group called "1st_floor", and similarly for the other 2 floors.

Using Group Policy, I now wish to restrict users in the "1st_floor" security group from logging into computers located in the "floor_2" and "floor_3" OU.

Is this possible and, if so, how do I accomplish this?
Thank you in advance for your insight.
JamesDS Commented:

I take it then that this did not solve your problem:

You need to set the logon locally security right - which as you know is done with group policy on the machine policy node.
Windows Settings\Security Settings\Local Policies\User rights assignment - Allow log on locally

This setting can only be set with the machine policy so your OUs only need to contain workstation accounts as users in these OUs will be neatly ignored.

The rest of the work is done with security groups.

Let's call our department "Sales"
So, you should have a departmental OU called "Sales" containing a bunch of workstation accounts and a GPO with the above setting assigned to a local or domain local security group called "Sales Users" and at least the administrators group, for obvious reasons!

Adding user accounts to the group "Sales" will allow them access to the machines controlled by that GPO.

To expand this to all departments you create a new GPO and corresponding group for each departmental OU and assign all your users to one or other, or they will not be able to log on anywhere (which is not a bad thing in the security world!).

I actually do this here, it works fine and is not complex
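
The setting described in the answer above, as it is stored on disk, with a check for the Administrators caveat (an added example, not part of the original thread): a GPO saves user rights under [Privilege Rights] in its GptTmpl.inf security template, where "Allow log on locally" appears as SeInteractiveLogonRight. The sample templates, the SID standing in for "Sales Users" and the function names are constructed for illustration.

```python
ADMINISTRATORS_SID = "S-1-5-32-544"      # well-known SID of BUILTIN\Administrators
LOGON_RIGHT = "SeInteractiveLogonRight"  # template name of "Allow log on locally"
SALES_USERS_SID = "S-1-5-21-1111111111-2222222222-3333333333-1601"  # constructed

# Constructed GptTmpl.inf content for the "Sales" GPO (real files are UTF-16 text).
SAMPLE_SALES_GPO = """[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-21-1111111111-2222222222-3333333333-1601
[Version]
signature="$CHICAGO$"
"""
# Constructed mistake: the departmental group was added but Administrators was not.
SAMPLE_NO_ADMINS = """[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-21-1111111111-2222222222-3333333333-1601
"""

def parse_privilege_rights(inf_text):
    """Return {right: [principals]} from the [Privilege Rights] section."""
    rights, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
        elif in_section and "=" in line:
            name, _, value = line.partition("=")
            # Comma-separated entries; SIDs carry a leading '*', account names do not.
            rights[name.strip()] = [p.strip().lstrip("*")
                                    for p in value.split(",") if p.strip()]
    return rights

def audit_logon_right(inf_text, group_sid):
    """List problems with who may log on locally under this template."""
    principals = parse_privilege_rights(inf_text).get(LOGON_RIGHT)
    if principals is None:
        return ["right not defined in this GPO: it restricts nothing"]
    allowed = {ADMINISTRATORS_SID, "Administrators", group_sid}
    findings = []
    if not {ADMINISTRATORS_SID, "Administrators"} & set(principals):
        findings.append("Administrators missing: admins cannot log on to these machines")
    if group_sid not in principals:
        findings.append("departmental group missing: its users cannot log on")
    extra = [p for p in principals if p not in allowed]
    if extra:
        findings.append("unexpected principals allowed: " + ", ".join(extra))
    return findings
```

An empty list from audit_logon_right means only Administrators and the departmental group may log on locally to the machines the GPO applies to.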


FunkMasterWeb (Author) Commented:

I'm not related to other question, just had similar question and the wording fit.

I will try your solution in the next day or so. If it works, I will accept your answer.

By the way, how long do I have to accept an answer? Will this website ever close an open question and/or award points without my interaction?

FunkMasterWeb (Author) Commented:
By the way, since GP can redirect the desktop folder, can it also be used to dictate the settings found in WinXP under MY COMPUTER, PROPERTIES, ADVANCED, PERFORMANCE SETTINGS?  I'd like to disable all that "fisher price" curves and colors crap that is enabled by default with WinXP.

yes.... 21 days of no comments is the standard but... no one is there to stare every question down to find out when.
I would guess a good month or two is safe.  A regular post or two will be made for comments from all parties before closing the question.
see this example if you wish

note that the example question is a year old and just being "cleaned"

Why not just use the GPO to disable user's access to the Display panel. Saves me loads of trouble!
Here's Ms word on it and how : doc/tre_nt/Module%204%20-%20Group%20Policy%20in%20Windows%20Server%202003.ppt
FunkMasterWeb (Author) Commented:
WHAT90 -- can't read your URL.
KABAAM -- are you the same person as JamesDS?

Since GP can redirect the desktop folder, can it also be used to dictate the settings found in WinXP under MY COMPUTER, PROPERTIES, ADVANCED, PERFORMANCE SETTINGS?  I'd like to disable all that "fisher price" curves and colors crap that is enabled by default with WinXP.

Firstly, I am not Kabaam - I wish I had his patience.

Secondly the solution I posted does fix your problem as I do the exact thing here

Lastly, I believe you have already posted your "fisher price" question elsewhere


What is your goal here?  Something does not look right.  As James pointed out above, this is the exact same question as posted by CrimeScene, now you are posting an exact copy of another open question in the topic area.  
It appears to me that you are reasking questions to get the answers to post in the original question.  
I am confused by your motives here.
FunkMasterWeb (Author) Commented:
KABAAM -- not sure who you are or why you're posting non-answers to my post. But thanks for clarifying my off-topic question.

AndyITsupport -- I don't know what you're talking about, as I only have one account. I do, however, browse for answers and often copy other people's wording if it suits me. Don't I have the right to do that?

JamesDS -- thanks for your solution.
FunkMasterWeb (Author) Commented:
Also, my "fisher price" question appears twice within this very same question/post. So, in fact, you did see it twice. Am I not allowed to repeat a question within the same post either?
Question has a verified solution.
