FunkMasterWeb

How do I use Group Policy to restrict a Security Group to only be able to log onto computers in a particular OU?

Kindly review my post in its entirety before answering.

I’m running Active Directory on a Win2003 server that is our internal DC. At the current moment, any domain user can log onto any client PC that was previously joined to our domain.

For clarification, none of my users have Roaming Profiles, nor do these users log in "locally" to any client; they can only log in using their domain account. Moreover, I am familiar with the "LOG ON TO" setting on the user account, but I was hoping there was a way to manage this via Group Policy for the entire OU.

With that said, I now want to restrict a particular group of users to a particular group of computers.
--For example, let's say my building has 3 floors.
--I have grouped all users and all computers from each floor into their own OU; floor_1, floor_2 and floor_3 respectively.
--I have also added the users on the 1st floor into their own Security Group called "1st_floor", and similarly for the other 2 floors.

Using Group Policy, I now wish to restrict users in the "1st_floor" security group from logging into computers located in the "floor_2" and "floor_3" OU.

Is this possible and, if so, how do I accomplish this?
Thank you in advance for your insight.
ASKER CERTIFIED SOLUTION
JamesDS

This solution is only available to members.
FunkMasterWeb

ASKER

JamesDS,

I'm not related to the other question; I just had a similar question and the wording fit.

I will try your solution in the next day or so. If it works, I will accept your answer.

By the way, how long do I have to accept an answer? Will this website ever close an open question and/or award points without my interaction?

Thanks.
By the way, since GP can redirect the desktop folder, can it also be used to dictate the settings found in WinXP under MY COMPUTER, PROPERTIES, ADVANCED, PERFORMANCE SETTINGS?  I'd like to disable all that "fisher price" curves and colors crap that is enabled by default with WinXP.
Yes.... 21 days of no comments is the standard, but... no one is there to stare every question down to find out when.
I would guess a good month or two is safe. A regular post or two will be made for comments from all parties before closing the question.
See this example if you wish:
https://www.experts-exchange.com/questions/20560330/Finding-the-NetBIOS-computer-name-for-a-given-username.html

Note that the example question is a year old and just being "cleaned".
FunkMasterWeb,

Why not just use the GPO to disable users' access to the Display panel? Saves me loads of trouble!
;-)
Here's MS's word on it and how:
www.microsoft.com/.../ doc/tre_nt/Module%204%20-%20Group%20Policy%20in%20Windows%20Server%202003.ppt
WHAT90 -- can't read your URL.
KABAAM -- are you the same person as JamesDS?

ANYONE --
Since GP can redirect the desktop folder, can it also be used to dictate the settings found in WinXP under MY COMPUTER, PROPERTIES, ADVANCED, PERFORMANCE SETTINGS?  I'd like to disable all that "fisher price" curves and colors crap that is enabled by default with WinXP.
FunkMasterWeb

Firstly, I am not Kabaam - I wish I had his patience.

Secondly, the solution I posted does fix your problem, as I do the exact thing here.

Lastly, I believe you have already posted your "fisher price" question elsewhere.

Cheers

JamesDS
FMW,
What is your goal here? Something does not look right. As James pointed out above, this is the exact same question as posted by CrimeScene; now you are posting an exact copy of another open question in the topic area.
It appears to me that you are re-asking questions to get the answers to post in the original question.
I am confused by your motives here.
KABAAM -- not sure who you are or why you're posting non-answers to my post. But thanks for clarifying my off-topic question.

AndyITsupport -- I don't know what you're talking about, as I only have one account. I do, however, browse for answers and often copy other people's wording if it suits me. Don't I have the right to do that?

JamesDS -- thanks for your solution.
Also, my "fisher price" question appears twice within this very same question/post. So, in fact, you did see it twice. Am I not allowed to repeat a question within the same post either?