leonst
asked on
Restrict computers to specific user accounts in AD
Hi,
I'm familiar with the user account option to restrict use of the account to a list of named computers.
What I want to do is the opposite. For certain computers I only want certain accounts to have access.
E.g. User U1 can login to all computers, but user U2 can log into most computers not five of them.
I could do this by setting allowed workstations for every account but, apart from being a lot work, this seems a clumsy solution.
Is there a better way?
W2003 domain, XP Pro clients.
Thanks,
Leon...
I'm familiar with the user account option to restrict use of the account to a list of named computers.
What I want to do is the opposite. For certain computers I only want certain accounts to have access.
E.g. User U1 can login to all computers, but user U2 can log into most computers not five of them.
I could do this by setting allowed workstations for every account but, apart from being a lot work, this seems a clumsy solution.
Is there a better way?
W2003 domain, XP Pro clients.
Thanks,
Leon...
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
I found this article:
http://www.microsoft.com/technet/security/prodtech/windows2000/w2kccadm/localpol/w2kadm12.mspx
and worked out that the policy I wanted was Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Logon Locally.
By specifying one group for this it seems to work fine.