Solved

Lockout

Posted on 2006-11-14
5
207 Views
Last Modified: 2010-04-11
I just found out from our security admin that one cannot apply a local policy on an XP box to a group in Active Directory.  This creates a particular challenge for us.  This is what I am trying to do.

Task:  Disallow most domain users from logging in to the domain on 6 individual computers.
    Exceptions to this:
           Domain Admins
           10 specific users whos names will change over time
0
Comment
Question by:tedpenner
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
5 Comments
 
LVL 38

Accepted Solution

by:
Shift-3 earned 250 total points
ID: 17942159
1. Create a new security group and add the 10 desired users.

2. Add the 6 restricted computers to an OU.  To preserve other policies it might be simplest to create a new OU under the one they're currently in.

3. Create a new Group Policy Object and configure the setting "Log on locally" under Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment.  Add Domain Admins and the group from Step 1.

4. Link this GPO to the OU containing the restricted workstations.

5. (optional) Run gpupdate /force on the restricted workstations if you want the settings to be applied immediately.

When you want to change the list of allowed users just modify the membership of the security group.
0
 
LVL 3

Assisted Solution

by:mahe2000
mahe2000 earned 250 total points
ID: 17983157
You don't need to create a new OU, you just need to setup the correct permissions for the GPO, just set the apply policy permission to the machine account or to a group of computer accounts.
0

Featured Post

How our DevOps Teams Maximize Uptime

Our Dev teams are like yours. They’re continually cranking out code for new features/bugs fixes, testing, deploying, responding to production monitoring events and more. It’s complex. So, we thought you’d like to see what’s working for us. Read the use case whitepaper.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Many old projects have bad code, but the budget doesn't exist to rewrite the codebase. You can update this code to be safer by introducing contemporary input validation, sanitation, and safer database queries.
Smart phones, smart watches, Bluetooth-connected devices—the IoT is all around us. In this article, we take a look at the security implications of our highly connected world.
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…

710 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question