Solved

Restrict Logon to Computers in an Organizational Unit

Posted on 2007-03-22
4
958 Views
Last Modified: 2012-06-27
I am running a winodws 2003 forest with only one domain. In this domain I have created three Organizational Units for the purpose of grouping my computers in the domain namely OU1, OU2, OU3. Each of these Organizational Units consists of about 500 Computers. I also have created three more Organizational Units for the purpose of grouping my users namely UserGroup1, UserGroup2, UserGroup3. Currently what any user can logon to any computer. I now want to device a policies which would only allow 1) UserGroup1 to only Logon to OU1     2) UserGroup2 to only Logon to OU2    3) UserGroup3 to only logon to OU3. That is to say I do not want users in UserGroup1 to be able to logon to computers that are in OU3. How do I implement such a policy.  
0
Comment
Question by:nyathim
  • 2
4 Comments
 
LVL 70

Expert Comment

by:KCTS
ID: 18772220
I can't think of any way in which this can be done with group policy.
0
 
LVL 19

Accepted Solution

by:
aissim earned 250 total points
ID: 18773460
Give this a try:
First you'll have to create 3 security groups - one for each of your user OU's (we'll say SecUser1, SecUser2, SecUser3). Then you'll create three different GPO's, one assigned to each of your computer OU's.
Edit each of the GPO's and navigate to Computer Configuration | Windows Settings | Security Settings | Local Policies | User Rights Assignment | 'Allow log on locally'....define this setting and only allow SecUser1 group for the OU1 GPO.....SecUser2 group for the OU2 GPO...etc.

Good luck!
0
 
LVL 40

Expert Comment

by:Vadim Rapp
ID: 18773674
in addition to what asissim said: this policy setting won't allow you to only allow secuser1 etc.; it will require that Administrators should also be granted this permission. So you add local administrators; then you will have to ensure that local administrators group on all machines does not include domain users.
0
 
LVL 19

Expert Comment

by:aissim
ID: 18773883
Good point! Forgot that part...
0

Featured Post

Best Practices: Disaster Recovery Testing

Besides backup, any IT division should have a disaster recovery plan. You will find a few tips below relating to the development of such a plan and to what issues one should pay special attention in the course of backup planning.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

I have never ceased to be amazed how many problems you can encounter on a fresh install of a Windows operating system.  This is certainly case in point& Unable to complete ANY MSI installation.  This means Windows Updates are failing and I can't …
Setting up a Microsoft WSUS update system is free relatively speaking if you have hard disk space and processor capacity.   However, WSUS can be a blessing and a curse. For example, there is nothing worse than approving updates and they just have…
This Micro Tutorial will teach you how to censor certain areas of your screen. The example in this video will show a little boy's face being blurred. This will be demonstrated using Adobe Premiere Pro CS6.
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …

867 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

18 Experts available now in Live!

Get 1:1 Help Now