Solved

Restrict Logon to Computers in an Organizational Unit

Posted on 2007-03-22
Last Modified: 2012-06-27
I am running a Windows 2003 forest with only one domain. In this domain I have created three Organizational Units for the purpose of grouping my computers in the domain, namely OU1, OU2, OU3. Each of these Organizational Units consists of about 500 computers. I have also created three more Organizational Units for the purpose of grouping my users, namely UserGroup1, UserGroup2, UserGroup3. Currently any user can log on to any computer. I now want to devise a policy which would only allow 1) UserGroup1 to only log on to OU1, 2) UserGroup2 to only log on to OU2, 3) UserGroup3 to only log on to OU3. That is to say, I do not want users in UserGroup1 to be able to log on to computers that are in OU3. How do I implement such a policy?
Question by:nyathim
4 Comments
 
LVL 70

Expert Comment

by:KCTS
ID: 18772220
I can't think of any way in which this can be done with group policy.
0
 
LVL 19

Accepted Solution

by:
aissim earned 250 total points
ID: 18773460
Give this a try:
First you'll have to create 3 security groups, one for each of your user OUs (we'll say SecUser1, SecUser2, SecUser3). Then you'll create three different GPOs, one assigned to each of your computer OUs.
Edit each of the GPOs and navigate to Computer Configuration | Windows Settings | Security Settings | Local Policies | User Rights Assignment | 'Allow log on locally'. Define this setting and only allow the SecUser1 group for the OU1 GPO, the SecUser2 group for the OU2 GPO, etc.

Good luck!
0
 
LVL 40

Expert Comment

by:Vadim Rapp
ID: 18773674
In addition to what aissim said: this policy setting won't allow you to only allow SecUser1 etc.; it will require that Administrators also be granted this permission. So you add local administrators; then you will have to ensure that the local Administrators group on all machines does not include domain users.
0
 
LVL 19

Expert Comment

by:aissim
ID: 18773883
Good point! Forgot that part...
0
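One way to check a workstation in OU1 once the GPO from the accepted answer and the Administrators caveat from the follow-up comment are in place. This PowerShell script is an added example, not part of the original thread; the domain name CONTOSO is a placeholder, and it assumes an elevated session on Windows PowerShell 5.1 or later, where Get-LocalGroupMember is available.

```powershell
# Added example: audit one workstation against the logon restriction in this thread.
param(
    # Hypothetical domain name; SecUser1 is the group name used in the accepted answer.
    [string]$AllowedGroup = 'CONTOSO\SecUser1'
)

$AdminsSid = 'S-1-5-32-544'   # well-known SID of BUILTIN\Administrators

function Resolve-ToSid([string]$Entry) {
    # secedit writes each entry either as *SID or as a plain account name.
    if ($Entry.StartsWith('*')) { return $Entry.TrimStart('*') }
    try {
        $account = [System.Security.Principal.NTAccount]$Entry
        return $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
    } catch {
        return $Entry   # unresolvable name: report it as-is
    }
}

# 1. Export the user rights and read 'Allow log on locally' (SeInteractiveLogonRight).
$cfg = Join-Path $env:TEMP 'user_rights.inf'
secedit /export /areas USER_RIGHTS /cfg $cfg | Out-Null
$line = Get-Content $cfg | Where-Object { $_ -match '^SeInteractiveLogonRight\s*=' }
Remove-Item $cfg

$granted = @()
if ($line) {
    $granted = @(($line -split '=', 2)[1].Split(',') | ForEach-Object { Resolve-ToSid $_.Trim() })
}

# The right should hold exactly Administrators plus the one allowed group.
$expected = @($AdminsSid, (Resolve-ToSid $AllowedGroup))
$extra    = @($granted  | Where-Object { $_ -notin $expected })
$missing  = @($expected | Where-Object { $_ -notin $granted })

# 2. Local Administrators must not contain Domain Users (domain SID ending in RID 513).
$domainUsers = @(Get-LocalGroupMember -SID $AdminsSid |
    Where-Object { $_.SID.Value -match '^S-1-5-21-.+-513$' })

[pscustomobject]@{
    Computer                = $env:COMPUTERNAME
    UnexpectedLogonEntries  = $extra -join ', '
    MissingLogonEntries     = $missing -join ', '
    DomainUsersInLocalAdmin = ($domainUsers.Count -gt 0)
    Compliant               = (-not $extra -and -not $missing -and -not $domainUsers)
}
```

Run it with the group that matches the computer's OU (SecUser2 for OU2, and so on); any entry listed under UnexpectedLogonEntries is an account that can still log on locally despite the GPO.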
