Solved

Restrict Logon to Computers in an Organizational Unit

Posted on 2007-03-22
Last Modified: 2012-06-27
I am running a Windows 2003 forest with only one domain. In this domain I have created three Organizational Units for the purpose of grouping my computers in the domain, namely OU1, OU2, OU3. Each of these Organizational Units consists of about 500 computers. I have also created three more Organizational Units for the purpose of grouping my users, namely UserGroup1, UserGroup2, UserGroup3. Currently any user can log on to any computer. I now want to devise a policy which would only allow 1) UserGroup1 to only log on to OU1, 2) UserGroup2 to only log on to OU2, 3) UserGroup3 to only log on to OU3. That is to say, I do not want users in UserGroup1 to be able to log on to computers that are in OU3. How do I implement such a policy?
0
Question by:nyathim
4 Comments
 
LVL 70

Expert Comment

by:KCTS
ID: 18772220
I can't think of any way in which this can be done with group policy.
0
 
LVL 19

Accepted Solution

by:
aissim earned 250 total points
ID: 18773460
Give this a try:
First you'll have to create 3 security groups - one for each of your user OUs (we'll say SecUser1, SecUser2, SecUser3). Then you'll create three different GPOs, one assigned to each of your computer OUs.
Edit each of the GPOs and navigate to Computer Configuration | Windows Settings | Security Settings | Local Policies | User Rights Assignment | 'Allow log on locally'. Define this setting and only allow the SecUser1 group for the OU1 GPO, the SecUser2 group for the OU2 GPO, etc.

Good luck!
0
 
LVL 40

Expert Comment

by:Vadim Rapp
ID: 18773674
In addition to what aissim said: this policy setting won't allow you to only allow SecUser1 etc.; it will require that Administrators should also be granted this permission. So you add local administrators; then you will have to ensure that the local administrators group on all machines does not include domain users.
0
 
LVL 19

Expert Comment

by:aissim
ID: 18773883
Good point! Forgot that part...
0
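
The setup described in the replies above can be checked per machine after the GPOs apply. The following is an added example, not part of any reply in this thread: it parses the `[Privilege Rights]` section of a security-template export (for instance from `secedit /export /cfg rights.inf /areas USER_RIGHTS`) and reports whether 'Allow log on locally' (`SeInteractiveLogonRight`) holds exactly Administrators plus the one intended group. The domain SID, the group RIDs and the function names are constructed for illustration.

```python
# Added example: audit "Allow log on locally" (SeInteractiveLogonRight) in a
# security-template export. All domain SIDs and RIDs here are constructed.
# Files written by secedit are normally Unicode; decode them before parsing.

ADMINS = "S-1-5-32-544"                      # well-known BUILTIN\Administrators
DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"   # constructed domain SID
SECUSER1 = DOMAIN + "-1105"                  # assumed RID for SecUser1
SECUSER2 = DOMAIN + "-1106"                  # assumed RID for SecUser2

# Constructed export from a computer in OU1 where SecUser2 was added by mistake.
SAMPLE_OU1_EXPORT = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544
SeInteractiveLogonRight = *S-1-5-32-544,*{d}-1105,*{d}-1106
[Version]
signature="$CHICAGO$"
""".format(d=DOMAIN)


def parse_privilege_rights(inf_text):
    """Return {right: set of principals} from the [Privilege Rights] section."""
    rights, section = {}, None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "privilege rights" and "=" in line:
            name, _, value = line.partition("=")
            # SIDs are written with a leading '*'; unresolved names have none.
            rights[name.strip()] = {p.strip().lstrip("*").upper()
                                    for p in value.split(",") if p.strip()}
    return rights


def audit_local_logon(inf_text, ou_group):
    """Compare the right against the intended set: Administrators + one group."""
    expected = {ADMINS.upper(), ou_group.upper()}
    actual = parse_privilege_rights(inf_text).get("SeInteractiveLogonRight")
    if actual is None:          # right absent from the export
        return {"defined": False, "unexpected": [], "missing": sorted(expected)}
    return {"defined": True,
            "unexpected": sorted(actual - expected),
            "missing": sorted(expected - actual)}


if __name__ == "__main__":
    print(audit_local_logon(SAMPLE_OU1_EXPORT, SECUSER1))
```

This check covers only the user right itself; who is a member of each machine's local Administrators group has to be verified separately.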
