Solved

Restrict Logon to Computers in an Organizational Unit

Posted on 2007-03-22
4
960 Views
Last Modified: 2012-06-27
I am running a winodws 2003 forest with only one domain. In this domain I have created three Organizational Units for the purpose of grouping my computers in the domain namely OU1, OU2, OU3. Each of these Organizational Units consists of about 500 Computers. I also have created three more Organizational Units for the purpose of grouping my users namely UserGroup1, UserGroup2, UserGroup3. Currently what any user can logon to any computer. I now want to device a policies which would only allow 1) UserGroup1 to only Logon to OU1     2) UserGroup2 to only Logon to OU2    3) UserGroup3 to only logon to OU3. That is to say I do not want users in UserGroup1 to be able to logon to computers that are in OU3. How do I implement such a policy.  
0
Comment
Question by:nyathim
  • 2
4 Comments
 
LVL 70

Expert Comment

by:KCTS
ID: 18772220
I can't think of any way in which this can be done with group policy.
0
 
LVL 19

Accepted Solution

by:
aissim earned 250 total points
ID: 18773460
Give this a try:
First you'll have to create 3 security groups - one for each of your user OU's (we'll say SecUser1, SecUser2, SecUser3). Then you'll create three different GPO's, one assigned to each of your computer OU's.
Edit each of the GPO's and navigate to Computer Configuration | Windows Settings | Security Settings | Local Policies | User Rights Assignment | 'Allow log on locally'....define this setting and only allow SecUser1 group for the OU1 GPO.....SecUser2 group for the OU2 GPO...etc.

Good luck!
0
 
LVL 40

Expert Comment

by:Vadim Rapp
ID: 18773674
in addition to what asissim said: this policy setting won't allow you to only allow secuser1 etc.; it will require that Administrators should also be granted this permission. So you add local administrators; then you will have to ensure that local administrators group on all machines does not include domain users.
0
 
LVL 19

Expert Comment

by:aissim
ID: 18773883
Good point! Forgot that part...
0

Featured Post

Complete VMware vSphere® ESX(i) & Hyper-V Backup

Capture your entire system, including the host, with patented disk imaging integrated with VMware VADP / Microsoft VSS and RCT. RTOs is as low as 15 seconds with Acronis Active Restore™. You can enjoy unlimited P2V/V2V migrations from any source (even from a different hypervisor)

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Setting up a Microsoft WSUS update system is free relatively speaking if you have hard disk space and processor capacity.   However, WSUS can be a blessing and a curse. For example, there is nothing worse than approving updates and they just have…
Learn about cloud computing and its benefits for small business owners.
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…

778 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question