Solved

Want to allow users to logon only to certain computers.

Posted on 2008-10-20
Last Modified: 2012-05-05
I am looking to grant access to a generic lab user account to be able to log on only to one of our many lab computers. I know I can use the sub "Logon To" tab under the user "Account" tab in ADUC to do this, but it appears that I can only add 1 PC at a time. We have 100s of lab PCs, so I am looking for a way to do this through a text file, or some other process.

Thanks
Question by:SavedbyGrace
4 Comments
 

Accepted Solution

by:
DecKen earned 250 total points
ID: 22763544
How about doing the following:

Place all the Lab workstations into one OU in Active Directory (e.g. Domain\Lab Workstations).
Add your generic Lab account into a new OU such as Domain\Lab Accounts
Remove the Lab account from Domain\Domain Users group
Edit group policy for Domain\Lab Workstations to include Domain\Lab Accounts in the User group of all workstations in that OU

This will mean the generic account should be able to log into all workstations in that OU and not log into any other workstations in the domain.
 

Assisted Solution

by:AnthonyP9618
AnthonyP9618 earned 250 total points
ID: 22763995
A true lab should be completely separate from your production network, but I understand that this is not possible in all situations.  However, if you can... please, please, please keep them separate.

Here's what I would do....

Move the machines to their own OU. It would probably make sense to create the new OU somewhere under the current location of your Domain Computers. For example, if your Domain Computers are located at contoso.com\Managed Computers, you would create a Lab OU at contoso.com\Managed Computers\Lab. The reason for this is so that we can use inheritance.

Create a new GPO and link it to the new OU and give it a descriptive name.

Edit the GPO, under the User Rights Assignment, set the "Log On Locally" policy and only add the accounts you want to log in to the computers you just moved to the Lab OU.

When the computers finally get the policy updates, only the user accounts you added to the "Log on Locally" policy will be able to log on to the computer. I would also suggest that you add an Administrative group to the same policy as well. Domain Admins, or Lab Administrators...

Hope that helps.
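
The OU and GPO steps from the answers above, driven from a text file of computer names as the question asked. This is an added example, not code posted by any participant; the list file name and GPO name are assumptions, and the OU path follows the contoso.com layout used as an example in the second answer.

```powershell
#Requires -Modules ActiveDirectory, GroupPolicy
# Added example. Assumed: list file path and GPO name. The OU path follows the
# contoso.com layout used as an example in the answer above.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$ListPath = '.\lab-computers.txt',  # one computer name per line
    [string]$ParentOu = 'OU=Managed Computers,DC=contoso,DC=com',
    [string]$OuName   = 'Lab',
    [string]$GpoName  = 'Lab - Allow log on locally'
)
$labOu = "OU=$OuName,$ParentOu"

# 1. Create the Lab OU under the existing computers OU if it is not there yet.
$ouExists = [bool](Get-ADOrganizationalUnit -Filter "DistinguishedName -eq '$labOu'")
if (-not $ouExists -and $PSCmdlet.ShouldProcess($labOu, 'Create OU')) {
    New-ADOrganizationalUnit -Name $OuName -Path $ParentOu
    $ouExists = $true
}

# 2. Move every computer named in the text file into the Lab OU.
$names   = @(Get-Content -Path $ListPath | ForEach-Object { $_.Trim() } | Where-Object { $_ })
$missing = @()
foreach ($name in $names) {
    $computer = Get-ADComputer -Filter "Name -eq '$name'"
    if (-not $computer) { $missing += $name; continue }
    $alreadyThere = $computer.DistinguishedName.EndsWith(",$labOu", [StringComparison]::OrdinalIgnoreCase)
    if (-not $alreadyThere -and $PSCmdlet.ShouldProcess($name, "Move to $labOu")) {
        Move-ADObject -Identity $computer.DistinguishedName -TargetPath $labOu
    }
}

# 3. Create the GPO and link it to the Lab OU (the link is inherited by child OUs).
if (-not (Get-GPO -Name $GpoName -ErrorAction SilentlyContinue) -and
    $PSCmdlet.ShouldProcess($GpoName, "Create GPO and link to $labOu")) {
    New-GPO -Name $GpoName | New-GPLink -Target $labOu | Out-Null
}
# The user right itself is set by hand in the GPO editor, as the answer describes:
# Computer Configuration > Policies > Windows Settings > Security Settings >
# Local Policies > User Rights Assignment > "Allow log on locally".

# 4. Audit: names the directory does not know, and OU members not on the list.
$inOu = @(if ($ouExists) { Get-ADComputer -Filter * -SearchBase $labOu | Select-Object -ExpandProperty Name })
[pscustomobject]@{
    NotFoundInAD     = $missing
    InOuButNotListed = @($inOu | Where-Object { $_ -notin $names })
}
```

Running the script with `-WhatIf` first lists the OU, moves and GPO it would create without changing the directory.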
Question has a verified solution.
