Solved

Want to allow users to logon only to certain computers.

Posted on 2008-10-20
Last Modified: 2012-05-05
I am looking to grant access to a generic lab user account to be able to log on only to one of our many lab computers. I know I can use the "Logon To" sub-tab under the user "Account" tab in ADUC to do this, but it appears that I can only add 1 PC at a time. We have 100s of lab PCs, so I am looking for a way to do this through a text file, or some other process.

Thanks
Question by:SavedbyGrace
Accepted Solution

by: DecKen (earned 250 total points)
How about doing the following:

Place all the Lab workstations into one OU in Active Directory (e.g. Domain\Lab Workstations).
Add your generic Lab account into a new OU such as Domain\Lab Accounts.
Remove the Lab account from the Domain\Domain Users group.
Edit group policy for Domain\Lab Workstations to include Domain\Lab Accounts in the User group of all workstations in that OU.

This will mean the generic account should be able to log into all workstations in that OU and not log into any other workstations in the domain.

Assisted Solution

by: AnthonyP9618 (earned 250 total points)
A true lab should be completely separate from your production network, but I understand that this is not possible in all situations.  However, if you can... please, please, please keep them separate.

Here's what I would do....

Move the machines to their own OU, it would probably make sense to create the new OU somewhere under the current location of your Domain Computers.  For example, if your Domain Computers are located at contoso.com\Managed Computers, you would create a Lab OU at contoso.com\Managed Computers\Lab.  The reason for this is so that we can use inheritance.

Create a new GPO and link it to the new OU and give it a descriptive name.

Edit the GPO: under User Rights Assignment, set the "Log On Locally" policy and only add the accounts you want to log in to the computers you just moved to the Lab OU.

When the computers finally get the policy updates, only the user accounts you added to the "Log On Locally" policy will be able to log on to the computer. I would also suggest that you add an Administrative group to the same policy as well. Domain Admins, or Lab Administrators...

Hope that helps.
0
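
For the text-file route the question asks about, the following PowerShell is an added example and is not part of either answer above. It builds the "Logon To" value from a list of names and rejects a list that is too long for the attribute, which is where the OU/GPO approach in the answers becomes the better fit. The file name lab-pcs.txt, the account name labuser, the name pattern and the 1024-character limit are assumptions.

```powershell
# Added example, not from the original thread.
# Assumptions: .\lab-pcs.txt (one computer name per line) and the account 'labuser'.
function ConvertTo-LogonWorkstations {
    param(
        [Parameter(Mandatory)][AllowEmptyString()][string[]]$Name,
        # Assumed upper length of the userWorkstations attribute behind the
        # "Logon To" tab; confirm the value in your own forest's schema.
        [int]$MaxLength = 1024
    )
    # Trim, upper-case, drop blank lines and '#' comments, de-duplicate.
    $clean = @($Name |
        ForEach-Object { $_.Trim().ToUpperInvariant() } |
        Where-Object { $_ -and -not $_.StartsWith('#') } |
        Sort-Object -Unique)
    if ($clean.Count -eq 0) { throw 'No computer names supplied.' }

    # Conservative check (assumption): letters, digits, hyphen, max 15 characters.
    $bad = @($clean | Where-Object { $_ -notmatch '^[A-Z0-9-]{1,15}$' })
    if ($bad.Count -gt 0) { throw "Rejected names: $($bad -join ', ')" }

    $value = $clean -join ','
    if ($value.Length -gt $MaxLength) {
        throw ("{0} computers need {1} characters, over the {2} limit. " +
               "Use the OU/GPO approach for a list this size." -f
               $clean.Count, $value.Length, $MaxLength)
    }
    $value
}

# Constructed sample input: stray whitespace, a comment, a blank line, a duplicate.
$sample = @('LAB-PC-001', ' lab-pc-002 ', '# spare bench', '', 'LAB-PC-001')
ConvertTo-LogonWorkstations -Name $sample

# Constructed list of 300 names: expected to be rejected by the length check.
try { ConvertTo-LogonWorkstations -Name (1..300 | ForEach-Object { 'LAB-PC-{0:d3}' -f $_ }) }
catch { Write-Warning $_.Exception.Message }

# Apply to the account only when the AD module and the file are present.
# -WhatIf shows the change without writing it; remove it to commit.
if ((Get-Command Set-ADUser -ErrorAction SilentlyContinue) -and (Test-Path .\lab-pcs.txt)) {
    $list = ConvertTo-LogonWorkstations -Name (Get-Content .\lab-pcs.txt)
    Set-ADUser -Identity 'labuser' -LogonWorkstations $list -WhatIf
}
```

Set-ADUser comes from the ActiveDirectory module (RSAT). Whichever method is used, keep an administrative group able to log on to the lab machines, as the second answer suggests.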
