AD "logon to" question

We want to use the "logon to" option under the user's Active Directory properties to restrict access to workstations and servers.

My question is: can I add stations to a group and then use the group name? I've tried this once and it didn't work. I did not pay close attention to the type of group object I created, so maybe it's that, but I'm doubtful. It will be a real headache to add every workstation to each user. I understand I can bulk edit this for users but it's still a lot of keying to add each workstation. And regardless, the access list will not be the same for every user.
teleformix Asked:
 
Don (Network Administrator) Commented:
No, you can only add 1 computer at a time, I'm afraid.
 
teleformix (Author) Commented:
That really stinks... with the ability to create OUs, groups, etc., that's a pretty stupid limitation, especially for larger organizations. We recently started authenticating against AD in our Linux environment (which is quite large) and we really want and need to have the added layer of security that "logon to" provides.
 
teleformix (Author) Commented:
Can I use a wildcard, i.e. someprefix* or *.somedomain.com?
 
teleformix (Author) Commented:
Here's what we ended up doing to solve the problem in the short term if nothing else... NOTE: adding every workstation and maintaining that for every user was not an option.

We created a server group and added all of our servers.  Under the GPO for our normal users we restricted logon access to this group.  So basically we are allowing all workstations to any user and denying any server that was added to the server group.  We then created a separate GPO for the administrators.

The setting I am referring to in the GPO is:
Computer Configuration | Windows Settings | Security Settings | Local Policies | User Rights Assignment | Deny log on locally

---

Thanks for the help.
 
Don (Network Administrator) Commented:
This could help you
 
Restrict Workstation Logons
 
teleformix (Author) Commented:
Thanks for taking the time to help. I've read through the links you have added and I have no reason to believe that they won't work for us. I'm glad there's a way to get around the 8 computer limitation that net user has. I knew there had to be a way since I know there are larger organizations out there trying to accomplish the same thing. I was going to get some real static if we couldn't solve this since I did away with LDAP on the UNIX side of things.

I'm going to set up a test when I have some time to see what direction I want to go, meaning the GPO deny route or the "logon to" route. Either way you've been a big help since I will need the "logon to" to work for some of the admins that don't get access to everything.

Again thanks for your time and help!
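
The original question was whether a computer group can stand in for individual names in "logon to". One way to get that effect is to expand a group into each user's list with a script; this is an added example, not code from the thread, using the ActiveDirectory PowerShell module. The user name, the group name, the use of the computer account name as the workstation name, and the 1024-character limit are assumptions.

```powershell
#Requires -Modules ActiveDirectory
# Added example: rebuild a user's "Log On To" list from a computer group.
# 'jdoe' and 'Finance-Workstations' are hypothetical placeholders.

function Sync-LogonWorkstations {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $UserName,
        [Parameter(Mandatory)] [string] $ComputerGroup,
        # Assumed length limit of the userWorkstations attribute; verify in your forest.
        [int] $MaxLength = 1024
    )

    # Expand the group (nested groups included) and keep computer objects only.
    # Assumption: the account name without its trailing '$' is the workstation name.
    $names = Get-ADGroupMember -Identity $ComputerGroup -Recursive |
        Where-Object { $_.objectClass -eq 'computer' } |
        ForEach-Object { $_.SamAccountName.TrimEnd('$') } |
        Sort-Object -Unique

    if (-not $names) {
        # An empty list means "all computers", so never write one by accident.
        throw "Group '$ComputerGroup' has no computer members; '$UserName' left unchanged."
    }

    $value = $names -join ','
    if ($value.Length -gt $MaxLength) {
        throw "List for '$UserName' is $($value.Length) characters, over $MaxLength."
    }

    # Skip the write when the attribute already matches the group.
    $current = (Get-ADUser -Identity $UserName -Properties LogonWorkstations).LogonWorkstations
    if ($current -eq $value) { return }

    if ($PSCmdlet.ShouldProcess($UserName, "Set LogonWorkstations to '$value'")) {
        Set-ADUser -Identity $UserName -LogonWorkstations $value
    }
}

# Dry run: shows the change without writing it.
Sync-LogonWorkstations -UserName 'jdoe' -ComputerGroup 'Finance-Workstations' -WhatIf
```

Run it on a schedule so that group membership changes reach the users' lists; until the next run, a user's list reflects the old membership.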