Solved

AD "logon to" question

Posted on 2009-02-17
Last Modified: 2012-05-06
We want to use the "logon to" option under the user's Active Directory properties to restrict access to workstations and servers.

My question is: can I add stations to a group and then use the group name? I've tried this once and it didn't work. I did not pay close attention to the type of group object I created, so maybe it's that, but I'm doubtful. It will be a real headache to add every workstation to each user. I understand I can bulk edit this for users, but it's still a lot of keying to add each workstation. And regardless, the access list will not be the same for every user.
Question by:teleformix
8 Comments
 
LVL 47

Expert Comment

by:Donald Stewart
ID: 23666404
No, you can only add 1 computer at a time, I'm afraid.
 

Author Comment

by:teleformix
ID: 23670090
That really stinks... with the ability to create OUs, groups, etc., that's a pretty stupid limitation. Especially for larger organizations. We recently started authenticating against AD in our Linux environment (which is quite large) and we really want and need to have the added layer of security that "logon to" provides.
 

Author Comment

by:teleformix
ID: 23670707
Can I use a wildcard? i.e. someprefix* or *.somedomain.com?

Author Comment

by:teleformix
ID: 23671232
Here's what we ended up doing to solve the problem in the short term if nothing else... NOTE: adding every workstation and maintaining that for every user was not an option.

We created a server group and added all of our servers.  Under the GPO for our normal users we restricted logon access to this group.  So basically we are allowing all workstations to any user and denying any server that was added to the server group.  We then created a separate GPO for the administrators.

The setting I am referring to in the GPO is:
Computer Configuration | Windows Settings | Security Settings | Local Policies | User Rights Assignment | Deny log on locally

---

Thanks for the help.
 
LVL 47

Accepted Solution

by:
Donald Stewart earned 2000 total points
ID: 23671262
 
LVL 47

Expert Comment

by:Donald Stewart
ID: 23671316
This could help you
 
Restrict Workstation Logons
 

Author Closing Comment

by:teleformix
ID: 31548299
Thanks for taking the time to help. I've read through the links you have added and I have no reason to believe that they won't work for us. I'm glad there's a way to get around the 8-computer limitation that net user has. I knew there had to be a way since I know there are larger organizations out there trying to accomplish the same thing. I was going to get some real static if we couldn't solve this since I did away with LDAP on the UNIX side of things.

I'm going to set up a test when I have some time to see what direction I want to go. Meaning the GPO deny route or the "logon to" route. Either way you've been a big help since I will need the "logon to" to work for some of the admins that don't get access to everything.

Again thanks for your time and help!
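
The "logon to" list stores computer names rather than a group reference, but a script can expand a group of computer accounts into each user's list. The following is an added example, not code from the thread or from the links posted in it; it assumes the ActiveDirectory PowerShell module (RSAT), and the group names `LogonTo-Users` and `LogonTo-Computers` are hypothetical.

```powershell
# Added example: group names are hypothetical; requires the ActiveDirectory (RSAT) module.
Import-Module ActiveDirectory

function Get-GroupComputerName {
    param([Parameter(Mandatory)][string]$ComputerGroup)
    # Expand nested groups and keep only computer accounts.
    # Assumption: each computer's Name (its CN) matches its NetBIOS name.
    Get-ADGroupMember -Identity $ComputerGroup -Recursive |
        Where-Object { $_.objectClass -eq 'computer' } |
        Select-Object -ExpandProperty Name |
        Sort-Object -Unique
}

function Sync-LogonToFromGroup {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$UserGroup,
        [Parameter(Mandatory)][string]$ComputerGroup
    )
    $computers = @(Get-GroupComputerName -ComputerGroup $ComputerGroup)
    # An empty "logon to" list means "all computers", so never write one by accident.
    if ($computers.Count -eq 0) {
        throw "No computer accounts found in '$ComputerGroup'; leaving users unchanged."
    }
    $wanted = $computers -join ','

    Get-ADGroupMember -Identity $UserGroup -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object {
            $user = Get-ADUser -Identity $_.distinguishedName -Properties LogonWorkstations
            # Only touch accounts whose list differs from the group-derived one.
            if ($user.LogonWorkstations -ne $wanted) {
                if ($PSCmdlet.ShouldProcess($user.SamAccountName, "Set logon-to list to $wanted")) {
                    Set-ADUser -Identity $user -LogonWorkstations $wanted
                }
            }
        }
}

# Preview the changes first, then run again without -WhatIf to apply them.
Sync-LogonToFromGroup -UserGroup 'LogonTo-Users' -ComputerGroup 'LogonTo-Computers' -WhatIf
```

The attribute holds a copy of the group's membership at the time of the run, so re-run the script (or schedule it) whenever either group changes.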