
restrict only certain users can access a particular computer

Hi Experts,

my environment is a windows 2003 AD, almost all PCs are XP SP3 and some are windows 7. I am wondering if there are any settings that i can set up on the AD such that i can control who can access certain computers. i know i can set up an individual user's logon to particular computers. However, what i want is the reverse, that is, to set up a particular computer to allow access by certain users/groups. My primary concern is remote desktop access.

e.g. computer A only allows group A to RDP to it, but not group B, while computer B has the reverse permission.

is it possible to do that on the server?

thanks.

Steve (Architect/Designer)

Commented:
If groups of computers would have the same settings you can set up group policies to specify who can log on locally and remotely.
If PCs would have individual settings then the group policy approach would be inefficient and each PC would need amending directly.
Steve (Architect/Designer)

Commented:
More info:

Set up a container for each group of computers and put the appropriate PCs in each container.
Apply a group policy to each container which specifies which user groups are allowed or denied access locally or remotely.
Top Expert 2005
Commented:
Local logons are just that - local accounts. Access this computer remotely only affects SMB traffic.

The way to do this is to group these computers into OUs so that you can manage each set of computers centrally. Next thing to do is create Global Security Groups that contain the users that must have access to these machines. Next, use GPOs connected to each OU that utilize Restricted Groups.

What you want to do is REMOVE the domain user group (or Authenticated Users) from the local Users group on each PC, then add your new Security Group to the local Users group and Remote Desktop Users group.

The first Restricted Group would be manually entered as Users (in the Member section at the top of the applet), then select your domain security group - this will enforce the membership of local Users by removing anything other than what you specify.

The next Restricted Group would be Remote Desktop Users (manually entered) in the LOWER section of the applet. Browse to select the domain security group that you want to access via RDP. This will not enforce the membership of Remote Desktop Users but will only add the proper group.

This should solve your problem.

Author

Commented:
hi Netman66,

i am a bit confused about which part of the GPO i should set up. can you please tell me in detail?

thanks.
Steve (Architect/Designer)
Commented:
Try this guide on how to use group policy as netman and I have suggested.

http://www.frickelsoft.net/blog/?p=13
Top Expert 2005
Commented:
This explains Restricted Groups:  http://support.microsoft.com/kb/279301

This explains how to use them:  http://www.windowsecurity.com/articles/Using-Restricted-Groups.html

What you want to do is create an OU for each group of computers that needs to be restricted (if there is more than one group that requires different access then create one OU for each).
Move the respective computers into their new OUs.
Create new Global Security Groups for each set of users that will have access to their own set of computers.
Add the proper User accounts to each new Security Group.
Create and link a new GPO to each OU.
Configure Restricted Groups for each new GPO - you'll add two per GPO.
The first group will be manually entered as Users, then using the Members of this Group you will add just your new Security group for the people that are allowed to log in.
The second Restricted Group will be the new Global Security Group you created, and you will use the lower portion ("This group is a member of") to add the local group it is to be a member of: the local Remote Desktop Users group (this must be typed in manually).

What the first Restricted Group does is clear out the membership of the local User group on each workstation under the OU where the GPO is linked and will add only your new Security Group.
The second Restricted Group simply adds itself to the Remote Desktop Users local group, but does not remove any other membership.
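The two Restricted Groups entries described above end up in the GPO's security template (GptTmpl.inf under the GPO's Machine\Microsoft\Windows NT\SecEdit folder in SYSVOL). Here is an added example of what that section looks like, written for this thread and not taken from the original answers; the domain name CONTOSO, the group name PC-A-Users and the comments are assumptions, while S-1-5-32-545 (Users) and S-1-5-32-555 (Remote Desktop Users) are the well-known local group SIDs.

```ini
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Group Membership]
; First Restricted Group: enforce membership of the local Users group
; (S-1-5-32-545). Only CONTOSO\PC-A-Users stays in it; Domain Users,
; Authenticated Users and any local accounts are removed at refresh.
*S-1-5-32-545__Memberof =
*S-1-5-32-545__Members = CONTOSO\PC-A-Users
; Second Restricted Group: make CONTOSO\PC-A-Users a member of the local
; Remote Desktop Users group (S-1-5-32-555). This is the "member of"
; direction, so existing members of Remote Desktop Users are left alone.
CONTOSO\PC-A-Users__Memberof = *S-1-5-32-555
CONTOSO\PC-A-Users__Members =
```

Because the first entry empties the local Users group, anyone outside CONTOSO\PC-A-Users loses console logon on those PCs as well as RDP, so check the result with gpresult on one test machine before linking the GPO to the whole OU.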
Top Expert 2005

Commented:
@totallytonto - with all due respect, you were inferring that you would use Group Policy to control the "log on locally" and "access this computer remotely" settings within User Rights Assignment. Please refrain from suggesting that you were suggesting the same thing I had posted. This isn't very professional.