Solved

Restrict AD Computer Group logins?

Posted on 2010-09-23
3
284 Views
Last Modified: 2012-05-10
I want several of my domain workstations to only be able to be logged into by a certain group.  I am not sure how to make this happen.  I am thinking I can use a GPO "Restricted Groups" to make this happen but am not sure how to keep regular domain users out.   I do not want to do this at the local profile/user level the authorized users need their network access.  Would I have to place the workstation into its own container and then apply the restricted groups policy to that container, would that keep those that are not part of the group out?

Examples: In other words I have a domain workstation that I only want to be able to be logged onto by those that are part of the security group called "Board room users" and exclude those that are not part of that group or of course Domain Admins.

All assistance is appreciated. Thank you!
0
Comment
Question by:jelter
3 Comments
 
LVL 57

Expert Comment

by:Mike Kline
ID: 33747283
Restricted groups are more for defining members of the local groups (like the local admin group for example)

what you can do is configure the Allow logon locally user right

http://technet.microsoft.com/en-us/library/cc756809(WS.10).aspx

Create a GPO that only applies to those machines and add admins and Board Room users only.

Thanks
Mike
0
 
LVL 16

Accepted Solution

by:
ThinkPaper earned 500 total points
ID: 33747999
You're on the right track. You would create a separate OU and dump that computer in it. Then you'd have to create a new GPO for that workstation with some of the below configurations. If you've got inherited GPO's you'd need to make sure the new GPO overrides the original settings by making sure it's set to "enforced".

After creating the policy and gpupdate the machine, you can run RSoP on the machine to ensure it's getting the proper policies from the right GPO.

Some additional settings to consider, if you want to further lock it down:

Access this computer from the network
Allow log on through Terminal Services (if enabled)
Deny access to this computer from the network
Deny logon locally
Deny log on through Terminal Services (if enabled)
Log on locally

*Note that the deny always takes precedence.
0
 

Author Closing Comment

by:jelter
ID: 33798696
...
0

Featured Post

Free Tool: Site Down Detector

Helpful to verify reports of your own downtime, or to double check a downed website you are trying to access.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Find out how to use Active Directory data for email signature management in Microsoft Exchange and Office 365.
Restoring deleted objects in Active Directory has been a standard feature in Active Directory for many years, yet some admins may not know what is available.
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …

829 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question