Solved

Restrict AD Computer Group logins?

Posted on 2010-09-23
3
289 Views
Last Modified: 2012-05-10
I want several of my domain workstations to only be able to be logged into by a certain group.  I am not sure how to make this happen.  I am thinking I can use a GPO "Restricted Groups" to make this happen but am not sure how to keep regular domain users out.   I do not want to do this at the local profile/user level the authorized users need their network access.  Would I have to place the workstation into its own container and then apply the restricted groups policy to that container, would that keep those that are not part of the group out?

Examples: In other words I have a domain workstation that I only want to be able to be logged onto by those that are part of the security group called "Board room users" and exclude those that are not part of that group or of course Domain Admins.

All assistance is appreciated. Thank you!
0
Comment
Question by:jelter
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
3 Comments
 
LVL 57

Expert Comment

by:Mike Kline
ID: 33747283
Restricted groups are more for defining members of the local groups (like the local admin group for example)

what you can do is configure the Allow logon locally user right

http://technet.microsoft.com/en-us/library/cc756809(WS.10).aspx

Create a GPO that only applies to those machines and add admins and Board Room users only.

Thanks
Mike
0
 
LVL 16

Accepted Solution

by:
ThinkPaper earned 500 total points
ID: 33747999
You're on the right track. You would create a separate OU and dump that computer in it. Then you'd have to create a new GPO for that workstation with some of the below configurations. If you've got inherited GPO's you'd need to make sure the new GPO overrides the original settings by making sure it's set to "enforced".

After creating the policy and gpupdate the machine, you can run RSoP on the machine to ensure it's getting the proper policies from the right GPO.

Some additional settings to consider, if you want to further lock it down:

Access this computer from the network
Allow log on through Terminal Services (if enabled)
Deny access to this computer from the network
Deny logon locally
Deny log on through Terminal Services (if enabled)
Log on locally

*Note that the deny always takes precedence.
0
 

Author Closing Comment

by:jelter
ID: 33798696
...
0

Featured Post

Instantly Create Instructional Tutorials

Contextual Guidance at the moment of need helps your employees adopt to new software or processes instantly. Boost knowledge retention and employee engagement step-by-step with one easy solution.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article describes my battle tested process for setting up delegation. I use this process anywhere that I need to setup delegation. In the article I will show how it applies to Active Directory
Had a business requirement to store the mobile number in an environmental variable. This is just a quick article on how this was done.
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…

752 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question