Solved

Restrict AD Computer Group logins?

Posted on 2010-09-23
Last Modified: 2012-05-10
I want several of my domain workstations to only be able to be logged into by a certain group. I am not sure how to make this happen. I am thinking I can use a GPO "Restricted Groups" to make this happen, but am not sure how to keep regular domain users out. I do not want to do this at the local profile/user level; the authorized users need their network access. Would I have to place the workstation into its own container and then apply the restricted groups policy to that container? Would that keep those that are not part of the group out?

Example: In other words, I have a domain workstation that I only want to be able to be logged onto by those that are part of the security group called "Board room users", and exclude those that are not part of that group (or, of course, Domain Admins).

All assistance is appreciated. Thank you!
Question by:jelter
3 Comments
LVL 57

Expert Comment

by:Mike Kline
ID: 33747283
Restricted groups are more for defining members of the local groups (like the local admin group, for example).

What you can do is configure the "Allow log on locally" user right:

http://technet.microsoft.com/en-us/library/cc756809(WS.10).aspx

Create a GPO that only applies to those machines and add admins and Board Room users only.

Thanks
Mike
LVL 16

Accepted Solution

by:
ThinkPaper earned 500 total points
ID: 33747999
You're on the right track. You would create a separate OU and put that computer in it. Then you'd have to create a new GPO for that workstation with some of the below configurations. If you've got inherited GPOs, you'd need to make sure the new GPO overrides the original settings by making sure it's set to "enforced".

After creating the policy and running gpupdate on the machine, you can run RSoP on the machine to ensure it's getting the proper policies from the right GPO.

Some additional settings to consider, if you want to further lock it down:

Access this computer from the network
Allow log on through Terminal Services (if enabled)
Deny access to this computer from the network
Deny logon locally
Deny log on through Terminal Services (if enabled)
Log on locally

*Note that the deny always takes precedence.
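Once the GPO is in place, a quick way to confirm what the workstation actually enforces (beyond RSoP) is to export the effective User Rights Assignment and see who holds each of the six rights listed above. The script below is an added example, not code from either answer; it assumes the thread's group name "Board room users" and the standard privilege constants that secedit writes for these rights.

```powershell
# Added example (not part of the original thread): dump the effective
# User Rights Assignment on a workstation and check the logon rights the
# thread discusses. Run elevated on the target machine after gpupdate.
$RequiredGroup = 'Board room users'   # the thread's example group name

# GPO display names (as in the list above) -> privilege constants as secedit writes them.
$Rights = [ordered]@{
    'Allow log on locally'                          = 'SeInteractiveLogonRight'
    'Deny logon locally'                            = 'SeDenyInteractiveLogonRight'
    'Access this computer from the network'         = 'SeNetworkLogonRight'
    'Deny access to this computer from the network' = 'SeDenyNetworkLogonRight'
    'Allow log on through Terminal Services'        = 'SeRemoteInteractiveLogonRight'
    'Deny log on through Terminal Services'         = 'SeDenyRemoteInteractiveLogonRight'
}
# secedit exports the effective local policy (domain GPO included) as an INF file.
$inf = Join-Path $env:TEMP 'userrights.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
$lines = Get-Content $inf
Remove-Item $inf

function Resolve-Entry([string]$Entry) {
    # secedit writes SIDs as *S-1-5-32-544; plain names are returned unchanged.
    if ($Entry -match '^\*(S-[\d-]+)$') {
        try { return (New-Object System.Security.Principal.SecurityIdentifier($Matches[1])).Translate([System.Security.Principal.NTAccount]).Value }
        catch { return $Matches[1] }   # orphaned SID (deleted account): report it raw
    }
    return $Entry
}

function Get-Holders([string]$Const) {
    $line = $lines | Where-Object { $_ -match "^$Const\s*=" } | Select-Object -First 1
    if (-not $line) { return @() }
    return @(($line -split '=', 2)[1].Split(',') | ForEach-Object { Resolve-Entry $_.Trim() })
}

foreach ($name in $Rights.Keys) {
    $holders = Get-Holders $Rights[$name]
    "`n$name ($($Rights[$name])):"
    if ($holders) { $holders | ForEach-Object { "  $_" } } else { '  (not defined)' }
}

# The checks the thread implies: the board-room group must hold "Allow log on locally",
# and the broad built-in groups must not (a Deny entry would also do, and a Deny wins).
$allowed = Get-Holders 'SeInteractiveLogonRight'
if (-not ($allowed | Where-Object { $_ -like "*\$RequiredGroup" })) {
    Write-Warning "'$RequiredGroup' is not in 'Allow log on locally'"
}
foreach ($broad in 'BUILTIN\Users', 'Everyone', 'NT AUTHORITY\Authenticated Users') {
    if ($allowed -contains $broad) { Write-Warning "'$broad' can still log on locally" }
}
```

On a default workstation you will see BUILTIN\Users under "Allow log on locally", which is exactly what the dedicated GPO must replace; the warnings at the end flag that case and a missing board-room group.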
Author Closing Comment

by:jelter
ID: 33798696
...