Solved

Restrict AD Computer Group logins?

Posted on 2010-09-23
3
286 Views
Last Modified: 2012-05-10
I want several of my domain workstations to only be able to be logged into by a certain group. I am not sure how to make this happen. I am thinking I can use a GPO "Restricted Groups" to make this happen but am not sure how to keep regular domain users out. I do not want to do this at the local profile/user level; the authorized users need their network access. Would I have to place the workstation into its own container and then apply the restricted groups policy to that container, and would that keep those that are not part of the group out?

Example: In other words, I have a domain workstation that I only want to be able to be logged onto by those that are part of the security group called "Board room users", and exclude those that are not part of that group (or, of course, Domain Admins).

All assistance is appreciated. Thank you!
0
Comment
Question by:jelter
3 Comments
 
LVL 57

Expert Comment

by:Mike Kline
ID: 33747283
Restricted groups are more for defining members of the local groups (like the local admin group, for example).

What you can do is configure the "Allow log on locally" user right:

http://technet.microsoft.com/en-us/library/cc756809(WS.10).aspx

Create a GPO that only applies to those machines and add admins and Board Room users only.

Thanks
Mike
0
 
LVL 16

Accepted Solution

by: ThinkPaper (earned 500 total points)
ID: 33747999
You're on the right track. You would create a separate OU and dump that computer in it. Then you'd have to create a new GPO for that workstation with some of the below configurations. If you've got inherited GPOs, you'd need to make sure the new GPO overrides the original settings by making sure it's set to "enforced".

After creating the policy and running gpupdate on the machine, you can run RSoP on the machine to ensure it's getting the proper policies from the right GPO.

Some additional settings to consider, if you want to further lock it down:

Access this computer from the network
Allow log on through Terminal Services (if enabled)
Deny access to this computer from the network
Deny logon locally
Deny log on through Terminal Services (if enabled)
Log on locally

*Note that the deny always takes precedence.
0
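As an added example (not from the thread or either commenter), the following PowerShell script does the verification step the accepted answer describes: it exports the effective user-rights policy on the workstation, resolves the principals that hold "Allow log on locally" and "Deny log on locally", and warns if anyone outside the expected groups can still log on or if an authorized group is also denied (since deny takes precedence). The group name "DOMAIN\Board room users" is an assumption; replace it with your own domain and group.

```powershell
# Added example: check effective local logon rights on a workstation after GPO apply.
# Run elevated on the workstation itself. "DOMAIN\Board room users" is an assumed name.
#Requires -RunAsAdministrator
$Expected = @('BUILTIN\Administrators', 'DOMAIN\Board room users')   # assumption: adjust

$cfg = Join-Path $env:TEMP 'secpol-export.inf'
# secedit exports the effective policy; user rights are under [Privilege Rights]
secedit /export /cfg $cfg /areas USER_RIGHTS /quiet | Out-Null

function Get-RightPrincipals([string]$Right) {
    $line = Get-Content $cfg | Where-Object { $_ -match "^$Right\s*=" }
    if (-not $line) { return @() }      # right not assigned to anyone
    ($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object {
        $v = $_.Trim()
        if ($v.StartsWith('*')) {
            # entries prefixed with '*' are SIDs; translate to DOMAIN\Name when possible
            try {
                (New-Object System.Security.Principal.SecurityIdentifier($v.Substring(1))).
                    Translate([System.Security.Principal.NTAccount]).Value
            } catch { $v }              # unresolvable SID (e.g. deleted group): keep raw
        } else { $v }
    }
}

$allow = Get-RightPrincipals 'SeInteractiveLogonRight'       # "Allow log on locally"
$deny  = Get-RightPrincipals 'SeDenyInteractiveLogonRight'   # "Deny log on locally"

"Allow log on locally : $($allow -join ', ')"
"Deny log on locally  : $($deny -join ', ')"

# Any allowed principal outside the expected list is a gap in the lockdown
$unexpected = $allow | Where-Object { $_ -notin $Expected }
if ($unexpected) { Write-Warning "Unexpected principals allowed to log on: $($unexpected -join ', ')" }

# Deny wins over Allow: an authorized group listed in both is effectively locked out
$conflict = $Expected | Where-Object { $_ -in $deny }
if ($conflict) { Write-Warning "Authorized groups also denied (deny takes precedence): $($conflict -join ', ')" }

Remove-Item $cfg -ErrorAction SilentlyContinue
```

If "Allow log on locally" comes back empty or still lists BUILTIN\Users, the GPO has not applied to this machine yet; re-check the OU placement and enforcement as the answer suggests.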
 

Author Closing Comment

by:jelter
ID: 33798696
...
0
