Solved

Restrict AD Computer Group logins?

Posted on 2010-09-23
3
278 Views
Last Modified: 2012-05-10
I want several of my domain workstations to only be able to be logged into by a certain group.  I am not sure how to make this happen.  I am thinking I can use a GPO "Restricted Groups" to make this happen but am not sure how to keep regular domain users out.   I do not want to do this at the local profile/user level the authorized users need their network access.  Would I have to place the workstation into its own container and then apply the restricted groups policy to that container, would that keep those that are not part of the group out?

Examples: In other words I have a domain workstation that I only want to be able to be logged onto by those that are part of the security group called "Board room users" and exclude those that are not part of that group or of course Domain Admins.

All assistance is appreciated. Thank you!
0
Comment
Question by:jelter
3 Comments
 
LVL 57

Expert Comment

by:Mike Kline
Comment Utility
Restricted groups are more for defining members of the local groups (like the local admin group for example)

what you can do is configure the Allow logon locally user right

http://technet.microsoft.com/en-us/library/cc756809(WS.10).aspx

Create a GPO that only applies to those machines and add admins and Board Room users only.

Thanks
Mike
0
 
LVL 16

Accepted Solution

by:
ThinkPaper earned 500 total points
Comment Utility
You're on the right track. You would create a separate OU and dump that computer in it. Then you'd have to create a new GPO for that workstation with some of the below configurations. If you've got inherited GPO's you'd need to make sure the new GPO overrides the original settings by making sure it's set to "enforced".

After creating the policy and gpupdate the machine, you can run RSoP on the machine to ensure it's getting the proper policies from the right GPO.

Some additional settings to consider, if you want to further lock it down:

Access this computer from the network
Allow log on through Terminal Services (if enabled)
Deny access to this computer from the network
Deny logon locally
Deny log on through Terminal Services (if enabled)
Log on locally

*Note that the deny always takes precedence.
0
 

Author Closing Comment

by:jelter
Comment Utility
...
0

Featured Post

How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

Join & Write a Comment

There are two modes of restricted groups GPOs. Replacing mode:   Additive mode:   How do they work? Replacing mode: Everything (users, groups, computers) that is member of the local administrators group will be cleared out. After th…
Introduction You may have a need to setup a group of users to allow local administrative access on workstations.  In a domain environment this can easily be achieved with Restricted Groups and Group Policies. This article will demonstrate how to…
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

6 Experts available now in Live!

Get 1:1 Help Now