

Restrict User Login To Specific PCs (lots of them, need an easy way)

Posted on 2011-05-13
Medium Priority
Last Modified: 2012-05-11
I have a school with 200 PCs in it.  I want to restrict 400+ student user accounts to only the PCs within their building.  How do I do this without going through every account profile in AD and adding every specific PC?
Question by:januismer
LVL 14

Expert Comment

ID: 35755151
I would use GPO Restricted Groups.  You need to separate the computer accounts by buildings by creating OUs.  Create a security group to place the users in who you want to give local admin access to a specific building.  Create a GPO and link it to the building name OU.  Configure Restricted Groups; add the Administrators group, then add the security group to this, along with the local admin account and domain admins.  This GPO will push these groups to the local admin group on all the workstations within the OU.

Accepted Solution

yomeriux earned 1600 total points
ID: 35755421
The easiest way is to make groups on your Domain and add those groups to the PCs where you want the users to log in. This can be done by adding all the PCs to a localized OU, creating a GPO with access rights to the group of users and adding it to the OU of PCs.  You can read some more here:

LVL 42

Assisted Solution

kevinhsieh earned 400 total points
ID: 35756804
There isn't a great way to do this. By default, any domain user can log on to any domain PC (not server). You can modify the User Rights Assignments on PCs via group policy for who can log on locally, and who is denied local logon. You can approach it from either direction, but remember that you need to remember teachers, staff, and computer administrators. If you do the deny route, you can deny for all of your students that should be prohibited. If you change the allow route, you need to include the students, teachers, and staff in the allow list. What I would do is create a domain local group all users groups that represents the allowed or denied users. I would apply that to a GPO that applies to all PCs in the building. Repeat for all other buildings. Remember that a deny takes precedence over permit.

To get to user rights assignment in GPO, Computer Configuration, Policies, Windows Settings, Security Settings, Local Policies, User Rights Assignment.

Be very careful, you can get yourself into a lot of trouble here!
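
An added example, not posted by anyone in this thread: one way to script the per-building groups and GPOs for the deny route described above, using the ActiveDirectory and GroupPolicy modules. The domain DN, building names, OU layout and group/GPO names are all assumptions; the user right itself is still set by hand in each GPO at the path given above.

```powershell
# Added example. Assumed layout (hypothetical): domain DC=school,DC=example,
# students in OU=Students,OU=<Building>, PCs in OU=Computers,OU=<Building>.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDn  = 'DC=school,DC=example'     # hypothetical domain
$buildings = 'North', 'South'           # hypothetical building names
$groupOu   = "OU=Groups,$domainDn"      # hypothetical OU that holds the groups

foreach ($b in $buildings) {
    $groupName = "Students-$b"

    # One domain local security group per building's students.
    if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
        New-ADGroup -Name $groupName -GroupScope DomainLocal `
                    -GroupCategory Security -Path $groupOu
    }

    # Fill the group from the building's student OU instead of editing each
    # account; skip users who are already members.
    $current  = @(Get-ADGroupMember -Identity $groupName |
                  Select-Object -ExpandProperty distinguishedName)
    $students = @(Get-ADUser -Filter * -SearchBase "OU=Students,OU=$b,$domainDn" |
                  Where-Object { $current -notcontains $_.DistinguishedName })
    if ($students) { Add-ADGroupMember -Identity $groupName -Members $students }
}

foreach ($b in $buildings) {
    $gpoName = "Logon-Restriction-$b"
    $pcOu    = "OU=Computers,OU=$b,$domainDn"

    # Empty GPO linked to this building's computer OU.
    if (-not (Get-GPO -Name $gpoName -ErrorAction SilentlyContinue)) {
        New-GPO -Name $gpoName | New-GPLink -Target $pcOu | Out-Null
    }

    # Deny route: every other building's student group goes under
    # "Deny log on locally" in this GPO. Staff, teachers and admins are in
    # none of these groups, so the deny entry cannot lock them out.
    $deny = $buildings | Where-Object { $_ -ne $b } |
            ForEach-Object { "Students-$_" }
    '{0}: Deny log on locally -> {1}' -f $gpoName, ($deny -join ', ')
}
```

The last line of each iteration prints the group names to enter in that building's GPO. Link the GPO to a test OU with one PC first and confirm that an administrator can still log on before linking it to a whole building.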

Question has a verified solution.