Restrict User Login To Specific PCs (lots of them, need an easy way)

I have school with 200 PCs in it.  I want to restrict 400+ student user accounts to only the PCs within their building.  How do I do this without going through every account profile in AD and adding every specific PC?
LVL 1
januismerAsked:
Who is Participating?
 
yomeriuxCommented:
The easiest way is to make groups on your Domain and add those groups to the PC's where you want the users to log in, this can be made adding all the PC's to a localized OU, creating a GPO with access rights to the group of users and adding it to the OU of PC's.  You can read some more here:

http://social.technet.microsoft.com/Forums/en-US/winserverGP/thread/0577ad27-2aec-4073-8bb5-e5baed78b66c
0
 
Vinchenzo-the-SecondCommented:
I would use GPO Restricted Groups.  You need separate the computer accounts by buildings by creating OUs.  Create a security group to place the users in who you want to give local admin access to a specific building.  Create a GPO and link it the building name OU.  Configure Restricted Groups; add the Administrators group, then add the security group to this, along with the local admin account and domain admins.  This GPO will push these groups to local admin group on all the workstations within the OU
0
 
kevinhsiehCommented:
There isn't a great way to do this. By default, any domain user can logon to any domain PC (not server). You can modify the User Rights Assignments on PCs via group policy fow who can logon locally, and who is denied local logon. You can approach it from either direction, but remember that you need to remember teachers, staff, and computer administrators. If you do the deny route, you can deny for all of your students that should be prohibited. If you change the allow route, you need to include the students, teachers, and staff in the allow list. What I would do is create a domain local group all users groups that represents the allowed or denied users. I would apply that to to a GPO to applies to all PCs in the building. Repeat for all other buildings. Remember that a deny takes precedence of permit.

To get to user rights assignment in GPO, Computer Configuration, Policies, Windows Settings, Security Settings, Local Policies, User Rights Assignment.

Be very careful, you can get yourself into a lot of trouble here!
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.