Restrict User Login To Specific PCs (lots of them, need an easy way)

Posted on 2011-05-13
Last Modified: 2012-05-11
I have a school with 200 PCs in it. I want to restrict 400+ student user accounts to only the PCs within their building. How do I do this without going through every account profile in AD and adding every specific PC?
Question by:januismer

    Expert Comment

    I would use GPO Restricted Groups. You need to separate the computer accounts by building by creating OUs. Create a security group to place the users in who you want to give local admin access to a specific building. Create a GPO and link it to the building name OU. Configure Restricted Groups; add the Administrators group, then add the security group to this, along with the local admin account and domain admins. This GPO will push these groups to the local admin group on all the workstations within the OU.

    Accepted Solution

    The easiest way is to make groups on your domain and add those groups to the PCs where you want the users to log in. This can be done by adding all the PCs to a localized OU, creating a GPO with access rights for the group of users, and adding it to the OU of PCs. You can read some more here:

    Assisted Solution

    There isn't a great way to do this. By default, any domain user can log on to any domain PC (not server). You can modify the User Rights Assignments on PCs via group policy for who can log on locally, and who is denied local logon. You can approach it from either direction, but remember that you need to remember teachers, staff, and computer administrators. If you do the deny route, you can deny for all of your students that should be prohibited. If you change the allow route, you need to include the students, teachers, and staff in the allow list. What I would do is create a domain local group of all user groups that represents the allowed or denied users. I would apply that to a GPO that applies to all PCs in the building. Repeat for all other buildings. Remember that a deny takes precedence over permit.

    To get to User Rights Assignment in a GPO: Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment.

    Be very careful, you can get yourself into a lot of trouble here!
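
The deny route from the answers above, scripted with the ActiveDirectory and GroupPolicy PowerShell modules so that no account has to be edited by hand. This is an added example, not part of any answer on this page; the building names, the OU layout (OU=Students and OU=PCs under each building OU, plus OU=Groups) and the group and GPO names are assumptions.

```powershell
Import-Module ActiveDirectory, GroupPolicy

$domainDN  = (Get-ADDomain).DistinguishedName
$buildings = 'BuildingA', 'BuildingB', 'BuildingC'   # assumed building OU names
$groupOU   = "OU=Groups,$domainDN"                    # assumed OU for the new groups

function Confirm-Group($Name, $Scope) {
    # Create the security group only if it does not exist yet
    if (-not (Get-ADGroup -Filter "Name -eq '$Name'")) {
        New-ADGroup -Name $Name -SamAccountName $Name -GroupScope $Scope `
                    -GroupCategory Security -Path $groupOU
    }
}
function Add-Missing($Group, $Members) {
    # Add only members not already present, so the script can be re-run safely
    $have = @(Get-ADGroupMember -Identity $Group | ForEach-Object DistinguishedName)
    $new  = @($Members | Where-Object { $_ -and ($have -notcontains $_.DistinguishedName) })
    if ($new.Count) { Add-ADGroupMember -Identity $Group -Members $new }
}

# Pass 1: one global group per building, filled from that building's student OU
foreach ($b in $buildings) {
    Confirm-Group "Students-$b" Global
    Add-Missing "Students-$b" (Get-ADUser -Filter * -SearchBase "OU=Students,OU=$b,$domainDN")
}

# Pass 2: per building, a domain local group holding every OTHER building's
# students, and an empty GPO linked to that building's PC OU
foreach ($b in $buildings) {
    Confirm-Group "DenyLogon-$b" DomainLocal
    $others = $buildings | Where-Object { $_ -ne $b } | ForEach-Object { Get-ADGroup "Students-$_" }
    Add-Missing "DenyLogon-$b" $others
    $gpo = "Logon-Restrict-$b"
    if (-not (Get-GPO -Name $gpo -ErrorAction SilentlyContinue)) {
        New-GPO -Name $gpo | New-GPLink -Target "OU=PCs,OU=$b,$domainDN" | Out-Null
    }
    "$gpo : add DenyLogon-$b under 'Deny log on locally' in the GPO editor"
}

# Run elevated on a building PC after gpupdate to see what was actually applied
function Get-LogonRights {
    $inf = Join-Path $env:TEMP 'rights.inf'
    secedit /export /areas USER_RIGHTS /cfg $inf | Out-Null
    Select-String -Path $inf -Pattern '^Se(Deny)?InteractiveLogonRight'
}
```

The script only builds the groups and linked GPOs; the "Deny log on locally" entry itself is still set at the User Rights Assignment path given above. Teachers, staff and administrators are never placed in a DenyLogon group, so the deny cannot lock them out.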
