Solved

How do I restrict Netbook to a single domain user based on Computer name

Posted on 2011-09-14
Last Modified: 2012-05-12
Dear team

We have 1500 student netbooks floating around at our school, which have Windows 7 working fine. The problem we are having is that other students who do not have netbooks are using their friends' netbooks, which we wanted to stop from happening.

Netbooks are named in yr7-abc0001 format, where abc0001 is their student ID. This student ID is also their domain user account, which is used to log on to their netbooks. So I need some kind of assistance where I can lock the netbook to the owner so others can't log on.

Has anyone come across a way to sort this out? Any script that we can implement to stop other students using the netbooks?

I had no luck with VB scripting... please help.
Question by:balwynhigh

Expert Comment

by:gaurav05
Hi,

1) Right-click on the Active Directory user's name.

2) Go to the Account tab.

3) Click on the Log On To button.

4) It will open the Logon Workstation window.

5) Add the computer name for that particular user or student.

Now only that particular user can login into that netbook.

I also attach the screenshot.

If there are any issues, let me know.


ScreenShot005.bmp

Accepted Solution

by:netjgrnaut (earned 500 total points)
"now only that particular user can login into that netbook"

should say

"now that particular user can login into that netbook *only*"

The solution shown restricts where the USER can logon; not who can logon to that COMPUTER.  Other users (who aren't so restricted) can still logon to that computer.  This would only work if you apply the setting to *every* student.

If I understand you, you want to make sure that only a particular student (plus some set of grown-ups - support staff, etc) can logon to each netbook.

I recommend using AD Group Policy to restrict interactive logon to only local Administrators, plus a new local group (created on each computer) called "AssignedStudent" or somesuch.

Then, either in device deployment or after the fact, you'd script adding a single domain user to this AssignedStudent local group.  The same script can be run on all computers, as it will build the name of the AD user to add to the local group (student account) from the laptop name.

Ideas for scripting to pull the laptop name and add a user to a local group using PowerShell can be found here:

Get Computer Name (and put it in a variable)

Add domain user to local group

Hope that gives you some ideas about how to solve this problem.
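
One way to script the step described in the answer above, as an added PowerShell example that is not code from the thread or from any participant: it derives the student ID from the computer name, creates the local AssignedStudent group if needed, and makes that student its only member (removing other members goes beyond what the answer describes). The domain name EXAMPLEDOM, the name pattern and the script parameters are assumptions, and the group only has an effect once Group Policy limits "Allow log on locally" to Administrators and this group.

```powershell
# Added example (not from the thread). Run elevated, e.g. as a computer
# startup script. Assumptions: EXAMPLEDOM is a placeholder NetBIOS domain name,
# and the student ID is letters then digits after the hyphen (yr7-abc0001).
param(
    [string]$Domain       = 'EXAMPLEDOM',
    [string]$GroupName    = 'AssignedStudent',
    [string]$ComputerName = $env:COMPUTERNAME
)

# Refuse to act on names outside the scheme, so a staff PC or a renamed
# machine never gets an unintended account added.
if ($ComputerName -notmatch '^yr\d+-(?<id>[a-z]+\d+)$') {
    Write-Error "'$ComputerName' is not a student netbook name; no change made."
    exit 1
}
$wanted = "WinNT://$Domain/$($Matches['id'])"

# Create the local group on first run.
$groupPath = "WinNT://$ComputerName/$GroupName,group"
try   { $exists = [ADSI]::Exists($groupPath) }
catch { $exists = $false }
if (-not $exists) {
    $new = ([ADSI]"WinNT://$ComputerName,computer").Create('group', $GroupName)
    $new.SetInfo()
}
$group = [ADSI]$groupPath

# Current members as ADsPath strings (members are COM objects, hence InvokeMember).
$members = @($group.psbase.Invoke('Members') | ForEach-Object {
    $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
})

# Remove anyone who is not the assigned student (for example a previous owner).
foreach ($m in $members) {
    if ($m -ne $wanted) {
        $group.Remove($m)
        Write-Output "Removed $m from $GroupName"
    }
}

# Add the assigned student if not already present (safe to re-run).
if ($members -notcontains $wanted) {
    $group.Add($wanted)
    Write-Output "Added $wanted to $GroupName"
}
```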
Author Comment

by:balwynhigh
Yes, the solution which was posted by Gaurav restricts where the USER can log on, and not who can log on to the computer.

I would be able to set up the above solution in the answer file when I image the new netbooks.

However, I need a solution to fix the existing 600 netbooks, so that only the owner of the netbook can log on and not others.

Work I have done so far, which I am hoping you guys can shed some light on:

-- With Group Policy I have removed Authenticated Users, Interactive and Domain Users from the LOCAL USERS group, which stopped domain users from being able to log on.
-- Created a VB script to add a domain user based on the computer name (luckily we have included students' logon IDs in the computer name). I was able to fetch the username from the computer name, but the problem with this script is that it wouldn't add the user to the LOCAL USERS group. I am thinking that it needs domain authentication for adding a domain user to the LOCAL USERS group (domain\username).

Please can someone look at the code attached and modify it so that it meets our requirements. Even if you guys can provide me a PowerShell script to achieve this task, it would be much appreciated.

Thanks in anticipation.




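Option Explicit
Dim objAdmins, objUser, strComputer, userName, wshShell

' Read the local computer name from the environment.
Set wshShell = WScript.CreateObject( "WScript.Shell" )
strComputer = wshShell.ExpandEnvironmentStrings( "%COMPUTERNAME%" )
WScript.Echo "Computer Name: " & strComputer

' From here on, run-time errors are ignored rather than reported.
On Error Resume Next

' Bind to the local Users group on this computer.
Set objAdmins = GetObject("WinNT://" & strComputer & "/Users")

' Take the last 8 characters of the computer name as the user name.
userName = Right(strComputer,8)

WScript.Echo "uSER Name: " & userName
' Bind to the domain user account.
Set objUser = GetObject("WinNT://balwynhs" & "/" & userName)

' Add the domain user to the local group.
objAdmins.Add(objUser.ADsPath)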


Expert Comment

by:netjgrnaut
Try something like this...

Option Explicit

Dim objLocalGroup, objDomainUser

' Bind to local group object.
Set objLocalGroup = GetObject("WinNT://MyComputer/MyGroup,group")

' Bind to domain user object.
Set objDomainUser = GetObject("WinNT://MyDomain/JSmith,user")

' Check if user already a member of group.
If (objLocalGroup.IsMember(objDomainUser.ADsPath) = False) Then
    ' Add domain user to local group.
    objLocalGroup.Add(objDomainUser.ADsPath)
End If 

More discussion around this topic available here:
http://social.technet.microsoft.com/Forums/en/ITCG/thread/7b7a57f9-a498-4d19-bea0-afa18098cb97

Hope that does the trick!

Author Comment

by:balwynhigh
Thanks for all your hints.

I got it working by building a PowerShell script and that worked great.