Group Policy LSDOU

If I understand correctly, AD GPO works in the hierarchy of LSDOU.
If there are conflicting settings, the settings applied at the last object always win.
Well, if I need to dedicate some computers, either workstations or servers, to just a group of people to be able to log in to, do I need to put those computers in a separate OU and change the user right assignment to Allow login locally to just a specific group?
Or is there another way to leave the computers where they are among other computers and come up with another idea?

Thank you

Note that User Rights Assignments are NOT cumulative. So you will need to look at how they are defined in other policies that apply to these objects and also include them in the policy you apply here.
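
The non-cumulative behaviour described in the answer above, as an added example that is not part of the original thread: a small Python model of LSDOU processing in which the last GPO to define a user right replaces the member list outright, and which reports the principals that were lost. The GPO, computer and group names are constructed; security filtering is simplified to a list of computer names, and enforced links and blocked inheritance are not modelled.

```python
from dataclasses import dataclass

LEVELS = ("Local", "Site", "Domain", "OU")  # LSDOU processing order
LOGON = "SeInteractiveLogonRight"           # "Allow log on locally"

@dataclass
class Gpo:
    name: str
    level: str                   # where the GPO is linked
    rights: dict                 # user right -> principals this GPO defines
    link_order: int = 1          # within one level, link order 1 is processed last
    applies_to: tuple = ("*",)   # assumption: filtering modelled by computer name

def resolve(gpos, computer):
    """Return {right: (winning GPO, effective members, members lost)}."""
    scoped = [g for g in gpos if "*" in g.applies_to or computer in g.applies_to]
    # Lower-precedence GPOs first, so the last write is the one that sticks.
    scoped.sort(key=lambda g: (LEVELS.index(g.level), -g.link_order))
    winner, seen = {}, {}
    for gpo in scoped:
        for right, members in gpo.rights.items():
            seen.setdefault(right, set()).update(members)
            winner[right] = (gpo.name, set(members))  # replace, never merge
    # "lost" = principals some earlier GPO granted but the winner omits.
    return {r: (name, m, seen[r] - m) for r, (name, m) in winner.items()}

# Constructed sample: a baseline linked at the domain and a restriction
# linked at the OU, filtered to one dedicated machine.
SAMPLE = [
    Gpo("Workstation Baseline", "Domain",
        {LOGON: {"Administrators", "Backup Operators", "Users"}}),
    Gpo("Restricted Logon", "OU",
        {LOGON: {"CORP\\Kiosk-Users"}}, applies_to=("KIOSK01",)),
]

if __name__ == "__main__":
    for pc in ("KIOSK01", "PC02"):
        for right, (gpo, members, lost) in resolve(SAMPLE, pc).items():
            print(f"{pc}: {right} from '{gpo}' = {sorted(members)}; "
                  f"dropped: {sorted(lost)}")
```

On KIOSK01 the restriction wins and Administrators silently lose the right to log on locally, which is why the winning policy has to restate every principal that should keep the right.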

Mohammed Khawaja, Manager - Infrastructure: Information Technology, commented:
You can leave the computers where they are. Create your GPO, apply it at the top level of your OU (let's assume a computers OU under which you have created other OUs such as servers and PCs) and then select the group created instead of domain users or domain computers.

Sushil Sonawane commented:
The best practice is to put those computers in a separate OU and change the user right assignment to Allow login locally, or apply it through group policy.
Your plan is good and simple, but one other way is:

Create a GPO with that specific setting
Link it to the domain
Set it to top priority among the other policies defined in the domain
Set security filtering to apply that GPO only to those specific workstations and servers

If moving servers from their original OU were not that critical to me, I would have followed your plan, but if moving computer objects were a headache in my environment, I would have followed the plan I gave above.
Sandeshdubey, Senior Server Engineer, commented:
Apply both Deny logon locally and deny log on through Terminal Services.

I will recommend setting the GPO on an OU and moving the computers/servers in question to this OU for easy manageability. However, you need to ensure that any other policy template applied to the original OU is applied to the new OU too.

You can apply security filtering; the choice is yours. I will recommend first creating a test OU, applying the policy, moving a couple of computers and testing. Once successful, apply the policy as per requirement.

jskfan (Author) commented:
Thank you, guys.