Group Policy LSDOU

If I understand correctly, AD GPO works in the hierarchy of LSDOU.
If there are conflicting settings, the settings applied at the last object always win.
Well, if I need to dedicate some computers, either workstations or servers, to just a group of people to be able to log in to, do I need to put those computers in a separate OU and change the user rights assignment to Allow login locally for just a specific group?
Or is there another way to leave the computers where they are among other computers and come up with another idea?

Thank you
Sandeshdubey (Senior Server Engineer) commented:
Apply both Deny logon locally and deny log on through Terminal Services.

I will recommend setting the GPO on an OU and moving the computers/servers in question to this OU for easy manageability. However, you need to ensure that any other policy template applied to the original OU is applied to the new OU too.

You can apply security filtering; the choice is yours. I will recommend first creating a test OU, applying the policy, moving a couple of computers and testing. Once successful, apply the policy as per requirement.
alicain commented:

Note that User Rights Assignments are NOT cumulative. So you will need to look at how they are defined in other policies that apply to these objects and also include them in the policy you apply here.
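
To illustrate the non-cumulative behaviour described in the comment above, here is an added example (not part of the original thread) that resolves the `[Privilege Rights]` sections of several GPOs in processing order and reports which principals lose a right because the winning GPO did not repeat them. The GPO names, the `S-1-5-21-1111-2222-3333-*` SIDs and the `.inf` fragments are constructed, and the sketch assumes no Enforced links or blocked inheritance.

```python
import configparser

# Constructed GptTmpl.inf fragments in processing order (LSDOU, last wins).
# GPO names and the S-1-5-21-... domain SIDs are made up for illustration.
GPOS_IN_ORDER = [
    ("Domain Baseline", """
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-551
SeDenyInteractiveLogonRight = *S-1-5-32-546
"""),
    ("Servers OU Hardening", """
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-21-1111-2222-3333-1105
"""),
    ("Dedicated PCs", """
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-21-1111-2222-3333-1200
"""),
]

def parse_rights(inf_text):
    """Return {right_name: set(principals)} from a [Privilege Rights] section."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep the original case of the right names
    cp.read_string(inf_text)
    if not cp.has_section("Privilege Rights"):
        return {}
    return {right: {p.strip() for p in value.split(",") if p.strip()}
            for right, value in cp["Privilege Rights"].items()}

def resolve(gpos):
    """Apply GPOs in order; each right is replaced wholesale, never merged."""
    effective, source, seen = {}, {}, {}
    for name, inf in gpos:
        for right, principals in parse_rights(inf).items():
            effective[right] = principals   # replace, do not union
            source[right] = name
            seen.setdefault(right, set()).update(principals)
    dropped = {r: seen[r] - effective[r] for r in effective}
    return effective, source, dropped

if __name__ == "__main__":
    effective, source, dropped = resolve(GPOS_IN_ORDER)
    for right in effective:
        print(f"{right}: {sorted(effective[right])} (from {source[right]})")
        print(f"  lost from earlier GPOs: {sorted(dropped[right])}")
```

In this sample the last GPO leaves only the dedicated group with Allow log on locally, so built-in Administrators (`S-1-5-32-544`) lose interactive logon unless they are listed again, while the Deny log on locally entry from the baseline still applies because no later GPO redefines it.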


Mohammed Khawaja (Manager - Infrastructure: Information Technology) commented:
You can leave the computers where they are. Create your GPO, apply it at the top level of your OU (let's assume a computers OU under which you have created other OUs such as servers and PCs) and then select the group created instead of domain users or domain computers.
Sushil Sonawane commented:
The best practice is to put those computers in a separate OU and change the user rights assignment to Allow login locally, or apply through group policy.
Sarang Tinguria (Sr Engineer) commented:
Your plan is good and simple, but one other way is:

Create GPO with that specific setting
Link it to domain
Set on top priority among other policy defined in domain.
Set security filtering to apply that GPO only to those specific workstations and servers

If moving servers from their original OU was not that critical to me then I would have followed your plan, but moving computer objects is a headache in my environment, so I would have followed the above plan given by me.
jskfan (Author) commented:
Thank you guys
Question has a verified solution.
