Solved

Limit logon rights

Posted on 2014-03-10
Last Modified: 2014-03-10
I would like to limit the right to logon to client workstations based on group membership. For example marketing users should only be able to logon to marketing workstations, sales users to sales workstations etc.

How can I achieve this result without creating an OU for every department?
Question by:albatros99
3 Comments
 
LVL 57

Expert Comment

by:Mike Kline
ID: 39917956
You could split the workstations into separate OUs based on group (Marketing PCs, Sales PCs, etc.).

You can then apply a group policy "allow logon locally"

http://technet.microsoft.com/en-us/library/ee957044(v=ws.10).aspx

Have only those members (create a group) have that right.

If you have all your workstations in one OU you can use security filtering and the policies only apply to certain PCs.  In my opinion splitting it up makes it easier to troubleshoot.

Thanks

Mike
 
LVL 11

Expert Comment

by:BillBondo
ID: 39917966
In the AD user account tab you can assign "only log on to these computers", but that might be just as much work.
 
LVL 13

Accepted Solution

by:
Santosh Gupta earned 2000 total points
ID: 39918308
Hi,

It is highly recommended to use OUs to achieve such goals.

However, if you want to manage it without OUs, then please understand the given solution properly and take a proper backup of your domain controllers.

1.      Create 4 security groups.
    a)      Sales_Users
    b)      Marketing_Users
    c)      Sales_Computers
    d)      Marketing_Computers

2.      Put all users and machines into their respective groups.

3.      Create 2 group policies.
    a)      Allow login for Sales
    b)      Allow login for Marketing

4.      Edit the "Allow login for Sales" policy, go to the "allow logon locally" policy and add the Sales_Users group.

5.      Edit the "Allow login for Marketing" policy, go to the "allow logon locally" policy and add the Marketing_Users group.

6.      Now go to the "Group Policy Management Console", select the "Allow login for Sales" policy, and on the right side click on "Delegation", then "Advanced".
    a)      Add "Marketing_Computers" and provide "Deny" rights.
    b)      Add "Sales_Computers" and provide "Allow" rights.

7.      Now select the "Allow login for Marketing" policy, and on the right side click on "Delegation", then "Advanced".
    a)      Add "Sales_Computers" and provide "Deny" rights.
    b)      Add "Marketing_Computers" and provide "Allow" rights.

8.      Run Gpupdate /Force and check.

Again, please test it before applying it in a production environment.
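
An audit for the group-based filtering described in the accepted answer, added here as an example and not part of the original thread: it flags workstations that sit in neither or both computer groups and lists the ACL on each GPO so the Allow and Deny entries from steps 6 and 7 can be confirmed. It assumes the RSAT ActiveDirectory and GroupPolicy modules and that workstations are the computer accounts without a server operating system; the group and GPO names are the ones used in the answer.

```powershell
# Added example (not from the thread). Assumes the RSAT ActiveDirectory and
# GroupPolicy modules; GPO and group names are the ones used in the answer.
Import-Module ActiveDirectory, GroupPolicy

$gpoToGroup = @{
    'Allow login for Sales'     = 'Sales_Computers'
    'Allow login for Marketing' = 'Marketing_Computers'
}

# Map each computer DN to the department computer groups it belongs to.
$membership = @{}
foreach ($group in $gpoToGroup.Values) {
    Get-ADGroupMember -Identity $group -Recursive |
        Where-Object { $_.objectClass -eq 'computer' } |
        ForEach-Object {
            $dn = $_.DistinguishedName
            if (-not $membership.ContainsKey($dn)) { $membership[$dn] = @() }
            $membership[$dn] += $group
        }
}

# Assumption: workstations are the computer accounts without a server OS.
$workstations = Get-ADComputer -Filter 'OperatingSystem -notlike "*Server*"'

# Each workstation should be in exactly one department computer group.
$workstations | ForEach-Object {
    $groups = @()
    if ($membership.ContainsKey($_.DistinguishedName)) {
        $groups = $membership[$_.DistinguishedName]
    }
    $status = switch ($groups.Count) {
        0       { 'NO GROUP: not covered by either GPO''s Allow/Deny entries' }
        1       { 'OK' }
        default { 'MULTIPLE GROUPS: Deny entry wins on both GPOs' }
    }
    [pscustomobject]@{ Computer = $_.Name; Groups = $groups -join ', '; Status = $status }
} | Sort-Object Status, Computer | Format-Table -AutoSize

# List the ACL of each GPO to confirm the entries set in steps 6 and 7.
foreach ($gpo in $gpoToGroup.Keys) {
    Get-GPPermission -Name $gpo -All |
        Select-Object @{ n = 'GPO'; e = { $gpo } },
                      @{ n = 'Trustee'; e = { $_.Trustee.Name } },
                      Permission, Denied |
        Format-Table -AutoSize
}
```

A change to a computer's group membership is only picked up after that workstation restarts; `gpresult /r /scope computer` on the workstation then shows which of the two GPOs was applied.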
Question has a verified solution.
