Solved

Limit logon rights

Posted on 2014-03-10
3
214 Views
Last Modified: 2014-03-10
I would like to limit the right to logon to client workstations based on group membership. For example marketing users should only be able to logon to marketing workstations, sales users to sales workstations etc.

How can I achieve this result without creating an OU for every department?
0
Comment
Question by:albatros99
3 Comments
 
LVL 57

Expert Comment

by:Mike Kline
ID: 39917956
You could split the workstations into separate OUs based on group (Marketing PCs, Sales PCs, etc)

You can then apply a group policy "allow logon locally"

http://technet.microsoft.com/en-us/library/ee957044(v=ws.10).aspx

have only those members (create a group) have that right.

If you have all your workstations in one OU you can use security filtering and the policies only apply to certain PCs.  In my opinion splitting it up makes it easier to troubleshoot.

Thanks

Mike
0
 
LVL 11

Expert Comment

by:BillBondo
ID: 39917966
In AD user account tab you can assign only log onto these computers but that might be just as much work
0
 
LVL 13

Accepted Solution

by:
Santosh Gupta earned 500 total points
ID: 39918308
Hi,

It is highly recommended to use OU to achieve such goals.

Although if you want to manage it without OU. Then please understand the given solution properly and take the proper backup of you domain controllers.

1.      Create 4 Security Groups.
    a)      Sales_Users
    b)      Marketing_Users
    c)      Sales_Computers
    d)      Marketing_Computers

2.      Put all users and machines to their respective group.

3.      Create 2 group policy
    a)      Allow login for Sales
    b)      Allow login for Marketing

4.      Edit "Allow login for Sales"  policy, go to "allow logon locally policy" and add  Sales_Users group.

5.      Edit "Allow login for Marketing"  policy, go to "allow logon locally policy" and add  Marketing_Users group

6.      Now go to "Group policy management console", select the "Allow login for Sales" policy, At right side click on "Delegation" then "Advanced".
    a)      Add " Marketing_Computers" and provide "Deny" rights.
    b)      Add " Sales_Computers" and provide "Allow" rights.

7.      Now select the "Allow login for Marketing " policy, At right side click on "Delegation" then "Advanced".
    a)      Add " Sales_Computers" and provide "Deny" rights.
    b)      Add " Marketing_Computers" and provide "Allow" rights

8.      Run Gpupdate /Force and check.

Again, Please test it before applying in production environment.
0

Featured Post

Is Your AD Toolbox Looking More Like a Toybox?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This script can help you clean up your user profile database by comparing profiles to Active Directory users in a particular OU, and removing the profiles that don't match.
This article describes my battle tested process for setting up delegation. I use this process anywhere that I need to setup delegation. In the article I will show how it applies to Active Directory
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …
This video shows how to use Hyena, from SystemTools Software, to bulk import 100 user accounts from an external text file. View in 1080p for best video quality.

821 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question