Solved

Limit logon rights

Posted on 2014-03-10
221 Views
Last Modified: 2014-03-10
I would like to limit the right to log on to client workstations based on group membership. For example, marketing users should only be able to log on to marketing workstations, sales users to sales workstations, etc.

How can I achieve this result without creating an OU for every department?
Question by: albatros99
3 Comments
Expert Comment by: Mike Kline (LVL 57), ID: 39917956
You could split the workstations into separate OUs based on group (Marketing PCs, Sales PCs, etc.).

You can then apply a group policy "Allow logon locally" (http://technet.microsoft.com/en-us/library/ee957044(v=ws.10).aspx) and have only those members (create a group) have that right.

If you have all your workstations in one OU you can use security filtering so the policies only apply to certain PCs. In my opinion splitting it up makes it easier to troubleshoot.

Thanks

Mike
Expert Comment by: BillBondo (LVL 11), ID: 39917966
In the AD user account tab you can assign "log on to only these computers", but that might be just as much work.
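The per-user alternative BillBondo mentions is the "Log On To..." button on the user's Account tab, which writes the userWorkstations attribute (exposed by the ActiveDirectory module as LogonWorkstations). The following PowerShell is an added example, not code from the thread: it fills that attribute for every member of a user group from the members of a computer group, reusing the group names from the accepted solution below. It assumes the RSAT ActiveDirectory module; the user and computer names are constructed placeholders. The 64-entry cap is the limit the Account tab UI enforces, which is why this approach does not scale the way a GPO does.

```powershell
# Added example (not from the original thread). Assumes the RSAT
# ActiveDirectory module and rights to modify the users in $UserGroup.
Import-Module ActiveDirectory

function Set-GroupLogonWorkstations {
    param(
        [Parameter(Mandatory)] [string] $UserGroup,
        [Parameter(Mandatory)] [string] $ComputerGroup
    )
    # Build the allowed list from the computer group's members. LogonWorkstations
    # wants NetBIOS names, i.e. the SAM account name without the trailing '$'.
    $pcs = @(Get-ADGroupMember -Identity $ComputerGroup |
             Where-Object objectClass -eq 'computer' |
             ForEach-Object { $_.SamAccountName.TrimEnd('$') })

    # Guard against writing an empty or oversized list: an empty value removes the
    # restriction entirely, and the Account tab UI accepts at most 64 computers.
    if ($pcs.Count -eq 0) { throw "No computers in $ComputerGroup; refusing to write an empty list" }
    if ($pcs.Count -gt 64) { throw "$ComputerGroup has $($pcs.Count) computers; LogonWorkstations allows 64" }

    $list = $pcs -join ','
    Get-ADGroupMember -Identity $UserGroup |
        Where-Object objectClass -eq 'user' |
        ForEach-Object { Set-ADUser -Identity $_.SamAccountName -LogonWorkstations $list }
    return $list
}

# Usage: same grouping as the accepted solution, but enforced per user account.
Set-GroupLogonWorkstations -UserGroup 'Sales_Users'     -ComputerGroup 'Sales_Computers'
Set-GroupLogonWorkstations -UserGroup 'Marketing_Users' -ComputerGroup 'Marketing_Computers'

# Verify one (placeholder) user; the domain controller enforces the list at logon.
Get-ADUser -Identity 'jsmith' -Properties LogonWorkstations |
    Select-Object SamAccountName, LogonWorkstations
```

Because the attribute is a flat string per user, every change to a computer group means re-running the function for all affected users; a new PC is not covered until that happens, which is the "just as much work" BillBondo refers to.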
Accepted Solution by: Santosh Gupta (LVL 13, earned 500 total points), ID: 39918308
Hi,

It is highly recommended to use OUs to achieve such goals.

If you want to manage it without OUs, then please understand the given solution properly and take a proper backup of your domain controllers.

1. Create 4 security groups:
    a) Sales_Users
    b) Marketing_Users
    c) Sales_Computers
    d) Marketing_Computers

2. Put all users and machines into their respective groups.

3. Create 2 group policies:
    a) Allow login for Sales
    b) Allow login for Marketing

4. Edit the "Allow login for Sales" policy, go to the "Allow logon locally" policy and add the Sales_Users group.

5. Edit the "Allow login for Marketing" policy, go to the "Allow logon locally" policy and add the Marketing_Users group.

6. Now go to the Group Policy Management Console, select the "Allow login for Sales" policy, and on the right side click "Delegation", then "Advanced".
    a) Add "Marketing_Computers" and provide "Deny" rights.
    b) Add "Sales_Computers" and provide "Allow" rights.

7. Now select the "Allow login for Marketing" policy, and on the right side click "Delegation", then "Advanced".
    a) Add "Sales_Computers" and provide "Deny" rights.
    b) Add "Marketing_Computers" and provide "Allow" rights.

8. Run gpupdate /force and check.

Again, please test it before applying it in a production environment.
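The eight steps above (which also cover Mike Kline's group-policy suggestion) scripted in PowerShell, as an added example that is not part of the original thread. It assumes the RSAT ActiveDirectory and GroupPolicy modules, a caller who can create groups and GPOs, and a placeholder "Workstations" OU to link the policies to; the user, computer and OU names are constructed. It departs from steps 6a/7a in one respect: it uses allow-only security filtering (only the matching computer group gets Apply, and Authenticated Users is lowered to Read) instead of explicit Deny entries, which Set-GPPermission cannot write; Deny entries, if you still want them, go through GPMC Delegation > Advanced exactly as the answer describes. Steps 4 and 5 have no cmdlet either, so the block names the editor location and adds the caveat a practitioner needs: a defined "Allow log on locally" list replaces the workstation's local list, so Administrators must be in it too.

```powershell
# Added example (not from the original thread). Assumes RSAT ActiveDirectory and
# GroupPolicy modules. Group and GPO names follow the accepted solution; the OU
# path and the user/computer names are placeholders.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDN      = (Get-ADDomain).DistinguishedName
$workstationOU = "OU=Workstations,$domainDN"   # assumption: all client PCs live here

# Step 1: four global security groups (usable as members and in GPO ACLs).
foreach ($g in 'Sales_Users','Marketing_Users','Sales_Computers','Marketing_Computers') {
    if (-not (Get-ADGroup -Filter "Name -eq '$g'")) {
        New-ADGroup -Name $g -GroupScope Global -GroupCategory Security -Path $domainDN
    }
}

# Step 2: membership (placeholder names; computer SAM names end in '$').
Add-ADGroupMember -Identity 'Sales_Users'         -Members 'jsmith'
Add-ADGroupMember -Identity 'Sales_Computers'     -Members 'SALES-PC01$'
Add-ADGroupMember -Identity 'Marketing_Users'     -Members 'ajones'
Add-ADGroupMember -Identity 'Marketing_Computers' -Members 'MKT-PC01$'

# Steps 3, 6, 7: one GPO per department, filtered so that only the matching
# computer group applies it. Authenticated Users keeps Read (so the GPO can still
# be retrieved) but loses Apply; with that, the explicit Deny from steps 6a/7a is
# unnecessary. Both GPOs are linked to the same OU, which is the whole point of
# avoiding per-department OUs.
$map = @{
    'Allow login for Sales'     = 'Sales_Computers'
    'Allow login for Marketing' = 'Marketing_Computers'
}
foreach ($gpoName in $map.Keys) {
    if (-not (Get-GPO -Name $gpoName -ErrorAction SilentlyContinue)) { New-GPO -Name $gpoName | Out-Null }
    Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' -TargetType Group `
                     -PermissionLevel GpoRead -Replace | Out-Null
    Set-GPPermission -Name $gpoName -TargetName $map[$gpoName] -TargetType Group `
                     -PermissionLevel GpoApply | Out-Null
    New-GPLink -Name $gpoName -Target $workstationOU -LinkEnabled Yes -ErrorAction SilentlyContinue | Out-Null
}

# Steps 4 and 5: no GroupPolicy cmdlet sets user rights. Edit each GPO in GPMC at
#   Computer Configuration > Policies > Windows Settings > Security Settings >
#   Local Policies > User Rights Assignment > Allow log on locally
# and add Sales_Users (or Marketing_Users) AND BUILTIN\Administrators. A defined
# value replaces the workstation's local list, so omitting Administrators locks
# local admins out of interactive logon as well.

# Step 8 check, run on a workstation after 'gpupdate /force': export the
# effective security policy and confirm SeInteractiveLogonRight lists only the
# expected SIDs (Administrators plus the department group).
secedit /export /cfg "$env:TEMP\effective.inf" | Out-Null
Select-String -Path "$env:TEMP\effective.inf" -Pattern '^SeInteractiveLogonRight'
```

The verification line matters more than it looks: because the right is applied per computer, a workstation that ended up in both computer groups (or in neither) will show an unexpected SID list, or none at all, and that is the symptom to look for before rolling out beyond the test machines the answer asks for.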