Solved

Limit logon rights

Posted on 2014-03-10
3
210 Views
Last Modified: 2014-03-10
I would like to limit the right to logon to client workstations based on group membership. For example marketing users should only be able to logon to marketing workstations, sales users to sales workstations etc.

How can I achieve this result without creating an OU for every department?
0
Comment
Question by:albatros99
3 Comments
 
LVL 57

Expert Comment

by:Mike Kline
ID: 39917956
You could split the workstations into separate OUs based on group (Marketing PCs, Sales PCs, etc)

You can then apply a group policy "allow logon locally"

http://technet.microsoft.com/en-us/library/ee957044(v=ws.10).aspx

have only those members (create a group) have that right.

If you have all your workstations in one OU you can use security filtering and the policies only apply to certain PCs.  In my opinion splitting it up makes it easier to troubleshoot.

Thanks

Mike
0
 
LVL 11

Expert Comment

by:BillBondo
ID: 39917966
In AD user account tab you can assign only log onto these computers but that might be just as much work
0
 
LVL 13

Accepted Solution

by:
Santosh Gupta earned 500 total points
ID: 39918308
Hi,

It is highly recommended to use OU to achieve such goals.

Although if you want to manage it without OU. Then please understand the given solution properly and take the proper backup of you domain controllers.

1.      Create 4 Security Groups.
    a)      Sales_Users
    b)      Marketing_Users
    c)      Sales_Computers
    d)      Marketing_Computers

2.      Put all users and machines to their respective group.

3.      Create 2 group policy
    a)      Allow login for Sales
    b)      Allow login for Marketing

4.      Edit "Allow login for Sales"  policy, go to "allow logon locally policy" and add  Sales_Users group.

5.      Edit "Allow login for Marketing"  policy, go to "allow logon locally policy" and add  Marketing_Users group

6.      Now go to "Group policy management console", select the "Allow login for Sales" policy, At right side click on "Delegation" then "Advanced".
    a)      Add " Marketing_Computers" and provide "Deny" rights.
    b)      Add " Sales_Computers" and provide "Allow" rights.

7.      Now select the "Allow login for Marketing " policy, At right side click on "Delegation" then "Advanced".
    a)      Add " Sales_Computers" and provide "Deny" rights.
    b)      Add " Marketing_Computers" and provide "Allow" rights

8.      Run Gpupdate /Force and check.

Again, Please test it before applying in production environment.
0

Featured Post

Windows Server 2016: All you need to know

Learn about Hyper-V features that increase functionality and usability of Microsoft Windows Server 2016. Also, throughout this eBook, you’ll find some basic PowerShell examples that will help you leverage the scripts in your environments!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

As network administrators; we know how hard it is to track user’s login/logout using security event log (BTW it is harder now in windows 2008 because user name is always “N/A” in the grid), and most of us either get 3rd party tools, or just make our…
Disabling the Directory Sync Service Account in Office 365 will stop directory synchronization from working.
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …

864 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

19 Experts available now in Live!

Get 1:1 Help Now