Solved

Limit logon rights

Posted on 2014-03-10
Last Modified: 2014-03-10
I would like to limit the right to logon to client workstations based on group membership. For example marketing users should only be able to logon to marketing workstations, sales users to sales workstations etc.

How can I achieve this result without creating an OU for every department?
Question by:albatros99
3 Comments
 
Expert Comment by: Mike Kline
ID: 39917956
You could split the workstations into separate OUs based on group (Marketing PCs, Sales PCs, etc.).

You can then apply a group policy, "Allow log on locally":

http://technet.microsoft.com/en-us/library/ee957044(v=ws.10).aspx

and have only those members (create a group) have that right.

If you have all your workstations in one OU you can use security filtering so the policies only apply to certain PCs. In my opinion splitting it up makes it easier to troubleshoot.

Thanks

Mike

Expert Comment by: BillBondo
ID: 39917966
In the AD user account tab you can assign "Log on to these computers only", but that might be just as much work.

Accepted Solution by: Santosh Gupta (earned 500 total points)
ID: 39918308
Hi,

It is highly recommended to use OUs to achieve such goals.

Although, if you want to manage it without OUs, then please understand the given solution properly and take a proper backup of your domain controllers.

1. Create 4 security groups:
    a) Sales_Users
    b) Marketing_Users
    c) Sales_Computers
    d) Marketing_Computers

2. Put all users and machines into their respective groups.

3. Create 2 group policies:
    a) Allow login for Sales
    b) Allow login for Marketing

4. Edit the "Allow login for Sales" policy, go to the "Allow log on locally" policy and add the Sales_Users group.

5. Edit the "Allow login for Marketing" policy, go to the "Allow log on locally" policy and add the Marketing_Users group.

6. Now go to the Group Policy Management Console, select the "Allow login for Sales" policy, and on the right side click "Delegation", then "Advanced".
    a) Add "Marketing_Computers" and provide "Deny" rights.
    b) Add "Sales_Computers" and provide "Allow" rights.

7. Now select the "Allow login for Marketing" policy, and on the right side click "Delegation", then "Advanced".
    a) Add "Sales_Computers" and provide "Deny" rights.
    b) Add "Marketing_Computers" and provide "Allow" rights.

8. Run gpupdate /force and check.

Again, please test it before applying it in a production environment.
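The following PowerShell is an added example, not code posted by any participant in this thread. It scripts the single-OU variant that Mike Kline describes (security filtering on a shared workstation OU) and the accepted answer's steps 1-3 and 6-7 using the ActiveDirectory and GroupPolicy modules, and adds the check a practitioner wants after step 8. All names (contoso.com, OU=Groups, OU=Workstations, the sample user and computer) are assumptions. Two points where it deliberately differs from the post: Set-GPPermission cannot write the Deny ACE of step 6a, so it instead removes Apply from Authenticated Users and grants Apply only to the department's computer group (Authenticated Users keep Read, which workstations need to process the GPO at all); and because the "Allow log on locally" setting replaces the workstation's whole list, the verification function flags the case where BUILTIN\Administrators was not added back alongside the department group.

```powershell
# Added example, not from the original thread. Scripts the groups, GPOs and
# security filtering from the answers above, then verifies the resulting
# "Allow log on locally" (SeInteractiveLogonRight) on a workstation.
# Assumptions: domain contoso.com, OU=Groups and OU=Workstations under it.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$GroupOU       = 'OU=Groups,DC=contoso,DC=com'        # assumption
$WorkstationOU = 'OU=Workstations,DC=contoso,DC=com'  # assumption: every PC in one OU

# Department -> user group / computer group. Add a row per department.
$Departments = @{
    Sales     = @{ Users = 'Sales_Users';     Computers = 'Sales_Computers' }
    Marketing = @{ Users = 'Marketing_Users'; Computers = 'Marketing_Computers' }
}

function New-DepartmentGroups {
    # Step 1: create the global security groups if they do not exist yet.
    foreach ($dept in $Departments.Values) {
        foreach ($name in @($dept.Users, $dept.Computers)) {
            if (-not (Get-ADGroup -Filter "Name -eq '$name'")) {
                New-ADGroup -Name $name -SamAccountName $name -GroupScope Global `
                            -GroupCategory Security -Path $GroupOU
            }
        }
    }
}

function Add-DepartmentMembers {
    # Step 2: populate the groups. Computer accounts are named with a trailing '$'.
    param([string]$Department, [string[]]$Users, [string[]]$Computers)
    Add-ADGroupMember -Identity $Departments[$Department].Users -Members $Users
    Add-ADGroupMember -Identity $Departments[$Department].Computers `
                      -Members ($Computers | ForEach-Object { "$_`$" })
}

function New-LogonGpo {
    # Steps 3, 6 and 7: one GPO per department, linked to the shared workstation
    # OU and filtered so only that department's computer group applies it.
    param([string]$Department)
    $gpoName = "Allow login for $Department"
    if (-not (Get-GPO -Name $gpoName -ErrorAction SilentlyContinue)) {
        New-GPO -Name $gpoName | Out-Null
        New-GPLink -Name $gpoName -Target $WorkstationOU | Out-Null
    }
    # The GroupPolicy module has no Deny permission level, so instead of denying
    # the other department's computers: drop Apply from Authenticated Users
    # (keeping Read) and grant Apply to this department's computers only.
    Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' -TargetType Group `
                     -PermissionLevel GpoRead -Replace | Out-Null
    Set-GPPermission -Name $gpoName -TargetName $Departments[$Department].Computers `
                     -TargetType Group -PermissionLevel GpoApply | Out-Null
    # Steps 4-5 (Computer Configuration > Windows Settings > Security Settings >
    # Local Policies > User Rights Assignment > "Allow log on locally") are set
    # in the GPO editor: add the department's user group AND Administrators,
    # because the GPO value replaces the workstation's whole list.
}

function Get-LocalLogonRight {
    # Step 8 check, run elevated on a workstation after gpupdate /force: export
    # the effective policy and return the principals holding the right.
    $cfg = Join-Path $env:TEMP 'secpol-export.inf'
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $line = Get-Content $cfg | Where-Object { $_ -match '^SeInteractiveLogonRight\s*=' }
    Remove-Item $cfg -Force
    if (-not $line) { return @() }
    foreach ($entry in (($line -split '=', 2)[1] -split ',')) {
        $entry = $entry.Trim()
        if ($entry.StartsWith('*')) {
            # secedit writes SIDs with a leading '*'; translate them to DOMAIN\Name
            $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.Substring(1))
            try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $entry }
        } else { $entry }
    }
}

function Test-AdminLogonPreserved {
    # $false means the GPO wiped Administrators from "Allow log on locally".
    return [bool](Get-LocalLogonRight | Where-Object { $_ -eq 'BUILTIN\Administrators' })
}

# On a domain controller or an admin workstation with RSAT (sample names constructed):
New-DepartmentGroups
Add-DepartmentMembers -Department Sales -Users 'jdoe' -Computers 'SALES-PC01'
New-LogonGpo -Department Sales
New-LogonGpo -Department Marketing
# Then on a Sales workstation, after gpupdate /force:
#   Get-LocalLogonRight; Test-AdminLogonPreserved
```

Keep the Authenticated Users group on each GPO with at least Read; removing it entirely (rather than just its Apply right) leaves workstations unable to read the policy, and the restriction silently never applies.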