[Webinar] Learn how to a build a cloud-first strategyRegister Now

x
?
Solved

Allowing only certain users to login

Posted on 2014-08-07
9
Medium Priority
?
2,023 Views
Last Modified: 2014-09-08
On a Active Directory domain network is there a way to allow just a group of users to login to a specific machine? If so what is the best way? Step by step instructions would be good. Thanks

2008 server with Windows 7 clients
0
Comment
Question by:Thomas N
8 Comments
 
LVL 29

Accepted Solution

by:
becraig earned 1332 total points
ID: 40246336
The easiest solution would be by denying local login to a specific group through secpol.msc

Run (Win key + R)
secpol.msc - Enter
Expand Security settings
Expand local policies
click on user rights assignment
Double click deny logon locally
Add users or groups you want to deny in that box.

Here is an article and step by step on how to do this with group policy:
http://4sysops.com/archives/deny-and-allow-workstation-logons-with-group-policy/
0
 
LVL 23

Assisted Solution

by:Radhakrishnan R
Radhakrishnan R earned 668 total points
ID: 40246359
Hi Thomas,

Yes, you can do this via GPO but you need to do few steps to achieve this.

1) Create a OU and place the computer on this OU.

2) Create a new GPO from (gpmc>>Group policy objects>>Right click and new)>>Right click and edit the newly created GPO>>Computer Configuration>>Policies>>Windows settings>>Security settings>>Local Policies>>User Rights Assignment>>In the right hand side, Access this computer from network>>Add the appropriate users/groups.

Link this GPO to the OU where the computer resides.

Good luck
0
 

Author Comment

by:Thomas N
ID: 40246410
Thanks guys, so if I create a small group and put them in the allow but they are part of the bigger group that I deny will they still be able to login?

For example: Tom is part of the "everyone" group thats denied but I created a small group "IT" and he is part of that group as well that I allow. Will he still be able to login?

I hope that makes sense.
0
Has Powershell sent you back into the Stone Age?

If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone.  For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.

 
LVL 29

Assisted Solution

by:becraig
becraig earned 1332 total points
ID: 40246502
Deny privileges override allow privileges.

Your best bet is instead of tinkering with DENY simply have no-one in allow except the groups you want.
Windows uses the concept of implicit deny so if you have explicit permissions declared and a certain user or group is not in allowed as a part of that action then he or she is automatically denied.
0
 
LVL 20

Expert Comment

by:compdigit44
ID: 40251284
In Active Directory Users and Computer user each user's account you can specify which computers they are allowed to log into.
0
 
LVL 59

Expert Comment

by:LeeTutor
ID: 40306644
I've requested that this question be deleted for the following reason:

Not enough information to confirm an answer.
0
 
LVL 29

Expert Comment

by:becraig
ID: 40306645
is there a way to allow just a group of users to login to a specific machine? If so what is the best way? Step by step instructions would be good
I think the following comments clearly answered the initial question and the follow up questions:
http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/Windows_Server_2008/Q_28492693.html#a40246336

http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/Windows_Server_2008/Q_28492693.html#a40246359


Follow up question:
Thanks guys, so if I create a small group and put them in the allow but they are part of the bigger group that I deny will they still be able to login?

http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/Windows_Server_2008/Q_28492693.html#a40246502
0
 
LVL 5

Expert Comment

by:Netminder
ID: 40311334
Force-accepted to close.

Netminder
Senior Admin
0

Featured Post

Microsoft Certification Exam 74-409

Veeam® is happy to provide the Microsoft community with a study guide prepared by MVP and MCT, Orin Thomas. This guide will take you through each of the exam objectives, helping you to prepare for and pass the examination.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This process allows computer passwords to be managed and secured without using LAPS. This is an improvement on an existing process, enhanced to store password encrypted, instead of clear-text files within SQL
How to deal with a specific error when using the Enable-RemoteMailbox cmdlet to create a mailbox in the cloud-based service, for an existing user in an on-premises Active Directory.
Are you ready to implement Active Directory best practices without reading 300+ pages? You're in luck. In this webinar hosted by Skyport Systems, you gain insight into Microsoft's latest comprehensive guide, with tips on the best and easiest way…
There are cases when e.g. an IT administrator wants to have full access and view into selected mailboxes on Exchange server, directly from his own email account in Outlook or Outlook Web Access. This proves useful when for example administrator want…
Suggested Courses

867 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question