Windows

I'll assume you are running Active Directory. You can limit that particular user to log in only on a particularly assigned computer via log on scripts and Group Policy.

You can block this using port authorisation. The machine will then have to identify itself to the switchport through PEAP or a machine certificate. The switch will then check if the machine has a valid machineaccount in active directory using RADIUS on an ISA server.
Unauthorised machines will not be given network access on the switch.

An even easier way to do that is when you set up the user account in the Active Directory.

As you are inserting the info on your particular client there is an option on the: "Active Directory/User/Properties/Account - in there you'll see a button which says: "initiate session in...". Right there you can lock the user account to only log on into the domain from that specific machine.

Max

Thanks for the replies so far.

I thought I would respond to them all first
Sorry for not posting much background information. I do have a Windows2000 domain. I have a mix of NT and 2k machines in my domain.


Reply (1)
I have over 1000 workstation and 1700 users, not really practical to restrict users to computers.

Even if I wrote a script to export computer names from the domain and imported it to each persons account information, the domain is very dynamtic with new computers being introduced all the time. A better way would be to restrict to OU level, but assuming this could be done I don't this I could apply it beause of the mixed NT/2k environment I have.

Reply (2)
Sounds VERY interesting, need to investigate that more

Reply (3)
Also sounds interesting but I cannot find the "initiate sessions" button ?

I think the person in number (3) is referring to "Log on to.." button. This allows you to specify only the machine that a person is allowed to logon the domain. This you will have to do manually for each person you try to limit access. If you only have a few person you want to restrict then simple job. But if you want to limit for everyone in the domain then it will be tedious. But then again, if you are managing over 1000 clients, you will have at least over 5-10 person doing this. Don't tell me you are alone maintaining 1000 clients. You are not superman you know....

And the next time you create a user account you can then specify exactly the PC he/she can logon.

As far as I know (thinking logically), there is no other way to do this better. The domain server would not know if you are logging in from homePC or office PC if the user gave them the same credentials and if the server does not know which PC is office PC for this user, right?

P/S. i am not suprised if there's other method...anything is possible....

Other things to consider:

1. IP Security. You could deploy a certificate infrastructure and secure all server/client communications to computers with a valid machine certificate. Might be a bit of a headache to start with but it would certainly stop unauthorised access. Win2k server can do this out of the box.
Note: Only administrators can add machine certificates.
2. User policy. There are far more configurable settings with the User Configuration side of group policy, including logon scripts. There is nothing stopping these settings being applied when the user logs on.
3. Secure resources1. You could secure resources (including the ?Access this computer from the network? right) to members of a security group that contains all the authorised computer account objects.
4. Secure resources2. You could secure resources using the Authenticated Users built in group. This would prevent client/client sharing because either the computer or the user would have had to log onto a domain account.
5. Script. You could create a logon script that checks whether or not the computer account exists in Active Directory, if not it simply logs the user off.

HTH,
Tictag.

I think I'm getting nearer an answer from the last person who replied.

I do not wish to rollout a certificate to computers yet. But good option if I had Win2k all round

The option about checking during logon to see if their computer name is in the domain is a good idea. Already have that in place, but as I mentioned in the original question its not them logining into the machine at startup thats my problem. It client to client that of course bypasses the login script process.

However the option about "Restrict access to this computer from...." I did originally look at, however when I browsed through the list to see if I could choose an OU to restrict this right to it did not display any. I have just tried again. But this time I typed in the name of the OU and pressed check. And guess what it found it !!

I will test tommorow, but if that works I've found the answer