Question


How do I restrict who can log onto a particular system?

By engineer.soldier
I have a particular computer on an Active Directory domain and I need to restrict who can log onto it. I have created some Active Directory security groups (example: group 1 is Finance, group 2 is Engineers, etc.). I need to restrict all Authenticated Users from logging onto a particular workstation connected to the network. I need only one particular Active Directory security group to have the ability to log onto this workstation, with their least-privilege accounts (not power user or administrator). Thank you for any assistance/ideas.


All Answers


Group Policy / Log on Locally

by Churdoo In reply to How do I restrict who can ...

I would create an OU to hold this computer account(s), move the computer account(s) to the OU, then create a Group Policy on the OU with the Computer Configuration / Windows Settings / Security Settings / Local Policies / User Rights Assignment / Log on Locally policy modified to allow only the proper security group (plus Domain Admins as a safety).


Reference OU creation

by engineer.soldier In reply to Group Policy / Log on Loc ...

Thank you, great info. Unfortunately my Domain is CONUS wide and I only have control over the Users, Security Groups and Computers in my OU. I do not have Domain permissions to create any new OUs. Several months? back I had requested an additional OU for another project I was working on, but the request was denied (was told that there were already too many OUs in the CONUS wide Forest). I will try to request another OU and see what happens. If anyone else has additional ideas I would appreciate their feedback.


Check this

by vsharma In reply to How do I restrict who can ...

Hi,

Open DSA.msc (from Run), right-click on the domain name, go to New and make an organizational unit; name it, say, vj. Then click on the domain; here you will see all the computers which you have added to your domain. Go to the particular computer on which you want to give access to a particular group and move it to the vj OU. Then right-click on the vj OU and go to Properties, now go to the Group Policy tab, make a new GPO and then edit it.
Go to Windows Settings\Security Settings\Local Policies\User Rights Assignment\; in the right pane you will see a policy (the first policy), Access this computer from the network. Add the particular group you want to add to this, which will enable it to run that particular computer which you have added in the vj OU.

I think it will definitely help you.

If you have any concern or any issue you can contact me.


Question

by DrewDizzle In reply to Check this

So I have the same issue. I made the OU and added a few computers. I created the GP and added the user group that I want to have access to this computer. Maybe I am not giving enough time for the GP to update, but I can use a non-privileged user account to get right in. I have done a GPUPDATE and it still seems to not have any effect.

Check effective

by shasca In reply to Question

What does GPRESULT show as the effective policies at the workstation in question? Check and adjust from that point on.

Asking your own question isn't that hard. You don't need to recycle a 2-year-old.


OK

by DrewDizzle In reply to check affective

Well not to be harsh..

But what the **** does it matter how old the original question was? I did a search for the answer I was looking for, and this seemed to be it. I replied to it because it looked like it should work, but it wasn't.

Who are you to bag on me for doing what I did?

Thanks for the helpful replies, but why don't you get off your high horse for a while there, guy...


There IS another reason

by IC-IT In reply to OK

to start your own question.
As you pointed out, the previous answers to the OP's (Original Poster's) question were apparently not helpful.
If you received a (new) helpful answer in your own thread, you could mark it as helpful to assist another looking for help.

There is no need for thin skin here. ;-)
By the way, was my answer helpful to you?


Yes

by DrewDizzle In reply to There IS another reason

Actually yes, your answer did help. I found the "ALLOW local login" and the "DENY local login". Both are exactly what I was looking for.

Thanks for the help on that. I don't mean to get all pissy, I just didn't think it was necessary for Shasca to say what he did.


Do it this way

by IC-IT In reply to Question

One GPO to deny local logon to all but admins and the user group.

Open the GPO linked to the OU that contains the computers in question.
Open the COMPUTER configuration / Windows Settings / Security Settings / Local Policies / User Rights Assignment.
Here find the key "Log on Locally".
This is the one you want!
Edit it.
In its window, check "Define this Policy" and then click on the "Add user or group" button. Add the users and groups that you want to be able to log on interactively (that means at the machine). Make sure you include the Administrators group. This will be the admins for the local machine. It does not work without it.

Then if you want those users to only log on to that group of computers:
Open the admin tool AD Computers and Users.
Navigate to the affected Users Group, right-click and select Properties.
Select the Account tab and then the Logon to button.
Add only the computer names that they will be allowed to log on to.

Sometimes it does take a second logon or gpupdate /force to enact the GPO.

Edited due to minor brain flatulation
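
To confirm which accounts actually hold the logon rights discussed in this thread, the workstation's exported user-rights policy can be checked directly. The following is an added example, not code from any poster: it parses a `secedit` user-rights export and compares `SeInteractiveLogonRight` (the "Log on Locally" right) with the SIDs that are meant to hold it. The sample export, the function names and the group SID ending in -1105 are constructed for illustration.

```powershell
# Added example. On the workstation, from an elevated prompt, produce the input with:
#   secedit /export /cfg C:\Temp\rights.inf /areas USER_RIGHTS
#   $inf = Get-Content C:\Temp\rights.inf
# Constructed sample export; the domain SID ending in -1105 is a placeholder group.
$inf = @'
[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544,*S-1-5-32-545
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545,*S-1-5-21-1111111111-2222222222-3333333333-1105
SeDenyInteractiveLogonRight = *S-1-5-32-546
'@ -split "`r?`n"

function Get-LogonRight {
    # Parse the [Privilege Rights] section into right name -> list of SIDs/names.
    param([string[]]$InfLines)
    $rights = @{}
    $inSection = $false
    foreach ($line in $InfLines) {
        if ($line -match '^\s*\[(.+)\]\s*$') {
            $inSection = ($Matches[1] -eq 'Privilege Rights')
        } elseif ($inSection -and $line -match '^\s*(\w+)\s*=\s*(.*)$') {
            $name = $Matches[1]
            $rights[$name] = @($Matches[2] -split ',' |
                ForEach-Object { $_.Trim().TrimStart('*') } |
                Where-Object { $_ })
        }
    }
    $rights
}

function Test-LocalLogonRestriction {
    # Compare "Allow log on locally" against the SIDs that are supposed to hold it.
    param([hashtable]$Rights, [string[]]$AllowedSids)
    $allow = @($Rights['SeInteractiveLogonRight'] | Where-Object { $_ })
    [pscustomobject]@{
        Unexpected = @($allow | Where-Object { $AllowedSids -notcontains $_ })
        Missing    = @($AllowedSids | Where-Object { $allow -notcontains $_ })
        DenyList   = @($Rights['SeDenyInteractiveLogonRight'] | Where-Object { $_ })
    }
}

# Intended holders: BUILTIN\Administrators plus the one permitted group (placeholder SID).
$allowed = 'S-1-5-32-544', 'S-1-5-21-1111111111-2222222222-3333333333-1105'
$result  = Test-LocalLogonRestriction -Rights (Get-LogonRight $inf) -AllowedSids $allowed
$result | Format-List
```

Any SID listed under `Unexpected` can still log on at the console; in the constructed sample that is S-1-5-32-545 (BUILTIN\Users). `SeNetworkLogonRight` is the separate "Access this computer from the network" right and is not consulted for console logon.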


Simple...but works

by NormH3 In reply to How do I restrict who can ...

I have this same scenario at a client site where I found some people logging in where we didn't want them to. In XP, change the security permissions of "Documents and Settings" to only include users that you want to use the PC. Make sure you remove any previously created profiles of those you want to prohibit. The same can be done in Vista by changing permissions of the "Users" folder.
