General discussion

Locked

Preventing

By philldmc ·
I want to be able to prevent a "Group" in my Active Directory, "Student", from being able to use their log in ID and password to log on to Teachers or administration computer systems.

Is there a way to set this up?

I have 15 lab systems that Iwant to allow the students to log into but how do I lock the other 30 computers on campus from student access. But still allow teachers and admin to freely use the computers?

This conversation is currently closed to new comments.

11 total posts (Page 1 of 2)   01 | 02   Next
| Thread display: Collapse - | Expand +

All Comments

Collapse -

Preventing

by philldmc In reply to Preventing

Running W2K Domain with SP3, the Admin computers are XP Pro and the teacher computers are Win9x. The computer lab is WinME.

Collapse -

Preventing

by Mike Mullins In reply to Preventing

If you haven't done so already. Create a Domain Group called "Students" (name is up to you) add the students to this group.

Then under Local Security Settings\Local Policies\User Rights Assignment policy of the machines you don't want them on. Add that Group to the Deny Logon Locally setting.

This will prevent them from logging on locally. You can do this one machine at a time or via policy.

Good Luck,
0bytes

Collapse -

Preventing

by philldmc In reply to Preventing

I am unable to find the Local Security Settings\Local Policies\User Rights Assignment policy on the clients. I also looked under the Computers in the Active Directory and that really didn't help much.

Collapse -

Preventing

by Mike Mullins In reply to Preventing

Settings > Control Panel > Administrative Tools > Local Security Policy or you can use the usrmgr.exe from WINNT: USRMGR.EXE \\computername

0Bytes

Collapse -

Preventing

by philldmc In reply to Preventing

Poster rated this answer

Collapse -

Preventing

by CG IT In reply to Preventing

Both answers #1 and #2 are correct [#1 tells you a simple, easy way to prevent unwanted users from accessing those computers you don't wan them to. #2 really is telling you how to find the local security policies to do what answer #1 suggested.

Collapse -

Preventing

by CG IT In reply to Preventing

I believe answer # 1 assumes that your familiar with using Active Directory and the network admin is conversant with creating group policy to restrict or allow access to network resources for a particular set of users. If not, Microsoft has 260 pageActive Directory operations guide,[split up into two parts] for those not familiar with the ins and outs of using AD. The Windows Resource kit team published it and can be found at: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/ad/windows2000/downloads/adopsgd.asp

It's a comprehensive Guide to using Active Directory.

Collapse -

Preventing

by philldmc In reply to Preventing

Poster rated this answer

Collapse -

Preventing

by Kinetechs In reply to Preventing

Hello!
My suggestion involves using GPOs and OUs in AD.

1) On a Domain Controller, Create two OUs (Organization Units), one for StudentComputers and the other for TeacherComputers.
2) Move the lab PCs into the StudentComputers OU and the 30 other PCs into the TeacherComputers OU.
3) Now, right-click the TeacherComputers OU and select Properties...then the Group Policy tab.
4) Next you'll create a new Group Policy will be linked to this OU. Do this by navigating down the new GP to COMPUTER CONFIGURATION\WINDOWS SETTINGS\SECURITY SETTINGS\LOCAL POLICIES\USER RIGHTS ASSIGNMENT.
5) Double-click the entry for LOG ON LOCALLY. This will open a new window for configuration.
6) Make sure to remove only the USERS group from this setting.Add the individual groups who should have access to the PCs (e.g. teachers, admins, etc.).

If these steps are followed, it will work as requested.

Cheers!
~Sean

Collapse -

Preventing

by philldmc In reply to Preventing

Poster rated this answer

Back to Windows Forum
11 total posts (Page 1 of 2)   01 | 02   Next

Related Discussions

Related Forums