Access restriction for domain user

Discussion in 'Server Security' started by Simon, Sep 6, 2004.

  1. Simon

    Simon Guest

    I want to set up an access restriction for W2K and W2003 domain users.
    Some users are only allowed to log on to the domain from a certain PC.
    Is it possible to specify an IP address or MAC address somewhere in the user
    profile?
    Or are there any ways to be able to manage this?

    Any advice would be appreciated.

    Simon
     
    Simon, Sep 6, 2004
    #1

  2. Simon

    Miha Pihler Guest

    Hi Simon,

    There are two settings in Group or Local Policy that should help you out.
    This will keep users away from a computer based on the user's permissions and
    on the computer's policy settings. Set this policy at the level that suits you
    best (e.g. OU level).

    Create a new policy (or edit an existing one) and go to Computer Settings ->
    Windows Settings -> Security Settings -> Local Policies -> User Rights
    Assignment.

    Here look for the policies "Log on Locally" and "Deny Log on Locally". You can
    add your users that may only log on from certain computers on the majority of
    servers to "Deny Log on Locally" (to make it easier, create a group and add
    the group to the policy while you add your users to this group).

    Now your users will only be able to log on to the domain from computers that
    don't have this policy applied.

    When creating the policy, make sure you don't lock yourself out.

    Mike
     
    Miha Pihler, Sep 6, 2004
    #2

  3. You could also set the user account property in Active Directory Users and
    Computers to only allow logon to specific computer(s). This does not test
    the OS of the computers you specify though.
     
    Tim Springston [MS], Sep 8, 2004
    #3
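
The account-level restriction described in post #3 (the "Log On To..." list on the Account tab of the user's properties, stored in the userWorkstations attribute) can also be applied and audited from PowerShell. This is an added example, not part of any post in this thread; it assumes the ActiveDirectory RSAT module, and the group name RestrictedLogon and computer name PC-ACCT-01 are placeholders.

```powershell
#Requires -Modules ActiveDirectory
# Added example: restrict every user in a group to a fixed list of computers.
# Run with -WhatIf first to preview the changes without writing anything.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]   $GroupName        = 'RestrictedLogon',   # placeholder group name
    [string[]] $AllowedComputers = @('PC-ACCT-01')      # placeholder computer names
)

# A typo in a computer name would leave the user unable to log on anywhere,
# so confirm each name matches a computer account before writing it.
foreach ($name in $AllowedComputers) {
    if (-not (Get-ADComputer -Filter "Name -eq '$name'")) {
        throw "Computer account '$name' not found in the domain."
    }
}

# userWorkstations holds a comma-separated list of computer names.
$value = $AllowedComputers -join ','

$members = Get-ADGroupMember -Identity $GroupName -Recursive |
    Where-Object objectClass -eq 'user'

foreach ($m in $members) {
    $user = Get-ADUser -Identity $m.distinguishedName -Properties LogonWorkstations

    # Lockout guard: never restrict the account that is running this script.
    if ($user.SamAccountName -eq $env:USERNAME) {
        Write-Warning "Skipping $($user.SamAccountName): account running the script."
        continue
    }

    # Already set to the wanted value: nothing to do.
    if ($user.LogonWorkstations -eq $value) { continue }

    if ($PSCmdlet.ShouldProcess($user.SamAccountName, "Set LogonWorkstations to '$value'")) {
        Set-ADUser -Identity $user -LogonWorkstations $value
    }
}

# Audit: list every account in the domain that carries a workstation restriction.
Get-ADUser -LDAPFilter '(userWorkstations=*)' -Properties LogonWorkstations |
    Select-Object SamAccountName, LogonWorkstations |
    Sort-Object SamAccountName
```
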
  4. Simon

    Miha Pihler Guest

    Hi Tim,

    If I am not mistaken, this would require the NetBIOS protocol, which is not
    installed by default on Windows 2003. Would enabling NetBT also do?

    Mike
     
    Miha Pihler, Sep 8, 2004
    #4
  5. microsoft.public.windows.server.security news group, Miha Pihler <mihap-> says...
    NetBIOS is not a protocol, you're thinking of NetBEUI, and NetBEUI is
    not required for the workstation restriction in account properties.
    NetBIOS is, and unless it has been disabled, it is already present.
     
    Paul Adare - MVP - Microsoft Virtual PC, Sep 8, 2004
    #5
  6. Simon

    Miha Pihler Guest

    Yup, my bad ... :). Thanks for the help.

    Mike

     
    Miha Pihler, Sep 8, 2004
    #6
  7. Simon

    Simon Guest

    Thanks for your advice.
    I have checked the user account property in Active Directory Users and
    Computers.
    But I cannot find the items concerned.
    Could you please explain in more detail?

    Simon
     
    Simon, Sep 9, 2004
    #7
  8. Simon

    Miha Pihler Guest

    Miha Pihler, Sep 9, 2004
    #8
  9. Simon

    Simon Guest

    Thanks for your help!

    Simon
     
    Simon, Sep 12, 2004
    #9