Blocking log-ons to specific computers by specific users

Discussion in 'Active Directory' started by JR Raith, Apr 22, 2009.

  1. JR Raith

    JR Raith Guest

    Hi Again,

    I've been pulling my hair out trying to get a GPO going to block
    specific users from logging in to specific computers, but it just
    doesn't seem to be working. It's a 2003 Server and workstations ranging
    from Win98 to WinXP.

    I've been testing mostly on a Win2k client as that should work most easily.

    It seems ridiculous that I would have to add in every single group to
    the "Deny Local Log-on" policy... I also seem to have trouble figuring
    out where or how to apply a policy to a specific computer.

    Ideally, I'd like to say "Users in Group A are allowed to log on to
    Computer 1; all other users are denied." I'd hate to have to add more
    than a dozen groups or so to the Deny List before setting this up for
    all of the various computers became really, really tedious... Is there a
    better way?

    Thanks and sorry for the newbie question.
    J.R.
     
    JR Raith, Apr 22, 2009
    #1

  2. Hello JR Raith,

    You can go to the user's properties, Account tab, "Log On To", and then
    specify the computer(s) that you want the user to use.

    Second question: to apply policies to specific computer(s), you will have
    to put them in a specified OU and then apply policies to the OU.
     
    Isaac Oben [MCITP,MCSE], Apr 22, 2009
    #2

  3. Marcin

    Marcin Guest

    JR,
    this seems to be a popular topic lately - check a similar post from Kim
    dated 4/21.
    In essence, Isaac's advice (and others from the previous post) is likely the
    most efficient approach - although it is intended for scenarios where you
    want to limit number of computers that individual users can use to log on
    interactively - which might not be necessarily what you are trying to
    accomplish.
    If this happens to be the case, you could consider utilizing the "Allow
    log on locally" user right (rather than "Deny log on locally") by limiting it
    to a designated non-privileged group (GroupA in your example) for target
    computers. As I have mentioned earlier, you should review
    http://support.microsoft.com/kb/823659 regarding potential implications -
    and test before applying this change in production. Note though that using
    this method on per-computer basis still introduces considerable management
    overhead (security group filtering plus having a large number of GPOs) - so
    this approach would be more appropriate if you have designated groups of
    computers with groups of users assigned to each...

    hth
    Marcin
     
    Marcin, Apr 23, 2009
    #3
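Marcin's advice above is to restrict "Allow log on locally" to GroupA and to test before rolling it out. The following is an added example, not code from the thread or any of its posters: a PowerShell check to run on a target workstation (after `gpupdate /force`) that exports the effective user-rights assignments with `secedit`, resolves the SIDs, and flags the two mistakes that lock people out of the machine. The group name `CONTOSO\GroupA` and the temporary file path are assumptions.

```powershell
# Added example (not from the thread): verify the effective "Allow log on locally"
# (SeInteractiveLogonRight) and "Deny log on locally" (SeDenyInteractiveLogonRight)
# assignments on this computer. Run from an elevated prompt on the target machine.
# 'CONTOSO\GroupA' is a placeholder for the group that should be allowed.
$ExpectedGroup = 'CONTOSO\GroupA'
$Inf = Join-Path $env:TEMP 'rights.inf'

# secedit writes the policy as an INI-style, UTF-16 file whose [Privilege Rights]
# section lists each right as:  SeXxx = *S-1-5-..,*S-1-5-..  (SIDs with a leading '*').
secedit /export /cfg $Inf /areas USER_RIGHTS | Out-Null
$lines = Get-Content -Path $Inf -Encoding Unicode
Remove-Item $Inf

function Resolve-Sid([string]$sid) {
    # Translate a SID to DOMAIN\Name; an unresolvable entry (e.g. a deleted group,
    # or an entry that is already a name) is returned unchanged.
    try { (New-Object System.Security.Principal.SecurityIdentifier $sid).Translate([System.Security.Principal.NTAccount]).Value }
    catch { $sid }
}

$rights = @{}
foreach ($line in $lines) {
    if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
        $rights[$matches[1]] = @($matches[2] -split ',' | ForEach-Object { Resolve-Sid ($_.Trim().TrimStart('*')) })
    }
}

$allow = $rights['SeInteractiveLogonRight']
$deny  = $rights['SeDenyInteractiveLogonRight']
"Allow log on locally : " + ($allow -join ', ')
"Deny log on locally  : " + ($deny  -join ', ')

# The checks a practitioner wants before leaving the console:
if ($allow -notcontains $ExpectedGroup) {
    Write-Warning "$ExpectedGroup is not in 'Allow log on locally'; its members will be refused at the console"
}
if ($allow -notcontains 'BUILTIN\Administrators') {
    Write-Warning "Administrators is no longer in 'Allow log on locally'; local admin logon will be refused"
}
if ($deny -contains $ExpectedGroup) {
    Write-Warning "$ExpectedGroup is also in 'Deny log on locally'; the deny takes precedence"
}
```

Keep BUILTIN\Administrators (and, on a machine you manage remotely, any service account that must log on) in the allow list alongside GroupA; replacing the default list wholesale rather than adding to it is the usual cause of the lockouts the KB article warns about.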
  4. Marcin

    Marcin Guest

    JR - one more remark - keep in mind that group policies do not apply to
    Windows 98 systems - which actually is another argument for using the method
    recommended by Isaac.

    hth
    Marcin
     
    Marcin, Apr 23, 2009
    #4
  5. Hello JR,

    Use "Log On To" on the user account properties Account tab. For Windows
    98 machines GPOs will not work. I would start to get rid of them.

    Best regards

    Meinolf Weber
     
    Meinolf Weber [MVP-DS], Apr 26, 2009
    #5
  6. JR Raith

    JR Raith Guest

    Thanks for the help, Marcin et al.

    The ideal scenario would be to create a group which would itself be
    allowed access to log on to specific machines. Then we could add and
    remove users from that group at-will and not have to set policies on an
    individual account basis.

    I found the Logon To dialog for users, but there doesn't seem to be
    something similar for groups. I guess this is where "put the computers
    into an OU and apply policies to that OU" comes in to play...

    Am I just going about this the wrong way?

    We do want to limit the computers that people can log on to, but
    anything more than a couple of dozen users makes setting the Logon To
    dialog annoying. There are only about 15 computers and this number
    rarely changes, so the overhead of GPO maintenance is pretty low, I
    think. We don't need to change many settings... mainly logon to protect
    the instruments that the computers control.

    Thanks again for your help, everyone.
    J.R.
     
    JR Raith, May 5, 2009
    #6
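Isaac's "Log On To" setting (post #2) is a per-user attribute, and JR's post above asks for a way to manage it per group instead. As an added example that is not code from the thread or its posters, the PowerShell below derives each user's "Log On To" list from a group-to-computer mapping, so adding or removing a user from the group is all that has to change. It assumes the ActiveDirectory module (which ships with Windows Server 2008 R2 and later RSAT, i.e. newer tooling than the 2003 domain in the thread) and that the group and computer names in `$Mapping` exist; they are placeholders.

```powershell
# Added example (not from the thread): set the "Log On To" list (the
# LogonWorkstations / userWorkstations attribute) for every member of each group
# from one mapping of group -> NetBIOS computer names. Requires the ActiveDirectory
# module; group and computer names below are placeholders.
Import-Module ActiveDirectory

# Hypothetical mapping: which computers the members of each group may log on to.
$Mapping = @{
    'Instrument-Lab-A' = @('LAB-PC01', 'LAB-PC02')
    'Instrument-Lab-B' = @('LAB-PC03')
}

# A user in several groups gets the union of their computers.
$Allowed = @{}
foreach ($group in $Mapping.Keys) {
    $members = Get-ADGroupMember -Identity $group -Recursive | Where-Object { $_.objectClass -eq 'user' }
    foreach ($member in $members) {
        $sam = $member.SamAccountName
        if (-not $Allowed.ContainsKey($sam)) { $Allowed[$sam] = @() }
        $Allowed[$sam] += $Mapping[$group]
    }
}

foreach ($sam in $Allowed.Keys) {
    $list = @($Allowed[$sam] | Sort-Object -Unique)
    # The "Log On To" dialog accepts at most 64 names; refuse rather than silently truncate.
    if ($list.Count -gt 64) {
        Write-Warning "$sam would be granted $($list.Count) workstations (limit 64); skipped"
        continue
    }
    $value   = $list -join ','
    $current = (Get-ADUser -Identity $sam -Properties LogonWorkstations).LogonWorkstations
    if ($current -ne $value) {
        Set-ADUser -Identity $sam -LogonWorkstations $value
        Write-Host "$sam : '$current' -> '$value'"
    }
}
```

Two things to keep in mind when running it on a schedule: a user removed from every group keeps whatever list was last written (clear it with `Set-ADUser -Identity <user> -LogonWorkstations $null` if the intent is "no restriction"), and the domain controller enforces this attribute from the workstation name the client presents at logon, so treat it as the administrative control the thread is after rather than a hardening boundary.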
