Prevent all users from any other OUs from logging into Special OU

Discussion in 'Active Directory' started by ejweston, Nov 28, 2006.

  1. ejweston

    ejweston Guest

    Environment:
    AD on 2003
    Multiple OUs
    Of special note: Special XP workstations and users are in the same OU
    ("SpecialOU").

    *******
    How can I prevent all users from any other OUs from logging into
    workstations in OU "SpecialOU"?
    *******

    (For Intellectual Property reasons, I cannot allow users that are not in OU
    "SpecialOU" to log into "SpecialOU" workstations.)

    Needless to say, I'm looking for the simplest solution possible and one that
    will not need continuous modifications as users or workstations are added.

    I don’t mind 3rd party solutions as long as easy to manage and centrally
    managed.

    Please be as specific as you can in suggested courses of action. I do not
    have a high level of AD or group pol expertise.

    Thank you for your time.
     
    ejweston, Nov 28, 2006
    #1
    1. Advertisements

  2. Off the top of my head, create and link a GPO to "SpecialOU". Within that OU
    assign the "Access this computer from the network" and "Log on locally"
    rights to only the users/groups who should be permitted to do so, removing
    "Everyone", "Authenticated Users" and the like.

    HTH

    --
    Laura E. Hunter
    Microsoft MVP: Windows Server - Networking
    Author: _Active Directory Consultant's Field Guide_
    (http://tinyurl.com/7f8ll)
    Author: _Active Directory Cookbook, Second Edition_
    (http://tinyurl.com/z7svl)

    Responses provided as-is; no warranties expressed or implied
     
    Laura E. Hunter [MVP], Nov 28, 2006
    #2
    1. Advertisements

  3. ejweston

    ejweston Guest

    Laura,
    So far that is the best option I have heard. However, I was told by a
    technician that removing "Everyone" and "Authenticated Users" can cause
    problems with how some software operates. Are you aware of that being an
    issue?

    Thank you for your time,
     
    ejweston, Nov 28, 2006
    #3
  4. Authenticated Users isn't in there. EVERYONE, Users, Power Users, Backup
    Operators, ASPNET and Administrators are what's in there by default. That
    might break software that is doing something stupid like using null
    sessions, or is running as the computer and not the user, or something
    equally silly. Generally any application launched from the shell is running
    under your context. Thus, the desired effect is enforced - some users get
    access others don't.

    End result is this is something that will need to be tested properly before
    implementing widely in production.
     
    Paul Williams [MVP], Nov 28, 2006
    #4
  5. ejweston

    Jorge Silva Guest

    Hi
    If your only concern is to deny logon locally, you can configure the "Deny
    Log on locally" security option and that would by enough for denying a
    specific group to logon into a machine or a group of machines.

    Note that you have the options "Log on locally" and ""Deny Log on locally",
    Deny Log on locally option replaces the "Log on locally" in case of conflict
    settings.
    Another important aspect to consider is the OU structure, because if some
    user changes from location you would need to change its group membership
    accordingly, assuming that you want to do this with group membership.
    --
    *************************************************
    I hope that the information above helps you
    Good Luck

    Jorge Silva

    MCSA + Exchange + MSCE
    *************************************************
     
    Jorge Silva, Nov 29, 2006
    #5
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.