Re: Restrict computers user in an OU or Group can log on to

From: JeffJ (JeffJ_at_discussions.microsoft.com)
Date: 08/23/04


Date: Mon, 23 Aug 2004 08:13:48 -0700

Thanks for your reply, but I don't think overriding all local policies for
Deny Logon Local seems to be a very good idea. XP machines all have local
guest, support, and ASPNET accounts disabled by default. Other software
may be adding to this also. With over 1500 computers I don't feel like
checking them all :-( If local policies were not already being used this
would seem the logical method, as I stated at first in paragraph 3, but with
Microsoft now adding so much stuff to this right out of the box I'm very
apprehensive to override it. Before XP and .NET there didn't use to be
anything in here from local policy, but now Microsoft is using it. Giving
ASPNET access again would be a violation of what Microsoft is trying to do in
this case.

I'm still leaning towards an ADSI script to add all computers in one OU to the
"Log on To" workstations list of all users in another OU.

Anyone have this script or a better method, or a convincing argument for the
group policy method both Steven and I have thought of?

"Steven L Umbach" wrote:

> User rights are strictly computer policy. If you want to restrict users to log on to
> a certain group of computers, put those computers in an OU, create a GPO for that OU
> and add the global group for those users to the logon locally user right [along with
> administrators and other allowed users]. Then at the domain level and/or other OUs
> add that global group to the deny logon locally user right in the GPOs. Group Policy
> is applied in this order - local>site>domain>OU, where the last applied policy is the
> effective policy if settings are defined at multiple levels. I would not worry about
> overriding local policy. It will be much easier to manage policy at domain/OU
> level. --- Steve
>
>
> "JeffJ" <JeffJ@discussions.microsoft.com> wrote in message
> news:F4F41598-0B08-41D1-AA8F-2C116E1CD872@microsoft.com...
> > I'm looking for a method to restrict what computers a set of users can log on
> > to.
> > The problems I see are this: if I use Account "Log on to..." in Active
> > Directory the maintenance will be quite extreme, as I will have quite a few
> > users in this group and the machines I do want them to sign on to are a
> > load-balancing cluster via thin clients with a fairly dynamic number of
> > machines in the cluster, as we seem to be constantly adding new machines.
> >
> > If I use Deny Logon Locally in Group Policy and then apply it to the entire domain,
> > stopping inheritance in the OU that has the machines to connect to, it overrides all
> > local Deny Logon Locally settings in local policies, which seems to be a very bad idea.
> >
> > I think what is really needed is a loopback for the Computer portion, not just
> > the User portion of Group Policy, or Merge instead of Replace in Group Policy, or
> > "Log on to" in the User part of Group Policy, or something.
> >
> > I'm kind of guessing we will have to script with "Log on to", but want to
> > know if there is a better answer.
> >
> > Thanks,
> >
> > JeffJ
> >
>
>
>
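The "Log on To" script Jeff describes, as an added example that is not from the thread: it uses PowerShell with the ActiveDirectory module (RSAT) instead of a VBScript/ADSI script, and the two OU distinguished names are placeholders to replace with your own.

```powershell
# Added example, not from the original thread. Assumes the ActiveDirectory
# module is installed and the two OU paths below are replaced with real ones.
Import-Module ActiveDirectory

$computerOU = 'OU=ClusterNodes,DC=example,DC=com'     # placeholder
$userOU     = 'OU=ThinClientUsers,DC=example,DC=com'  # placeholder

# Collect the name of every computer object under the cluster OU.
# The Name property is the machine name without the trailing "$".
$allowed = Get-ADComputer -Filter * -SearchBase $computerOU |
           Select-Object -ExpandProperty Name |
           Sort-Object

# An empty LogonWorkstations value means "may log on to ANY computer",
# so a typo in the OU path must never be allowed to silently lift the restriction.
if (-not $allowed) {
    throw "No computers found under $computerOU; refusing to write an empty list."
}

# The attribute stores one comma-separated string; Set-ADUser replaces the
# whole list, so any entries added by hand in the GUI are overwritten.
$newValue = $allowed -join ','

Get-ADUser -Filter * -SearchBase $userOU -Properties LogonWorkstations |
    ForEach-Object {
        # Only touch users whose list differs from the current cluster membership.
        if ($_.LogonWorkstations -ne $newValue) {
            Write-Host "Updating $($_.SamAccountName) -> $newValue"
            # -WhatIf makes this a dry run; remove it once the output looks right.
            Set-ADUser -Identity $_ -LogonWorkstations $newValue -WhatIf
        }
    }
```

Because the list is static once written, re-run this (for example from a scheduled task) whenever a node is added to or removed from the cluster OU.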


