Re: Restrict computers user in an OU or Group can log on to
From: Steven L Umbach (n9rou_at_n0-spam-for-me-comcast.net)
Date: Mon, 23 Aug 2004 17:25:19 GMT
If you don't want to overwrite local policy for user rights, look into using the
Resource Kit tool ntrights for "SeDenyInteractiveLogonRight" for your group, which
you could try as a startup script for computers in an OU to add to the existing
defined settings in local policy. The link below explains ntrights more, and keep in
mind that the right you specify is case sensitive. --- Steve
[ ntrights +r SeDenyInteractiveLogonRight -u "mydomain\mygroup" ] would be worth a
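As an added example (not part of Steve's post, and not a Microsoft tool), here is what that startup script could look like in PowerShell. It makes the ntrights call idempotent by first exporting the local user-rights assignment with secedit and checking whether the group's SID is already on the right, and it appends (+r) rather than replaces, so the local entries for guest, support and ASPNET that the thread is worried about stay in place. The group name, the log path and the assumption that ntrights.exe is on the PATH of the computer account are placeholders.

```powershell
# Added example: idempotent startup script that appends a domain group to
# SeDenyInteractiveLogonRight using the Resource Kit ntrights tool.
# Assumptions (placeholders, not from the thread): ntrights.exe is on the PATH
# of the computer account, and $Group is a real domain global group.
$Group = 'MYDOMAIN\NoInteractiveLogon'      # placeholder group name
$Right = 'SeDenyInteractiveLogonRight'     # spelling and case matter, as the post notes
$Log   = Join-Path $env:SystemRoot 'Temp\deny-logon-startup.log'

function Write-Log([string]$Message) {
    "$(Get-Date -Format s) $Message" | Out-File -FilePath $Log -Append -Encoding ascii
}

# Resolve the group to its SID; secedit exports rights as lists of *SID entries.
try {
    $Sid = (New-Object System.Security.Principal.NTAccount($Group)).Translate(
               [System.Security.Principal.SecurityIdentifier]).Value
} catch {
    Write-Log "Cannot resolve $Group to a SID: $_"
    exit 1
}

# Export only the USER_RIGHTS area of the current local policy and look for our right.
$Cfg = Join-Path $env:TEMP 'rights.inf'
secedit /export /cfg $Cfg /areas USER_RIGHTS /quiet | Out-Null
$Line = Get-Content $Cfg | Where-Object { $_ -match "^$Right\s*=" } | Select-Object -First 1
Remove-Item $Cfg -ErrorAction SilentlyContinue

if ($Line -and $Line -match [regex]::Escape("*$Sid")) {
    Write-Log "$Group already holds $Right; nothing to do."
    exit 0
}

# +r appends to the existing assignment; the pre-existing local entries survive.
& ntrights.exe +r $Right -u $Group
if ($LASTEXITCODE -ne 0) {
    Write-Log "ntrights failed with exit code $LASTEXITCODE while adding $Group."
    exit $LASTEXITCODE
}
Write-Log "Added $Group to $Right."
```

The log is there so you can confirm from a sample of the 1500 machines that the right was added exactly once; a second run after the first logs "nothing to do" and exits without calling ntrights.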
"JeffJ" <JeffJ@discussions.microsoft.com> wrote in message
> Thanks for your reply, but I don't think overriding all local policies for
> Deny Logon Local seems to be a very good idea. XP machines all have local
> guest, support, and ASPNET accounts disabled by default. Other software
> may be adding to this also. With over 1500 computers I don't feel like
> checking them all :-( If local policies were not already being used, this
> would seem the logical method, as I stated at first in paragraph 3, but with
> Microsoft now adding so much stuff to this right out of the box I'm very
> apprehensive to override it. Before XP and .NET there didn't use to be
> anything in here from local policy, but now Microsoft is using it. Giving
> ASPNET access again would be a violation of what Microsoft is trying to do in
> this case.
> I'm still leaning towards an ADSI script to add all computers in one OU to all
> users in another OU's "Log on To" workstations.
> Anyone have this script or a better method, or a convincing argument for the
> group policy method both Steven and I have thought of?
> "Steven L Umbach" wrote:
>> User rights are strictly computer policy. If you want to restrict users to log on to
>> a certain group of computers, put those computers in an OU, create a GPO for that OU,
>> and add the global group for those users to the logon locally user right [along with
>> administrators and other allowed users]. Then at the domain level and/or other levels,
>> add that global group to the deny logon locally user right in the GPOs. Group policy
>> is applied in this order - local>site>domain>OU, where the last applied policy is the
>> effective policy if settings are defined at multiple levels. I would not worry about
>> overriding local policy. It will be much easier to manage policy at the domain/OU
>> level. --- Steve
>> "JeffJ" <JeffJ@discussions.microsoft.com> wrote in message
>> > I'm looking for a method to restrict what computers a set of users can log on
>> > to.
>> > The problems I see are these: if I use Account "Log on to" in Active
>> > Directory, the maintenance will be quite extreme, as I will have quite a few
>> > users in this group and the machines I do want them to sign on to are a
>> > load-balancing cluster via thin clients with a fairly dynamic number of
>> > machines in the cluster, as we seem to be constantly adding new machines.
>> > If I use Deny Logon Locally in Group policy and then apply it to the entire domain,
>> > stopping inheritance in the OU that has the machines to connect to, it overrides all
>> > local Deny Logon Locally in local policies, which seems to be a very bad idea.
>> > I think what is really needed is a Loopback for the Computer portion, not just
>> > the User portion, of Group Policy, or Merge instead of replace on Group Policy, or Log on
>> > to in the User part of Group policy or something.
>> > I'm kind of guessing we will have to script with "Log on to", but want to
>> > know if there is a better answer.
>> > Thanks,
>> > JeffJ
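The ADSI script JeffJ asks for, as an added example that is not from anyone in the thread: it reads the computer names from one OU, joins them into the comma-separated NetBIOS list that the userWorkstations attribute (the "Log on To" list in Active Directory Users and Computers) stores, and writes that list to every user in a second OU, skipping users who are already in sync. It runs in a dry-run mode by default. The two OU distinguished names are placeholders; the script assumes only .NET's System.DirectoryServices, not the ActiveDirectory module.

```powershell
# Added example: keep each user's "Log on To" list (userWorkstations) equal to the
# set of computers in a cluster OU. Placeholders, not from the thread: the two OU paths.
$ComputerOU = 'LDAP://OU=ThinClientCluster,DC=example,DC=com'
$UserOU     = 'LDAP://OU=ClusterUsers,DC=example,DC=com'
$WhatIf     = $true   # set to $false to actually write the attribute

function Find-Entries([string]$Path, [string]$Filter) {
    # Paged LDAP search under $Path; returns SearchResult objects.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot  = [ADSI]$Path
    $searcher.Filter      = $Filter
    $searcher.SearchScope = 'Subtree'
    $searcher.PageSize    = 500
    [void]$searcher.PropertiesToLoad.Add('cn')
    [void]$searcher.PropertiesToLoad.Add('userWorkstations')
    $searcher.FindAll()
}

# Build the comma-separated NetBIOS name list the attribute expects.
$names = @(Find-Entries $ComputerOU '(objectCategory=computer)' |
           ForEach-Object { [string]$_.Properties['cn'][0] } | Sort-Object -Unique)
if ($names.Count -eq 0) {
    # An empty list would remove every restriction; refuse rather than clear the attribute.
    throw "No computers found under $ComputerOU; not touching any user."
}
if ($names.Count -gt 64) {
    Write-Warning "The ADUC Log On To dialog accepts at most 64 workstations; found $($names.Count)."
}
$workstations = $names -join ','

$userFilter = '(&(objectCategory=person)(objectClass=user))'   # users only, not contacts
foreach ($result in Find-Entries $UserOU $userFilter) {
    $user    = $result.GetDirectoryEntry()
    $cn      = [string]$user.Properties['cn'].Value
    $current = [string]$user.Properties['userWorkstations'].Value

    if ($current -eq $workstations) { continue }   # already in sync, no write needed

    if ($WhatIf) {
        Write-Host "Would set ${cn}: '$current' -> '$workstations'"
        continue
    }
    $user.Properties['userWorkstations'].Value = $workstations
    $user.CommitChanges()
    Write-Host "Updated $cn"
}
```

Run it as a scheduled task on a domain controller or management host whenever machines are added to the cluster; the dry run prints the before/after list per user so the change can be reviewed first. Two caveats worth knowing before choosing this over the group policy route: the list replaces whatever was in the attribute, so any hand-maintained entries on those users are lost, and the restriction is checked by the domain controller against the NetBIOS name the workstation presents at logon, so it governs interactive logons rather than every kind of authentication.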