Re: Allow/deny log on

From: Steven L Umbach (n9rou_at_nospam-comcast.net)
Date: 12/09/04

    Date: Wed, 8 Dec 2004 18:46:25 -0600
    
    

    Yes they are nifty to use for logical organization of objects, for applying
    policy to computer/users with like needs, and also for delegation of
    authority. You can delegate a lot of administrative tasks to a regular user
    over the objects in the OU which allows you to keep the number of
    administrators in the domain to a minimum. --- Steve

    "tperovic" <tonyperovic@yahoo.com> wrote in message
    news:9UJtd.9073$Va5.8337@newsread3.news.atl.earthlink.net...
    > I always thought of Organizational Units as Marketing, Accounting,
    > Engineering, etc.
    > Now I realize that an OU can be "Computers we'll allow operators to logon
    > to" or "Computers we won't allow operators to logon to".
    >
    > Thanks,
    > TP
    >
    >
    > "Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
    > news:etSW5EN3EHA.1152@TK2MSFTNGP14.phx.gbl...
    >> No, you can do it via Group Policy. Say you have fifty computers that you
    >> only want the operators group to be able to logon to, you can create an
    >> OU with a GPO defined with logon locally to include the domain global
    >> group operators [and administrators probably]. Move those 50 computers
    >> into the OU and only those users/group that have the logon locally user
    >> right will be able to logon. Or for instance you have a group of
    >> computers in an OU and you do not want "operators" group to be able to
    >> logon to but all other domain users are okay you could add "operators"
    >> group to "deny logon locally" user right for that OU. --- Steve
    >>
    >>
    >> "tperovic" <tonyperovic@yahoo.com> wrote in message
    >> news:rUntd.8057$Va5.6410@newsread3.news.atl.earthlink.net...
    >> > So, if I want to allow members of the group called Operators to log onto
    >> > workstation A but not workstation B I must grant the "Log on locally"
    >> > right to Operators in the Local Security Settings on workstation A and
    >> > "Deny logon locally" on workstation B. In other words, such policies
    >> > cannot be controlled from the domain controller but must be set at each
    >> > workstation individually?
    >> >
    >> > "Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
    >> > news:edckt7I3EHA.3756@TK2MSFTNGP14.phx.gbl...
    >> >> Use the user right for logon locally in the appropriate security
    >> >> policy. While you can use Local Security Policy for non domain
    >> >> controllers it will probably be a lot easier configuring at the
    >> >> Organizational Unit level via a GPO created for that OU and moving
    >> >> computer accounts into the OU that you want that policy to apply to.
    >> >> The user rights are found under security settings/local policies/user
    >> >> rights. Keep in mind that if the user/group is not in the effective
    >> >> setting for logon locally that is an implicit deny for the user.
    >> >> Otherwise you can also use the deny logon locally user right but
    >> >> remember that administrators are also in the everyone and user groups
    >> >> so always use care with any deny privileges as they override allow
    >> >> privileges for user rights. -- Steve
    >> >>
    >> >>
    >> >> "tperovic" <tonyperovic@yahoo.com> wrote in message
    >> >> news:XSltd.7991$Va5.6514@newsread3.news.atl.earthlink.net...
    >> >> > Hi,
    >> >> >
    >> >> > Using Windows Server 2003 Active Directory, how do I allow some
    >> >> > users or groups to log on to some computers but deny them from
    >> >> > logging on to other computers?
    >> >> >
    >> >> > Thanks
    >> >> > TP
    >> >> >
    >> >> >
    >> >>
    >> >>
    >> >
    >> >
    >>
    >>
    >
    >
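
The evaluation order described in this thread (a group absent from the logon locally right is implicitly denied, and deny logon locally overrides any allow), as an added example that is not part of the original posts. It checks constructed `[Privilege Rights]` sections laid out like a `secedit /export` file; the three OU policies, the operators group SID and the account tokens are made-up sample data.

```python
import configparser

ALLOW = "SeInteractiveLogonRight"      # "Log on locally" user right
DENY = "SeDenyInteractiveLogonRight"   # "Deny logon locally" user right

ADMINS, USERS = "S-1-5-32-544", "S-1-5-32-545"  # BUILTIN Administrators, BUILTIN Users
OPERATORS = "S-1-5-21-1111111111-2222222222-3333333333-1105"  # constructed placeholder SID

# Constructed [Privilege Rights] sections, laid out like `secedit /export` output.
OU_OPERATORS_ONLY = f"[Privilege Rights]\n{ALLOW} = *{ADMINS},*{OPERATORS}\n"
OU_NO_OPERATORS = f"[Privilege Rights]\n{ALLOW} = *{ADMINS},*{USERS}\n{DENY} = *{OPERATORS}\n"
OU_DENY_USERS = f"[Privilege Rights]\n{ALLOW} = *{ADMINS},*{USERS}\n{DENY} = *{USERS}\n"

def parse_rights(inf_text):
    """Return {right name: set of SIDs} from a [Privilege Rights] section."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # keep the case of the right names
    cp.read_string(inf_text)
    return {name: {v.strip().lstrip("*") for v in value.split(",") if v.strip()}
            for name, value in cp["Privilege Rights"].items()}

def can_log_on_locally(inf_text, token_sids):
    """Evaluate interactive logon for a set of SIDs (user plus group memberships)."""
    rights, token = parse_rights(inf_text), set(token_sids)
    if rights.get(DENY, set()) & token:
        return False, "explicit deny"      # deny overrides any allow
    if rights.get(ALLOW, set()) & token:
        return True, "allowed"
    return False, "implicit deny"          # not listed in the allow right

# Group SIDs carried by three constructed accounts.
operator = {OPERATORS, USERS}
admin = {ADMINS, USERS}       # administrators are also members of Users
plain_user = {USERS}

if __name__ == "__main__":
    for label, inf in [("operators-only OU", OU_OPERATORS_ONLY),
                       ("no-operators OU", OU_NO_OPERATORS),
                       ("deny-Users OU", OU_DENY_USERS)]:
        for who, sids in [("operator", operator), ("admin", admin), ("user", plain_user)]:
            print(f"{label:18} {who:9} {can_log_on_locally(inf, sids)}")
```

The last policy shows the caveat raised above: denying a broad group such as Users also locks out administrators, because the deny is evaluated first.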

