better way to limit users/group to logon to specific workstations?
baileyk9
We limit a set of user accounts to logging on to specific workstations by
using the "Logon Workstations" property of each of those user accounts.
Seeking advice on a more manageable solution - using GPOs, and/or
restructuring our OU's for these resources if necessary.
scenario: 15-20 user accounts, and 50-60 workstations that they can log on
to (10-20 per user account, but it would be OK to give them access to all
50-60 workstations, since they are at different locations and will never be
able to log on to those outside their site anyway). Managing this is a mess
as the list of PCs they can log on to changes (PCs are added to or removed
from service).
Seems like putting all the restricted users in one OU, with the restricted
computers that they can access in another OU, and limit their access via
group policy? I understand GPOs, but don't know what GPO to use/create or if
this is the best approach.
Any ideas greatly appreciated!!
<>
Anthony
You can control who can log on to a computer with the User Rights Assignment
setting, Log on Locally. This is a computer policy, and by default includes
the local group Users, which by default in a domain contains domain users.
You can remove Users, and add whatever group you want. Or you can control
membership of the local group Users.
Apply this policy to an OU where the computers are. You can either create a
dedicated OU, or you can contol which computers the policy applies to by
editing the Security of the Group Policy Object. By default it is read and
applied by Authenticated Users, which includes all computers. In the policy
Security tab, you can remote (or uncheck) Authenticated Users and add the
computer group you want the policy to apply to.
Hope that helps,
Anthony, http://www.airdesk.co.uk
"baileyk9" <bail...@discussions.microsoft.com> wrote in message
news:1D714436-E9E3-4A44...@microsoft.com...
Florian Frommherz [MVP]
baileyk9 schrieb:
> Is there a better way to do this:
> We limit a set of user accounts to logging on to specific workstations by
> using the "Logon Workstations" property of each of those user accounts.
> Seeking advice on a more manageable solution - using GPOs, and/or
> restructuring our OU's for these resources if necessary.
>
> scenario: 15-20 user accounts, and 50-60 workstations that they can log on
> to (10-20 per user account, but it would be OK to give them access to all
> 50-60 workstations, since they are at different locations and will never be
> able to log on to those outside their site anyway). Managing this is a mess
> as the list of PCs they can log on to changes (PCs are added to or removed
> from service).
Best thing would be, if you could group the machines in OUs and the
users that access it by security groups. That way, you could easily work
with Anthony's suggestion, linking a Group Policy to the machine's OU
and assign the "Allow log on locally" right to the security group you
created for the appropritate users:
CompConf\Security Settings\Local Policies\User Rights Assignment\
You then need to remove the "Authenticated Users" from the list. Be sure
to keep an option for you and your IT guys to log on to those machines.
...and beware of the "Deny log on locally" policy. I've seen many people
locking themselves out with that. Best thing is you better leave it
alone and work with "Allow log on locally" as described.
cheers,
Florian
--
Microsoft MVP - Windows Server - Group Policy.
eMail: prename [at] frickelsoft [dot] net.
blog: http://www.frickelsoft.net/blog.
baileyk9
Your solution is a valid approach, however, we're really hoping to do this
based on the user account, instead of messing with local policy on all our
(other) machines. We're not trying to secure a subset of machines (your
solution perfect for that), we're trying to limit a subset of users to a
subset of PCs (that anyone else can still also log on to).
In other words, instead of: "here's a set of machines and only these
accounts can log on to them" (the way I read your solution),
we want: "here's a set of accounts and they can only logon to these
machines" .
Basically, we want the equivalent approach to the user account "Logon
Workstations" attribute - applying to the user accounts (or group or OU)
instead of the computers themselves, except using GPO instead of the account
properties.
??
thanks
>< Bailey
Anthony
logon locally setting, and apply it to all computers except the ones you
want them to log on to. You would apply this policy to all computers, but
in the Security tab of the policy you would Deny the policy to the group of
computers that you wanted them to be able to log on to. So the Deny policy
will be denied to them. Make sure you test in a Test OU with test account
and test computer!
Following your own idea, you could also script it by maintaining a list of
allowed computers and writing them to that AD Account field. You could
administer it by maintaining membership of a group of computers and a group
of users, then in the script "unpacking" the group membership. It sounds a
very cumbersome process though. You need it to apply to a group of users,
but you would need to run it so that it takes effect whenever you change the
list of users or the list of computers.
"baileyk9" <bail...@discussions.microsoft.com> wrote in message
news:6D230D93-88A2-4F91...@microsoft.com...
Florian Frommherz [MVP]
baileyk9 schrieb:
> In other words, instead of: "here's a set of machines and only these
> accounts can log on to them" (the way I read your solution),
> we want: "here's a set of accounts and they can only logon to these
> machines" .
You would need to script that. You can do it two ways:
(1) Write a script that would overwrite the users' "Log on locally"
attribute in Active Directory and replace it with the value(s) of the
machines you want. I don't know what the attribute is called in what
format the information is stored - but that could do the trick
(2) Create a startup script in which you get the user's name, enumerate
the user's group (ifmember.exe will help) and then determine, whether he
may log on to that machine. If not, log him/her out right away.
To be honest, I don't like those solutions. I wouldn't know another way
than those two. So if no one else has an idea on this, you'll have to
choose between them.
baileyk9
excellent information and I appreciate the input.
Looks like there's no "silver bullet" - not going to be as easy or elegant
as I'd hoped. Makes us consider continuing witht the original headache (the
"Log on to..." attribute of the user account). But I will test your
approach(es) and see where we end up. Either way, I've been educated!
thanks much!
<> Bailey
"Florian Frommherz [MVP]" wrote:
> Howdie!
>
> baileyk9 schrieb:
> > Is there a better way to do this:
> > We limit a set of user accounts to logging on to specific workstations by
> > using the "Logon Workstations" property of each of those user accounts.
> > Seeking advice on a more manageable solution - using GPOs, and/or
> > restructuring our OU's for these resources if necessary.
> >
> > scenario: 15-20 user accounts, and 50-60 workstations that they can log on
> > to (10-20 per user account, but it would be OK to give them access to all
> > 50-60 workstations, since they are at different locations and will never be
> > able to log on to those outside their site anyway). Managing this is a mess
> > as the list of PCs they can log on to changes (PCs are added to or removed
> > from service).
>
> Best thing would be, if you could group the machines in OUs and the
> users that access it by security groups. That way, you could easily work
> with Anthony's suggestion, linking a Group Policy to the machine's OU
> and assign the "Allow log on locally" right to the security group you
> created for the appropritate users:
>
> CompConf\Security Settings\Local Policies\User Rights Assignment\
>
> You then need to remove the "Authenticated Users" from the list. Be sure
> to keep an option for you and your IT guys to log on to those machines.
>
> ....and beware of the "Deny log on locally" policy. I've seen many people
Anthony
Anthony, http://www.airdesk.co.uk
"baileyk9" <bail...@discussions.microsoft.com> wrote in message
news:5AE6B2BA-B9BB-44FE...@microsoft.com...