Restrict users to only certain PCs

Anonymous
December 21, 2004 3:25:02 AM

Archived from groups: microsoft.public.win2000.active_directory

Hi

I want to restrict some users so they can only log on to the PCs in their
department.
I know it can be done in each user's properties on the Account tab, but I was
just wondering if it can be done as a group policy so I can add the whole group
at the same time.

Thanks

Anonymous
December 21, 2004 2:03:52 PM

The closest settings configurable via group policy which would help you
with this would probably be the user rights assignments for
DenySeInteractiveLogonRight, also known as Deny Interactive Logon.

I would be very cautious about deploying this setting via policy, though, and
test it prior to putting it into production. When placing an explicit deny,
or implicit deny (as a result of explicit allows minus the user which will
not be allowed), it can be very easy to inadvertently prevent user access.

You could configure the setting below in a policy linked to the OU which the
department's computers are in. The computers will need Read Allow and Apply
Group Policy Allow permissions.

Setting is:

Computer Configuration-->Windows Settings-->Security Settings-->Local
Policies-->User Rights Assignment. The setting is titled "Deny logon
locally", or alternatively "Allow logon locally" if you decide to engineer
this a little differently.

Please repost if you have any remaining questions.

--

Tim Springston
Microsoft Corporation

This posting is provided "AS IS" with no warranties, and confers no rights.

"MittonE" <eugenem@transcircuit.com(Do not Spam)> wrote in message
news:4470088B-E6C4-4884-9B67-70DE10E36FBF@microsoft.com...
> Hi
>
> I want to restrict some users so they can only log on to the PCs in their
> department.
> I know it can be done in each user's properties on the Account tab, but I
> was just wondering if it can be done as a group policy so I can add the
> whole group at the same time.
>
> Thanks
>
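
The caution in the reply above about locking users out by accident can be checked before a policy is linked. This is an added example, not part of the original thread: it audits the `[Privilege Rights]` section of a security template as exported by `secedit /export /cfg`, where the two rights appear as `SeInteractiveLogonRight` and `SeDenyInteractiveLogonRight`. The function names and the sample SIDs are constructed for illustration, and only direct entries are compared, not nested group membership.

```python
"""Audit logon rights in a security template before linking the GPO."""
ADMINS = "S-1-5-32-544"  # BUILTIN Administrators
BROAD = {"S-1-1-0": "Everyone", "S-1-5-11": "Authenticated Users",
         "S-1-5-32-545": "BUILTIN\\Users", ADMINS: "BUILTIN\\Administrators"}

def privilege_rights(inf_text):
    """Return {right: [principals]} from the [Privilege Rights] section."""
    rights, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
        elif in_section and "=" in line and not line.startswith(";"):
            name, _, value = line.partition("=")
            # secedit writes SIDs as *S-1-...; strip the leading asterisk
            rights[name.strip()] = [p.strip().lstrip("*")
                                    for p in value.split(",") if p.strip()]
    return rights

def broad_name(sid):
    """Name of a group wide enough to lock out most users, else None."""
    if sid.startswith("S-1-5-21-") and sid.endswith("-513"):
        return "Domain Users"  # RID 513 in any domain
    return BROAD.get(sid)

def audit_logon_rights(inf_text):
    """List settings that would deny logon to more accounts than intended."""
    rights = privilege_rights(inf_text)
    allow = rights.get("SeInteractiveLogonRight")  # None = not configured
    deny = rights.get("SeDenyInteractiveLogonRight", [])
    findings = []
    for sid in deny:
        if broad_name(sid):
            findings.append(f"deny list contains {broad_name(sid)} ({sid})")
    if allow is not None:
        if ADMINS not in allow:
            findings.append("allow list omits BUILTIN\\Administrators")
        for sid in sorted(set(allow) & set(deny)):
            findings.append(f"{sid} is in both lists; deny takes precedence")
    return findings

# Constructed sample template; the domain SID and RID 1105 are made up.
SAMPLE = """[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-21-1111-2222-3333-1105
SeDenyInteractiveLogonRight = *S-1-5-21-1111-2222-3333-513,*S-1-5-21-1111-2222-3333-1105
"""

if __name__ == "__main__":
    for finding in audit_logon_rights(SAMPLE):
        print("WARNING:", finding)
```

An empty result means none of these three lockout patterns was found; the policy still needs testing on a non-production OU, as the reply advises.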