Restrict users to only certain pc's

Archived from groups: microsoft.public.win2000.active_directory (More info?)

Hi

I want to restrict some users so they can only log onto the pc's in their
department.
I know it can be done at each user's properties on the account tab but I was
just wondering if it can be done as a group policy so can add the whole group
at the same time.

Thanks
1 answer Last reply
More about restrict users
  1. Archived from groups: microsoft.public.win2000.active_directory (More info?)

    The closest setting's configurable via group policy which would help you
    with this would probably be the user rights assignments for
    DenySeInteractiveLogonRight, also known as Deny Interactive Logon.

    I would be very cautious about deploying this setting via policy though and
    test it prior to putting it into production. When placing an explicit deny,
    or implicit deny (as a result of explicit allows minus the user which will
    not be allowed) it can be very easy to inadvertantly prevent users access.

    You could configure the setting below in a policy linked to the OU which the
    department's computers are in. The computers will need Read Allow and Apply
    Group Policy Allow permissions.

    Setting is:

    Computer Configuration-->Windows Settings-->Security Settings-->Local
    Policies-->User Rights Assignment. The setting is titled "Deny logon
    locally", or alternatively "Allow logon locally" if you decide to engineer
    this a little differently.

    Please repost if you have any remaining questions.

    --

    Tim Springston
    Microsoft Corporation

    This posting is provided "AS IS" with no warranties, and confers no rights.
    "MittonE" <eugenem@transcircuit.com(Do not Spam)> wrote in message
    news:4470088B-E6C4-4884-9B67-70DE10E36FBF@microsoft.com...
    > Hi
    >
    > I want to restrict some users so they can only log onto the pc's in their
    > department.
    > I know it can be done at each user's properties on the account tab but I
    > was
    > just wondering if it can be done as a group policy so can add the whole
    > group
    > at the same time.
    >
    > Thanks
    >
Ask a new question

Read More

Microsoft Active Directory Windows