Restricting access to certain computers

Archived from groups: microsoft.public.win2000.group_policy (More info?)

I have certain computers on my network that I want to restrict who logs on.
I have set a group policy that requires a 12 character minimum password
length but users who have four characters can still log on. The server is
Windows 2000 and the computers are XP. I know that I could go into the user
account and set up what computers to log on to but I have close to 1000 users
and many computers and I want an easier way. Thanks for any help.
3 answers Last reply
More about restricting access computers
  1. Archived from groups: microsoft.public.win2000.group_policy (More info?)

    First problem is that password policies are set at the domain level. So
    your password policy can be either 4 or 12 characters.

    I believe there's a setting in Computer Configuration>Windows Settings>
    Security Settings> Local Policies> User Rights Assignments> Log on locally

    If you add the users to that policy, and place the computers in an OU with
    that policy applied, you'll be able to do what you want... but can Lara,
    Steve, Bruce, or Jerold confirm that I have that right?

    Ken

    "kelmel" <kelmel@discussions.microsoft.com> wrote in message
    news:A353BEEE-9D38-44FA-956C-B7543AEDAAAE@microsoft.com...
    >I have certain computers on my network that I want to restrict who logs on.
    > I have set a group policy that requires a 12 character minimum password
    > length but users who have four characters can still log on. The server is
    > Windows 2000 and the computers are XP. I know that I could go into the
    > user
    > account and set up what computers to log on to but I have close to 1000
    > users
    > and many computers and I want an easier way. Thanks for any help.
  2. Archived from groups: microsoft.public.win2000.group_policy (More info?)

    This seems to be working for me. Thanks!

    "Ken B" wrote:

    > First problem is that password policies are set at the domain level. So
    > your password policy can be either 4 or 12 characters.
    >
    > I believe there's a setting in Computer Configuration>Windows Settings>
    > Security Settings> Local Policies> User Rights Assignments> Log on locally
    >
    > If you add the users to that policy, and place the computers in an OU with
    > that policy applied, you'll be able to do what you want... but can Lara,
    > Steve, Bruce, or Jerold confirm that I have that right?
    >
    > Ken
    >
    > "kelmel" <kelmel@discussions.microsoft.com> wrote in message
    > news:A353BEEE-9D38-44FA-956C-B7543AEDAAAE@microsoft.com...
    > >I have certain computers on my network that I want to restrict who logs on.
    > > I have set a group policy that requires a 12 character minimum password
    > > length but users who have four characters can still log on. The server is
    > > Windows 2000 and the computers are XP. I know that I could go into the
    > > user
    > > account and set up what computers to log on to but I have close to 1000
    > > users
    > > and many computers and I want an easier way. Thanks for any help.
    >
    >
    >
  3. Archived from groups: microsoft.public.win2000.group_policy (More info?)

    Ken's on the right track.

    Although the Account Policies (including password length) is in Computer
    Configuration, it applies to user accounts.
    a. Account Policies settings in the Default Domain Policy apply all domain
    user accounts regardless of which computer they happen to logon to; the
    Default Domain Policy is the ONLY place this setting has any affect on
    domain user accounts.
    b. Account Policies settings in some other GPO, apply to all Local User
    Accounts on computers whose computer account is within the scope of that GPO

    This is explained in the Help for Security Settings (Group Policy Editor,
    right click Computer Configuration\Windows Settings\Security
    Settings\Account Policies, select Help, Security Settings\Concepts\Security
    Settings Descriptions\Account Policies)

    You can not apply a password length policy on a user by user basis.

    If you only want some domain user accounts to be able to logon to some
    computers, you can remove the Domain Users group from the local Users group
    on those computers and add a group that has just the user account you want
    to be able to logon. You can do this in a GPO using Restricted Groups -
    however, if you aren't careful, you could prevent anyone from logging on at
    any computer, so make sure you only apply such a GPO to an OU which has only
    the computer accounts you want to apply this to.

    Or, you can do as Ken suggested and set the Logon Locally right to include
    just the group(s) of users you want to be able to logon. Again, test this
    carefully on a few test computers, so you don't shoot yourself in the foot
    (e.g. end up preventing Adminstrators from logging on!)

    --
    Bruce Sanderson MVP

    It's perfectly useless to know the right answer to the wrong question.


    "Ken B" <none@microsoft.com> wrote in message
    news:O2Jcw1hNFHA.3928@TK2MSFTNGP09.phx.gbl...
    > First problem is that password policies are set at the domain level. So
    > your password policy can be either 4 or 12 characters.
    >
    > I believe there's a setting in Computer Configuration>Windows Settings>
    > Security Settings> Local Policies> User Rights Assignments> Log on locally
    >
    > If you add the users to that policy, and place the computers in an OU with
    > that policy applied, you'll be able to do what you want... but can Lara,
    > Steve, Bruce, or Jerold confirm that I have that right?
    >
    > Ken
    >
    > "kelmel" <kelmel@discussions.microsoft.com> wrote in message
    > news:A353BEEE-9D38-44FA-956C-B7543AEDAAAE@microsoft.com...
    >>I have certain computers on my network that I want to restrict who logs
    >>on.
    >> I have set a group policy that requires a 12 character minimum password
    >> length but users who have four characters can still log on. The server
    >> is
    >> Windows 2000 and the computers are XP. I know that I could go into the
    >> user
    >> account and set up what computers to log on to but I have close to 1000
    >> users
    >> and many computers and I want an easier way. Thanks for any help.
    >
    >
Ask a new question

Read More

Policy Computers Microsoft Windows