Restricting access to certain computers

Last response: in Windows 2000/NT
Anonymous
March 31, 2005 11:51:10 AM

Archived from groups: microsoft.public.win2000.group_policy

I have certain computers on my network that I want to restrict who logs on.
I have set a group policy that requires a 12 character minimum password
length but users who have four characters can still log on. The server is
Windows 2000 and the computers are XP. I know that I could go into the user
account and set up what computers to log on to but I have close to 1000 users
and many computers and I want an easier way. Thanks for any help.
Anonymous
March 31, 2005 5:14:09 PM

First problem is that password policies are set at the domain level. So
your password policy can be either 4 or 12 characters.

I believe there's a setting in Computer Configuration>Windows Settings>
Security Settings> Local Policies> User Rights Assignments> Log on locally

If you add the users to that policy, and place the computers in an OU with
that policy applied, you'll be able to do what you want... but can Lara,
Steve, Bruce, or Jerold confirm that I have that right?

Ken

"kelmel" <kelmel@discussions.microsoft.com> wrote in message
news:A353BEEE-9D38-44FA-956C-B7543AEDAAAE@microsoft.com...
>I have certain computers on my network that I want to restrict who logs on.
> I have set a group policy that requires a 12 character minimum password
> length but users who have four characters can still log on. The server is
> Windows 2000 and the computers are XP. I know that I could go into the
> user
> account and set up what computers to log on to but I have close to 1000
> users
> and many computers and I want an easier way. Thanks for any help.
Anonymous
March 31, 2005 5:14:10 PM

This seems to be working for me. Thanks!

"Ken B" wrote:

> First problem is that password policies are set at the domain level. So
> your password policy can be either 4 or 12 characters.
>
> I believe there's a setting in Computer Configuration>Windows Settings>
> Security Settings> Local Policies> User Rights Assignments> Log on locally
>
> If you add the users to that policy, and place the computers in an OU with
> that policy applied, you'll be able to do what you want... but can Lara,
> Steve, Bruce, or Jerold confirm that I have that right?
>
> Ken
>
> "kelmel" <kelmel@discussions.microsoft.com> wrote in message
> news:A353BEEE-9D38-44FA-956C-B7543AEDAAAE@microsoft.com...
> >I have certain computers on my network that I want to restrict who logs on.
> > I have set a group policy that requires a 12 character minimum password
> > length but users who have four characters can still log on. The server is
> > Windows 2000 and the computers are XP. I know that I could go into the
> > user
> > account and set up what computers to log on to but I have close to 1000
> > users
> > and many computers and I want an easier way. Thanks for any help.
Anonymous
March 31, 2005 5:16:02 PM

Ken's on the right track.

Although the Account Policies (including password length) are in Computer
Configuration, they apply to user accounts.
a. Account Policies settings in the Default Domain Policy apply to all domain
user accounts regardless of which computer they happen to logon to; the
Default Domain Policy is the ONLY place this setting has any effect on
domain user accounts.
b. Account Policies settings in some other GPO, apply to all Local User
Accounts on computers whose computer account is within the scope of that GPO

This is explained in the Help for Security Settings (Group Policy Editor,
right click Computer Configuration\Windows Settings\Security
Settings\Account Policies, select Help, Security Settings\Concepts\Security
Settings Descriptions\Account Policies)

You cannot apply a password length policy on a user by user basis.

If you only want some domain user accounts to be able to logon to some
computers, you can remove the Domain Users group from the local Users group
on those computers and add a group that has just the user account you want
to be able to logon. You can do this in a GPO using Restricted Groups -
however, if you aren't careful, you could prevent anyone from logging on at
any computer, so make sure you only apply such a GPO to an OU which has only
the computer accounts you want to apply this to.

Or, you can do as Ken suggested and set the Logon Locally right to include
just the group(s) of users you want to be able to logon. Again, test this
carefully on a few test computers, so you don't shoot yourself in the foot
(e.g. end up preventing Administrators from logging on!)

--
Bruce Sanderson MVP

It's perfectly useless to know the right answer to the wrong question.


"Ken B" <none@microsoft.com> wrote in message
news:o 2Jcw1hNFHA.3928@TK2MSFTNGP09.phx.gbl...
> First problem is that password policies are set at the domain level. So
> your password policy can be either 4 or 12 characters.
>
> I believe there's a setting in Computer Configuration>Windows Settings>
> Security Settings> Local Policies> User Rights Assignments> Log on locally
>
> If you add the users to that policy, and place the computers in an OU with
> that policy applied, you'll be able to do what you want... but can Lara,
> Steve, Bruce, or Jerold confirm that I have that right?
>
> Ken
>
> "kelmel" <kelmel@discussions.microsoft.com> wrote in message
> news:A353BEEE-9D38-44FA-956C-B7543AEDAAAE@microsoft.com...
>>I have certain computers on my network that I want to restrict who logs
>>on.
>> I have set a group policy that requires a 12 character minimum password
>> length but users who have four characters can still log on. The server
>> is
>> Windows 2000 and the computers are XP. I know that I could go into the
>> user
>> account and set up what computers to log on to but I have close to 1000
>> users
>> and many computers and I want an easier way. Thanks for any help.
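Added example, not part of any post in this thread: a pre-deployment check for the two approaches discussed above (the Log on locally right and Restricted Groups), run against the text of a security template as exported by `secedit /export /cfg`. The sample template, the domain SID and the group RID 1105 are constructed for illustration, and the check assumes principals are written as SIDs rather than names.

```python
ADMINISTRATORS = "S-1-5-32-544"  # BUILTIN\Administrators
USERS = "S-1-5-32-545"           # BUILTIN\Users
BROAD = {"S-1-1-0": "Everyone", "S-1-5-11": "Authenticated Users"}

# Constructed sample in the security template (INF) layout.
# RID 1105 stands for the hypothetical "allowed to log on here" group.
SAMPLE = """\
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-545,*S-1-5-21-1111111111-2222222222-3333333333-1105
[Group Membership]
*S-1-5-32-545__Memberof =
*S-1-5-32-545__Members = *S-1-5-21-1111111111-2222222222-3333333333-513
"""

def sids(value):
    # "*S-1-5-32-544,*S-1-5-32-545" -> ["S-1-5-32-544", "S-1-5-32-545"]
    return [s.strip().lstrip("*") for s in value.split(",") if s.strip()]

def is_domain_users(sid):
    # Domain Users is always RID 513 under the domain SID.
    return sid.startswith("S-1-5-21-") and sid.endswith("-513")

def parse(text):
    sections, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            current[key.strip()] = sids(value)
    return sections

def audit(text):
    t, findings = parse(text), []
    logon = t.get("Privilege Rights", {}).get("SeInteractiveLogonRight")
    members = t.get("Group Membership", {}).get("*" + USERS + "__Members")
    if logon is not None:
        if ADMINISTRATORS not in logon:
            findings.append("lockout: Administrators lack Log on locally")
        for sid in logon:
            if sid in BROAD or is_domain_users(sid):
                who = BROAD.get(sid, "Domain Users")
                findings.append("unrestricted: Log on locally granted to " + who)
        if USERS in logon and members is None:
            findings.append("review: local Users membership is not restricted here")
    if members is not None and any(is_domain_users(s) for s in members):
        findings.append("unrestricted: Domain Users is still a member of local Users")
    return findings
```

On the sample, `audit(SAMPLE)` reports both the Administrators lockout and the leftover Domain Users membership; an empty list means neither problem was found in the template.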