Restrict computers user in an OU or Group can log on to

Archived from groups: microsoft.public.win2000.security

I'm looking for a method to restrict what computers a set of users can log on
to.
The problems I see are these: if I use Account "Log on to..." in Active
Directory, the maintenance will be quite extreme, as I will have quite a few
users in this group, and the machines I do want them to sign on to are a
load-balancing cluster via thin clients with a fairly dynamic number of
machines in the cluster, as we seem to be constantly adding new machines.

If I use Deny Logon Locally in Group Policy and then apply it to the entire domain,
stopping inheritance in the OU that has the machines to connect to, it overrides all
local Deny Logon Locally settings in local policies, which seems to be a very bad idea.

I think what is really needed is a loopback for the Computer portion of Group Policy,
not just the User portion, or Merge instead of Replace on Group Policy, or "Log on
to" in the User part of Group Policy, or something.

I'm kind of guessing we will have to script with "Log on to", but want to
know if there is a better answer.

Thanks,

JeffJ
  1.

    User rights are strictly computer policy. If you want to restrict users to logging on to
    a certain group of computers, put those computers in an OU, create a GPO for that OU,
    and add the global group for those users to the logon locally user right [along with
    administrators and other allowed users]. Then, at the domain level and/or in other OUs,
    add that global group to the deny logon locally user right in those GPOs. Group Policy
    is applied in this order - local>site>domain>OU, where the last applied policy is the
    effective policy if settings are defined at multiple levels. I would not worry about
    overriding local policy. It will be much easier to manage policy at the domain/OU
    level. --- Steve


    "JeffJ" <JeffJ@discussions.microsoft.com> wrote in message
    news:F4F41598-0B08-41D1-AA8F-2C116E1CD872@microsoft.com...
    > I'm looking for a method to restrict what computers a set of users can log on
    > to.
    > [...]
  2.

    Thanks for your reply, but I don't think overriding all local policies for
    Deny Logon Locally seems to be a very good idea. XP machines all have the local
    guest, support, and ASPNET accounts disabled by default. Other software
    may be adding to this also. With over 1500 computers I don't feel like
    checking them all :-( If local policies were not already being used this
    would seem the logical method, as I stated at first in paragraph 3, but with
    Microsoft now adding so much stuff to this right out of the box I'm very
    apprehensive to override it. Before XP and .NET there didn't use to be
    anything in here from local policy, but now Microsoft is using it. Giving
    ASPNET access again would be a violation of what Microsoft is trying to do in
    this case.

    I'm still leaning towards an ADSI script to add all computers in one OU to the
    "Log on To" workstations of all users in another OU.

    Anyone have this script, or a better method, or a convincing argument for the
    group policy method both Steven and I have thought of?

    "Steven L Umbach" wrote:

    > User rights are strictly computer policy. If you want to restrict users to logon to
    > certain group of computers, put those computers in an OU, create a GPO for that OU
    > [...]
  3.

    If you don't want to overwrite local policy for user rights, look into using the
    Resource Kit tool ntrights for "SeDenyInteractiveLogonRight" for your group, which
    you could try as a startup script for computers in an OU to add to the existing
    defined settings in local policy. The link below explains ntrights more; keep in
    mind that the right you specify is case sensitive. --- Steve

    [ ntrights +r SeDenyInteractiveLogonRight -u "mydomain\mygroup" ] would be worth a try.

    http://support.microsoft.com/default.aspx?scid=kb;en-us;279664

    "JeffJ" <JeffJ@discussions.microsoft.com> wrote in message
    news:0B121246-5479-4C63-B62C-11BBC2B33DD9@microsoft.com...
    > Thanks for your reply, but I don't think overriding all local policies for
    > Deny Logon Local seems to be a very good idea.
    > [...]
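The two user-rights approaches in replies 1 and 3 differ in exactly the point JeffJ objects to: a user right defined in a GPO replaces the machine's whole list of principals for that right, while ntrights +r appends one. The startup script below is an added example, not code from the thread or from Microsoft, that does the append with secedit (in-box on every supported Windows version, so the Resource Kit tool is not needed). The group name is a placeholder; the script assumes it runs as SYSTEM from a computer startup script or from an elevated prompt, and that the domain is reachable so the group name resolves to a SID.

```powershell
<#
Added example, not code from the thread: a computer startup script that adds a domain
group to "Deny log on locally" (SeDenyInteractiveLogonRight) on the local machine while
keeping every principal local policy already lists there. A GPO-defined user right
replaces the whole list; this appends to it, the way "ntrights +r" does.
Assumptions: the group name is a placeholder; runs as SYSTEM or from an elevated prompt;
secedit reads and writes UTF-16LE INF files.
#>
param(
    [string]$Group = 'MYDOMAIN\Thin Client Users',   # placeholder; use your real group
    [string]$Right = 'SeDenyInteractiveLogonRight'   # privilege names are case-sensitive
)
$ErrorActionPreference = 'Stop'

# INF templates name principals by SID with a leading '*', so resolve the group first.
$sid   = ([System.Security.Principal.NTAccount]$Group).Translate(
             [System.Security.Principal.SecurityIdentifier]).Value
$entry = "*$sid"

$work     = Join-Path $env:TEMP 'deny-logon-merge'
New-Item -ItemType Directory -Path $work -Force | Out-Null
$exported = Join-Path $work 'current.inf'
$template = Join-Path $work 'merge.inf'
$database = Join-Path $work 'merge.sdb'

# 1. Export the effective local user-rights assignments.
& secedit /export /cfg $exported /areas USER_RIGHTS /quiet | Out-Null
if ($LASTEXITCODE -ne 0) { throw "secedit /export failed with exit code $LASTEXITCODE" }

# 2. Read the current holders of the right (the line is absent if it was never defined).
$current = @()
$line = Get-Content -Path $exported -Encoding Unicode |
        Where-Object { $_ -match "^\s*$Right\s*=" } |
        Select-Object -First 1
if ($line) {
    $current = @(($line -split '=', 2)[1] -split ',' |
                 ForEach-Object { $_.Trim() } | Where-Object { $_ })
}
if ($current -contains $entry) {
    Write-Output "$Group already holds $Right on this machine; nothing to do."
    return
}
$merged = ($current + $entry) -join ','

# 3. Apply a template that defines only this one right, with the merged list.
#    secedit /configure changes only the settings present in the template, so every
#    other user right on the machine stays exactly as local policy had it.
@"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO`$"
Revision=1
[Privilege Rights]
$Right = $merged
"@ | Set-Content -Path $template -Encoding Unicode

& secedit /configure /db $database /cfg $template /areas USER_RIGHTS /quiet | Out-Null
if ($LASTEXITCODE -ne 0) { throw "secedit /configure failed with exit code $LASTEXITCODE" }
Write-Output "$Right is now: $merged"
```

Deploy it as a computer startup script linked at the domain level, with the OU that holds the cluster machines blocking inheritance, and the deny entry is re-asserted at every boot without disturbing the local XP entries (guest, support, ASPNET) JeffJ is worried about. The script is additive only; removing the group later means the reverse edit, and the export/merge step makes a second run a no-op rather than a duplicate entry.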
  4.

    Ended up writing a VBS script. Thanks for your help.

    ' VBScript source code
    ' Writes the names of every computer under the "computers" OU into the
    ' userWorkstations ("Log On To") attribute of every user under the "users" OU.
    Option Explicit
    Dim computers, users, list, first
    Dim objConnection, objCommand, objRecordSet, MyUser
    Const ADS_SCOPE_SUBTREE = 2

    computers = "OU=Testing2,DC=test,DC=com"
    users = "OU=Testing,DC=test,DC=com"

    Set objConnection = CreateObject("ADODB.Connection")
    Set objCommand = CreateObject("ADODB.Command")
    objConnection.Provider = "ADsDSOObject"
    objConnection.Open "Active Directory Provider"
    Set objCommand.ActiveConnection = objConnection
    objCommand.CommandText = "Select Name from 'LDAP://" & computers & _
        "' where objectClass='computer'"
    objCommand.Properties("Page Size") = 1000
    objCommand.Properties("Timeout") = 30
    objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE
    objCommand.Properties("Cache Results") = False
    Set objRecordSet = objCommand.Execute

    ' Build a comma-separated list without a leading comma.
    list = ""
    first = True
    Do Until objRecordSet.EOF
        If first Then
            first = False
        Else
            list = list & ","
        End If
        list = list & objRecordSet.Fields("Name").Value
        objRecordSet.MoveNext
    Loop

    ' An empty userWorkstations value means "may log on anywhere", so never write one.
    If list = "" Then
        WScript.Echo "No computers found under " & computers & "; nothing written."
        WScript.Quit 1
    End If

    ' objectCategory='person' excludes computer accounts, which are also objectClass='user'.
    objCommand.CommandText = "Select ADsPath from 'LDAP://" & users & _
        "' where objectCategory='person' AND objectClass='user'"
    Set objRecordSet = objCommand.Execute
    Do Until objRecordSet.EOF
        Set MyUser = GetObject(objRecordSet.Fields("ADsPath").Value)
        MyUser.userWorkstations = list
        MyUser.SetInfo
        objRecordSet.MoveNext
    Loop


    "Steven L Umbach" wrote:

    > If you don't want to overwrite local policy for user rights look into using the
    > Resource Kit tool ntrights for " SeDenyInteractiveLogonRight " for your group which
    > [...]
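The "Log on to" approach JeffJ settled on has a hard ceiling the thread never states: the userWorkstations attribute is limited to 1024 characters by the schema, so a cluster that keeps growing will eventually stop fitting, and an empty value means the user may log on anywhere. The script below is an added example, not code from the thread, that does the same job with the ActiveDirectory module and adds those two checks plus an idempotency test so it can run from a scheduled task. The OU distinguished names are placeholders taken from the VBScript above; it assumes the RSAT ActiveDirectory module and write access to the target users.

```powershell
<#
Added example, not code from the thread: the VBScript's approach (stamp the current
members of a computer OU into the userWorkstations / "Log On To" attribute of every
user in another OU) with the ActiveDirectory module, plus guards for the 1024-character
schema limit, for an empty computer OU (an empty value lifts the restriction), and for
users whose list is already current (so scheduled re-runs write nothing).
Assumptions: the OU names are placeholders; RSAT ActiveDirectory module is installed.
#>
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$ComputerOU = 'OU=Testing2,DC=test,DC=com',   # placeholder, as in the VBScript
    [string]$UserOU     = 'OU=Testing,DC=test,DC=com'     # placeholder, as in the VBScript
)
Import-Module ActiveDirectory
$ErrorActionPreference = 'Stop'

$MaxLength = 1024   # schema rangeUpper of the userWorkstations attribute

# Computer names under the OU, sorted and de-duplicated so the joined string is canonical.
$names = @(Get-ADComputer -SearchBase $ComputerOU -SearchScope Subtree -Filter * |
           Select-Object -ExpandProperty Name | Sort-Object -Unique)
if ($names.Count -eq 0) {
    throw "No computer objects under $ComputerOU; refusing to write an empty list, which would allow logon everywhere."
}
$list = $names -join ','
if ($list.Length -gt $MaxLength) {
    throw "List is $($list.Length) characters for $($names.Count) computers; userWorkstations holds at most $MaxLength. Use the user-rights (GPO) approach for a cluster this size."
}

$users = Get-ADUser -SearchBase $UserOU -SearchScope Subtree -Filter * -Properties LogonWorkstations
foreach ($u in $users) {
    # Normalise the stored value the same way before comparing, so a different
    # order of the same names does not cause a needless write.
    $have = @($u.LogonWorkstations -split ',' | ForEach-Object { $_.Trim() } |
              Where-Object { $_ } | Sort-Object -Unique)
    if (($have -join ',') -eq $list) { continue }
    if ($PSCmdlet.ShouldProcess($u.SamAccountName, "Set LogonWorkstations to $($names.Count) computers")) {
        Set-ADUser -Identity $u -LogonWorkstations $list
    }
}
```

Run it once with -WhatIf to see which users would change, then schedule it. When the length check starts failing, that is the signal to move to the user-rights method from reply 1, which has no such limit because the restriction lives on the computers rather than in each user object.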