Restrict computers user in an OU or Group can log on to

Archived from groups: microsoft.public.win2000.security (More info?)

I'm looking for a method to restrict what computers a set of users can log on
to.
The problems I see are this: if I use Account "Log on to"... in Active
Directory, the maintenance will be quite extreme, as I will have quite a few
users in this group and the machines I do want them to sign on to are a
load-balancing cluster via thin clients with a fairly dynamic number of
machines in the cluster, as we seem to be constantly adding new machines.

If I use Deny Logon Locally in Group policy and then apply to entire domain
stopping inheritance in OU that has machines to connect to, it overrides all
local Deny Logon Locally in local policies, which seems to be a very bad idea.

I think what is really needed is a Loop back for Computer portion not just
User of Group Policy, or Merge instead of replace on Group Policy, or Log on
to in User part of Group policy or something.

I'm kind of guessing we will have to script with "Log on to", but want to
know if there is a better answer.

Thanks,

JeffJ

User rights are strictly computer policy. If you want to restrict users to logging on to
a certain group of computers, put those computers in an OU, create a GPO for that OU
and add the global group for those users to the logon locally user right [along with
administrators and other allowed users]. Then at the domain level and/or other OUs
add that global group to the deny logon locally user right in the GPOs. Group Policy
is applied in this order - local>site>domain>OU, where the last applied policy is the
effective policy if settings are defined at multiple levels. I would not worry about
overriding local policy. It will be much easier to manage policy at domain/OU
level. --- Steve


"JeffJ" <JeffJ@discussions.microsoft.com> wrote in message
news:F4F41598-0B08-41D1-AA8F-2C116E1CD872@microsoft.com...
> I'm looking for a method to restrict what computers a set of users can log on
> to.
> The problems I see are this if I use Account "Log on to".. in Active
> Directory the maintenance will be quite extreme as I will have quite a few
> users in this group and the machines I do want them to sign on to are a
> load-balancing cluster via thin clients with a fairly dynamic number of
> machines in cluster, as we seem to be constantly adding new machines.
>
> If I use Deny Logon Locally in Group policy and then apply to entire domain
> stopping inheritance in OU that has machines to connect to, it overrides all
> local Deny Logon Locally in local policies, which seems to be a very bad idea.
>
> I think what is really needed is a Loop back for Computer portion not just
> User of Group Policy, or Merge instead of replace on Group Policy, or Log on
> to in User part of Group policy or something.
>
> I'm kind of guessing we will have to script with "Log on to", but want to
> know if there is a better answer.
>
> Thanks,
>
> JeffJ
>

Thanks for your reply, but I don't think overriding all local policies for
Deny Logon Local seems to be a very good idea. XP machines all have local
guest, support, and ASPNET accounts disabled by default. Other software
may be adding to this also. With over 1500 computers I don't feel like
checking them all :-( If local policies were not already being used this
would seem the logical method, as I stated at first in paragraph 3, but with
Microsoft now adding so much stuff to this right out of the box I'm very
apprehensive to override it. Before XP and .NET there didn't use to be
anything in here from local policy, but now Microsoft is using it. Giving
ASPNET access again would be a violation of what Microsoft is trying to do in
this case.

I'm still leaning towards an ADSI script to add all computers in one OU to all
users in another OU's "Log on To" workstations.

Anyone have this script, a better method, or a convincing argument for the
group policy method both Steven and I have thought of?

"Steven L Umbach" wrote:

> User rights are strictly computer policy. If you want to restrict users to logon to
> certain group of computers, put those computers in an OU, create a GPO for that OU
> and add the global group for those users to the logon locally user right [ along with
> administrators and other allowed users] . Then at the domain level and or other OU's
> add that global group to the deny logon locally user right to the GPO's. Group Policy
> is applied in this order - local>site>domain>OU where the last applied policy is the
> effective policy if settings are defined at multiple levels. I would not worry about
> overriding local policy. It will be much easier to manage policy at domain/OU
> level. --- Steve
>
>
> "JeffJ" <JeffJ@discussions.microsoft.com> wrote in message
> news:F4F41598-0B08-41D1-AA8F-2C116E1CD872@microsoft.com...
> > I'm looking for a method to restrict what computers a set of users can log on
> > to.
> > The problems I see are this if I use Account "Log on to".. in Active
> > Directory the maintenance will be quite extreme as I will have quite a few
> > users in this group and the machines I do want them to sign on to are a
> > load-balancing cluster via thin clients with a fairly dynamic number of
> > machines in cluster, as we seem to be constantly adding new machines.
> >
> > If I use Deny Logon Locally in Group policy and then apply to entire domain
> > stopping inheritance in OU that has machines to connect to, it overrides all
> > local Deny Logon Locally in local policies, which seems to be a very bad idea.
> >
> > I think what is really needed is a Loop back for Computer portion not just
> > User of Group Policy, or Merge instead of replace on Group Policy, or Log on
> > to in User part of Group policy or something.
> >
> > I'm kind of guessing we will have to script with "Log on to", but want to
> > know if there is a better answer.
> >
> > Thanks,
> >
> > JeffJ
> >
>
>
>

If you don't want to overwrite local policy for user rights, look into using the
Resource Kit tool ntrights for "SeDenyInteractiveLogonRight" for your group, which
you could try as a startup script for computers in an OU to add to the existing
defined settings in local policy. The link below explains ntrights further; keep in
mind that the right you specify is case sensitive. --- Steve

[ ntrights +r SeDenyInteractiveLogonRight -u "mydomain\mygroup" ] would be worth a
try.

http://support.microsoft.com/default.aspx?scid=kb;en-us;279664

"JeffJ" <JeffJ@discussions.microsoft.com> wrote in message
news:0B121246-5479-4C63-B62C-11BBC2B33DD9@microsoft.com...
> Thanks for your reply, but I don't think overriding all local policies for
> Deny Logon Local seems to be a very good idea. XP machines all have local
> guest, support, and ASPNET accounts disabled by default. Other software
> may be adding to this also. With over 1500 computers I don't feel like
> checking them all :-( If local policies were not already being used this
> would seem the logical method as I stated at first in paragraph 3, but with
> Microsoft now adding so much stuff to this right out of box I'm very
> apprehensive to override it. Before XP and .NET there didn't used to be
> anything in here from local policy but now Microsoft is using it. Giving
> ASPNET access again would be a violation of what Microsoft is trying to do in
> this case.
>
> I'm still leaning towards adsi script to add all computers in one OU to all
> user in another OU "Log on To" workstations.
>
> Anyone have this script or a better method, or a convincing argument for
> group policy method both Steven and I have thought of?
>
> "Steven L Umbach" wrote:
>
>> User rights are strictly computer policy. If you want to restrict users to logon
>> to
>> certain group of computers, put those computers in an OU, create a GPO for that OU
>> and add the global group for those users to the logon locally user right [ along
>> with
>> administrators and other allowed users] . Then at the domain level and or other
>> OU's
>> add that global group to the deny logon locally user right to the GPO's. Group
>> Policy
>> is applied in this order - local>site>domain>OU where the last applied policy is
>> the
>> effective policy if settings are defined at multiple levels. I would not worry
>> about
>> overriding local policy. It will be much easier to manage policy at domain/OU
>> level. --- Steve
>>
>>
>> "JeffJ" <JeffJ@discussions.microsoft.com> wrote in message
>> news:F4F41598-0B08-41D1-AA8F-2C116E1CD872@microsoft.com...
>> > I'm looking for a method to restrict what computers a set of users can log on
>> > to.
>> > The problems I see are this if I use Account "Log on to".. in Active
>> > Directory the maintenance will be quite extreme as I will have quite a few
>> > users in this group and the machines I do want them to sign on to are a
>> > load-balancing cluster via thin clients with a fairly dynamic number of
>> > machines in cluster, as we seem to be constantly adding new machines.
>> >
>> > If I use Deny Logon Locally in Group policy and then apply to entire domain
>> > stopping inheritance in OU that has machines to connect to, it overrides all
>> > local Deny Logon Locally in local policies, which seems to be a very bad idea.
>> >
>> > I think what is really needed is a Loop back for Computer portion not just
>> > User of Group Policy, or Merge instead of replace on Group Policy, or Log on
>> > to in User part of Group policy or something.
>> >
>> > I'm kind of guessing we will have to script with "Log on to", but want to
>> > know if there is a better answer.
>> >
>> > Thanks,
>> >
>> > JeffJ
>> >
>>
>>
>>
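Steve's point above is to add the group to the right that local policy already defines instead of replacing the whole assignment. The following is an added example and not code from the thread: a PowerShell computer startup script that performs that same additive merge with secedit.exe, which ships with Windows, in place of the Resource Kit ntrights tool. The group name MYDOMAIN\RestrictedUsers and the working directory under $env:TEMP are placeholders.

```powershell
# Added example (not from the thread): grant a domain group the
# "Deny log on locally" right on this computer while keeping every account
# that local policy already lists for that right.
# Assumptions: runs elevated (e.g. as a computer startup script);
# 'MYDOMAIN\RestrictedUsers' is a placeholder group name.

$GroupName = 'MYDOMAIN\RestrictedUsers'    # placeholder, adjust
$Right     = 'SeDenyInteractiveLogonRight' # case sensitive, as the thread notes

# secedit templates list principals as *SID, so resolve the group first.
$sid = (New-Object System.Security.Principal.NTAccount($GroupName)).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value

$work   = Join-Path $env:TEMP 'userrights'
New-Item -ItemType Directory -Path $work -Force | Out-Null
$export = Join-Path $work 'current.inf'
$apply  = Join-Path $work 'apply.inf'
$db     = Join-Path $work 'apply.sdb'

# 1. Export the user rights that are currently in effect on this machine.
secedit.exe /export /cfg $export /areas USER_RIGHTS | Out-Null
$lines = Get-Content -Path $export -Encoding Unicode

# 2. Pick out the existing assignment for the right (absent if nobody holds it).
$existing = @()
foreach ($line in $lines) {
    if ($line -match "^\s*$Right\s*=\s*(.*)$") {
        $existing = $Matches[1].Split(',') |
                    ForEach-Object { $_.Trim() } |
                    Where-Object { $_ }
    }
}
if ($existing -contains "*$sid") {
    Write-Output "$GroupName already holds $Right; nothing to do."
    return
}
$merged = ($existing + "*$sid") -join ','

# 3. Write a template containing only the merged right and apply it.
#    Rights not named in the template are left untouched by secedit.
@"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO`$"
Revision=1
[Privilege Rights]
$Right = $merged
"@ | Set-Content -Path $apply -Encoding Unicode

secedit.exe /configure /db $db /cfg $apply /areas USER_RIGHTS | Out-Null
Write-Output "Applied $Right = $merged"
```

Two things to keep in mind when using this. If a domain or OU GPO defines the same right, the GPO value replaces this merged list on the next policy refresh, so the script only helps on machines where no GPO defines the right, which is exactly the situation the thread is trying to preserve. And for thin clients that reach the cluster through Terminal Services, the right that governs those sessions is SeDenyRemoteInteractiveLogonRight ("Deny log on through Terminal Services"), not the interactive one, so the same merge would be run for that right as well.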

Ended up writing a VBS script. Thanks for your help.

' VBScript source code
' Sets the "Log On To" (userWorkstations) attribute of every user in one OU
' to the NetBIOS names of every computer in another OU.
Option Explicit
Dim computers, users, objConnection, objCommand, objRecordSet
Dim list, first, MyUser

computers = "OU=Testing2,DC=test,DC=com"
users = "OU=Testing,DC=test,DC=com"

Const ADS_SCOPE_SUBTREE = 2
Set objConnection = CreateObject("ADODB.Connection")
Set objCommand = CreateObject("ADODB.Command")
objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Provider"
Set objCommand.ActiveConnection = objConnection
' The query must stay on one line: a line break inside the string literal is a syntax error.
objCommand.CommandText = "Select Name from 'LDAP://" & computers & "' where objectClass='computer'"
objCommand.Properties("Page Size") = 1000
objCommand.Properties("Timeout") = 30
objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE
objCommand.Properties("Cache Results") = False
Set objRecordSet = objCommand.Execute
If objRecordSet.EOF Then
    ' An empty userWorkstations value would remove the restriction, so stop here.
    WScript.Echo "No computers found under " & computers & "; nothing written."
    WScript.Quit 1
End If

' Build a comma-separated list of NetBIOS names (what userWorkstations expects).
' Note: the attribute holds at most 1024 characters.
list = ""
first = True
objRecordSet.MoveFirst
Do Until objRecordSet.EOF
    'WScript.Echo "Computer Name: " & objRecordSet.Fields("Name").Value
    If first Then
        first = False
    Else
        list = list & ","   ' separator only between names, never before the first
    End If
    list = list & objRecordSet.Fields("Name").Value
    objRecordSet.MoveNext
Loop

' objectCategory='person' excludes computer objects, which also carry objectClass=user.
objCommand.CommandText = "Select ADsPath from 'LDAP://" & users & "' where objectCategory='person' AND objectClass='user'"
Set objRecordSet = objCommand.Execute
Do Until objRecordSet.EOF
    'WScript.Echo "User: " & objRecordSet.Fields("ADsPath").Value
    Set MyUser = GetObject(objRecordSet.Fields("ADsPath").Value)
    MyUser.Put "userWorkstations", list
    MyUser.SetInfo
    objRecordSet.MoveNext
Loop


"Steven L Umbach" wrote:

> If you don't want to overwrite local policy for user rights look into using the
> Resource Kit tool ntrights for " SeDenyInteractiveLogonRight " for your group which
> you could try as a startup script for computers in an OU to add to the existing
> defined settings in local policy. The link below explains ntrights more and keep in
> mind that the right you specify is case sensitive. --- Steve
>
> [ ntrights +r SeDenyInteractiveLogonRight -u "mydomain\mygroup" ] would be worth a
> try.
>
> http://support.microsoft.com/default.aspx?scid=kb;en-us;279664
>
> "JeffJ" <JeffJ@discussions.microsoft.com> wrote in message
> news:0B121246-5479-4C63-B62C-11BBC2B33DD9@microsoft.com...
> > Thanks for your reply, but I don't think overriding all local policies for
> > Deny Logon Local seems to be a very good idea. XP machines all have local
> > guest, support, and ASPNET accounts disabled by default. Other software
> > may be adding to this also. With over 1500 computers I don't feel like
> > checking them all :-( If local policies were not already being used this
> > would seem the logical method as I stated at first in paragraph 3, but with
> > Microsoft now adding so much stuff to this right out of box I'm very
> > apprehensive to override it. Before XP and .NET there didn't used to be
> > anything in here from local policy but now Microsoft is using it. Giving
> > ASPNET access again would be a violation of what Microsoft is trying to do in
> > this case.
> >
> > I'm still leaning towards adsi script to add all computers in one OU to all
> > user in another OU "Log on To" workstations.
> >
> > Anyone have this script or a better method, or a convincing argument for
> > group policy method both Steven and I have thought of?
> >
> > "Steven L Umbach" wrote:
> >
> >> User rights are strictly computer policy. If you want to restrict users to logon
> >> to
> >> certain group of computers, put those computers in an OU, create a GPO for that OU
> >> and add the global group for those users to the logon locally user right [ along
> >> with
> >> administrators and other allowed users] . Then at the domain level and or other
> >> OU's
> >> add that global group to the deny logon locally user right to the GPO's. Group
> >> Policy
> >> is applied in this order - local>site>domain>OU where the last applied policy is
> >> the
> >> effective policy if settings are defined at multiple levels. I would not worry
> >> about
> >> overriding local policy. It will be much easier to manage policy at domain/OU
> >> level. --- Steve
> >>
> >>
> >> "JeffJ" <JeffJ@discussions.microsoft.com> wrote in message
> >> news:F4F41598-0B08-41D1-AA8F-2C116E1CD872@microsoft.com...
> >> > I'm looking for a method to restrict what computers a set of users can log on
> >> > to.
> >> > The problems I see are this if I use Account "Log on to".. in Active
> >> > Directory the maintenance will be quite extreme as I will have quite a few
> >> > users in this group and the machines I do want them to sign on to are a
> >> > load-balancing cluster via thin clients with a fairly dynamic number of
> >> > machines in cluster, as we seem to be constantly adding new machines.
> >> >
> >> > If I use Deny Logon Locally in Group policy and then apply to entire domain
> >> > stopping inheritance in OU that has machines to connect to, it overrides all
> >> > local Deny Logon Locally in local policies, which seems to be a very bad idea.
> >> >
> >> > I think what is really needed is a Loop back for Computer portion not just
> >> > User of Group Policy, or Merge instead of replace on Group Policy, or Log on
> >> > to in User part of Group policy or something.
> >> >
> >> > I'm kind of guessing we will have to script with "Log on to", but want to
> >> > know if there is a better answer.
> >> >
> >> > Thanks,
> >> >
> >> > JeffJ
> >> >
> >>
> >>
> >>
>
>
>
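The VBScript above writes the Log On To list directly through ADSI. As an added example, not the poster's script, here is the same job in PowerShell with the ActiveDirectory module, with two checks the VBScript does not make explicit: it refuses to write an empty list (an empty userWorkstations removes the restriction entirely) and it checks the list against the attribute's 1024-character limit before touching any user. The OU paths are the thread's test values and stand in for real ones.

```powershell
# Added example (not the thread's script): set "Log On To" for every user in
# one OU to the computers in another OU, using the ActiveDirectory module.
# Assumptions: RSAT ActiveDirectory module installed; the OU paths below are
# the thread's test values and are placeholders.

Import-Module ActiveDirectory

$ComputerOU = 'OU=Testing2,DC=test,DC=com'
$UserOU     = 'OU=Testing,DC=test,DC=com'

# userWorkstations expects NetBIOS computer names, not FQDNs.
$names = Get-ADComputer -Filter * -SearchBase $ComputerOU -SearchScope Subtree |
         Select-Object -ExpandProperty Name | Sort-Object

# Guard 1: an empty value clears the restriction instead of tightening it.
if (-not $names) {
    throw "No computers found under $ComputerOU; refusing to write an empty Log On To list."
}

$list = $names -join ','

# Guard 2: the attribute is limited to 1024 characters. Fail loudly rather
# than write a truncated list that would lock users out of some machines.
if ($list.Length -gt 1024) {
    throw ("Log On To list would be {0} characters, over the 1024-character limit; " +
           "split the cluster or use the user-rights approach instead.") -f $list.Length
}

# Get-ADUser returns user accounts only, so computer objects are not touched.
$users = Get-ADUser -Filter * -SearchBase $UserOU -SearchScope Subtree

foreach ($u in $users) {
    # This replaces any per-user Log On To value the account already had.
    Set-ADUser -Identity $u -LogonWorkstations $list
}

Write-Output ("Set Log On To = [{0}] on {1} user(s)" -f $list, @($users).Count)
```

Append -WhatIf to the Set-ADUser line for a dry run that lists the accounts that would change. Note what this control actually enforces: the domain controller compares the workstation name presented in the logon request against the list, so Log On To is best treated as an administrative convenience rather than a hard boundary, while the user-rights approach Steve describes is enforced by each machine itself. The two can be combined, with Log On To keeping the cluster list current and the deny right protecting everything outside it.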