Archived from groups: microsoft.public.win2000.security
Ended up writing a VBS script. Thanks for your help.
' VBScript source code
' Gives every user in the "users" OU a "Log on To" (userWorkstations) list built
' from every computer in the "computers" OU. Each run replaces the existing list.
Option Explicit
Dim computers, users, objConnection, objCommand, objRecordSet, list, first, MyUser
Const ADS_SCOPE_SUBTREE = 2

computers = "OU=Testing2,DC=test,DC=com"
users = "OU=Testing,DC=test,DC=com"

Set objConnection = CreateObject("ADODB.Connection")
Set objCommand = CreateObject("ADODB.Command")
objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Provider"
Set objCommand.ActiveConnection = objConnection

' Build the comma-separated list of computer names that userWorkstations expects.
objCommand.CommandText = "Select Name from 'LDAP://" & computers & "' where " & _
    "objectClass='computer'"
objCommand.Properties("Page Size") = 1000
objCommand.Properties("Timeout") = 30
objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE
objCommand.Properties("Cache Results") = False
Set objRecordSet = objCommand.Execute

list = ""
first = True
Do Until objRecordSet.EOF
    'Wscript.Echo "Computer Name: " & objRecordSet.Fields("Name").Value
    If first Then
        first = False
    Else
        list = list & ","   ' separator between names only, no leading comma
    End If
    list = list & objRecordSet.Fields("Name").Value
    objRecordSet.MoveNext
Loop
If list = "" Then
    Wscript.Echo "No computers found under " & computers
    Wscript.Quit 1
End If
' userWorkstations is a single string with a schema length limit, so SetInfo
' fails if the OU holds more computers than fit in it.

' Apply the list to every user in the users OU. objectCategory=person keeps
' computer objects out, since they are objectClass=user as well.
objCommand.CommandText = "Select ADsPath from 'LDAP://" & users & "' where " & _
    "objectCategory='person' AND objectClass='user'"
Set objRecordSet = objCommand.Execute
Do Until objRecordSet.EOF
    'Wscript.Echo "User: " & objRecordSet.Fields("ADsPath").Value
    Set MyUser = GetObject(objRecordSet.Fields("ADsPath").Value)
    MyUser.userWorkstations = list
    MyUser.SetInfo
    objRecordSet.MoveNext
Loop
"Steven L Umbach" wrote:
> If you don't want to overwrite local policy for user rights, look into using the
> Resource Kit tool ntrights for "SeDenyInteractiveLogonRight" for your group, which
> you could try as a startup script for computers in an OU to add to the existing
> defined settings in local policy. The link below explains ntrights more; keep in
> mind that the right you specify is case sensitive. --- Steve
>
> [ ntrights +r SeDenyInteractiveLogonRight -u "mydomain\mygroup" ] would be worth a
> try.
>
>
> http://support.microsoft.com/default.aspx?scid=kb;en-us;279664
>
> "JeffJ" <JeffJ@discussions.microsoft.com> wrote in message
> news:0B121246-5479-4C63-B62C-11BBC2B33DD9@microsoft.com...
> > Thanks for your reply, but I don't think overriding all local policies for
> > Deny Logon Local seems to be a very good idea. XP machines all have local
> > guest, support, and ASPNET accounts disabled by default. Other software
> > may be adding to this also. With over 1500 computers I don't feel like
> > checking them all :-( If local policies were not already being used this
> > would seem the logical method, as I stated at first in paragraph 3, but with
> > Microsoft now adding so much stuff to this right out of the box I'm very
> > apprehensive to override it. Before XP and .NET there didn't used to be
> > anything in here from local policy, but now Microsoft is using it. Giving
> > ASPNET access again would be a violation of what Microsoft is trying to do in
> > this case.
> >
> > I'm still leaning towards an ADSI script to add all computers in one OU to all
> > users in another OU's "Log on To" workstations.
> >
> > Anyone have this script or a better method, or a convincing argument for the
> > group policy method both Steven and I have thought of?
> >
> > "Steven L Umbach" wrote:
> >
> >> User rights are strictly computer policy. If you want to restrict users to logging on
> >> to certain groups of computers, put those computers in an OU, create a GPO for that OU
> >> and add the global group for those users to the logon locally user right [along with
> >> administrators and other allowed users]. Then at the domain level and/or other OUs
> >> add that global group to the deny logon locally user right in the GPOs. Group Policy
> >> is applied in this order - local>site>domain>OU, where the last applied policy is
> >> the effective policy if settings are defined at multiple levels. I would not worry
> >> about overriding local policy. It will be much easier to manage policy at domain/OU
> >> level. --- Steve
> >>
> >>
> >> "JeffJ" <JeffJ@discussions.microsoft.com> wrote in message
> >> news:F4F41598-0B08-41D1-AA8F-2C116E1CD872@microsoft.com...
> >> > I'm looking for a method to restrict what computers a set of users can log on to.
> >> > The problem I see is this: if I use Account "Log on to".. in Active
> >> > Directory the maintenance will be quite extreme, as I will have quite a few
> >> > users in this group and the machines I do want them to sign on to are a
> >> > load-balancing cluster via thin clients with a fairly dynamic number of
> >> > machines in the cluster, as we seem to be constantly adding new machines.
> >> >
> >> > If I use Deny Logon Locally in Group policy and then apply to entire domain
> >> > stopping inheritance in OU that has machines to connect to, it overrides all
> >> > local Deny Logon Locally in local policies, which seems to be a very bad idea.
> >> >
> >> > I think what is really needed is a loopback for the Computer portion, not just
> >> > the User portion, of Group Policy, or Merge instead of Replace on Group Policy, or
> >> > "Log on to" in the User part of Group Policy, or something.
> >> >
> >> > I'm kind of guessing we will have to script with "Log on to", but want to
> >> > know if there is a better answer.
> >> >
> >> > Thanks,
> >> >
> >> > JeffJ
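The "Log on To" approach from the thread, done with the ActiveDirectory module instead of ADSI/ADO. This is an added example, not the original poster's script; it assumes the RSAT ActiveDirectory module is installed and reuses the thread's placeholder OU distinguished names. The userWorkstations attribute is one comma-separated string that the default schema caps at 1024 characters, and the ADUC "Log on To" dialog stops at 64 entries, so the function checks both limits up front (they are parameters in case your environment differs) rather than failing part-way through the user set.

```powershell
# Added example for this thread, not the original poster's script.
# Needs the RSAT ActiveDirectory module and rights to modify the users.
# The OU distinguished names used below are the placeholders from the thread.
Import-Module ActiveDirectory

function Set-LogonWorkstationsFromOU {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$ComputerOU,
        [Parameter(Mandatory)][string]$UserOU,
        # userWorkstations is a single comma-separated string. The default schema caps
        # it at 1024 characters and the ADUC "Log on To" dialog stops at 64 entries, so
        # the limits are checked here instead of failing half-way through Set-ADUser.
        [int]$MaxLength  = 1024,
        [int]$MaxEntries = 64
    )

    # NetBIOS names (the Name attribute), which is what the logon check compares.
    $names = @(Get-ADComputer -SearchBase $ComputerOU -SearchScope Subtree -Filter * |
        Select-Object -ExpandProperty Name | Sort-Object -Unique)
    if ($names.Count -eq 0) { throw "No computer objects found under $ComputerOU" }

    $list = $names -join ','
    if ($names.Count -gt $MaxEntries -or $list.Length -gt $MaxLength) {
        $msg = "{0} computers / {1} characters exceed the userWorkstations limits ({2} entries, {3} characters)."
        throw ($msg -f $names.Count, $list.Length, $MaxEntries, $MaxLength)
    }

    # objectCategory=person excludes computer objects, which are objectClass=user too.
    $users = Get-ADUser -SearchBase $UserOU -SearchScope Subtree `
        -LDAPFilter '(&(objectCategory=person)(objectClass=user))' `
        -Properties LogonWorkstations

    foreach ($u in $users) {
        # Skip users already at the target value so a scheduled rerun writes nothing.
        if ($u.LogonWorkstations -eq $list) { continue }
        if ($PSCmdlet.ShouldProcess($u.SamAccountName, "set LogonWorkstations to $list")) {
            Set-ADUser -Identity $u -LogonWorkstations $list
        }
    }
    return $list
}

# Dry run with -WhatIf first, then apply:
# Set-LogonWorkstationsFromOU -ComputerOU 'OU=Testing2,DC=test,DC=com' `
#     -UserOU 'OU=Testing,DC=test,DC=com' -WhatIf
```

Because the function only writes to users whose current value differs, it can run from a scheduled task as the cluster grows; the poster's concern about a changing machine count is handled by rerunning it rather than editing each user by hand.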
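Steve's alternative, adding the group to SeDenyInteractiveLogonRight on each machine from a startup script so that the existing local assignments (guest, support, ASPNET) are kept, can also be done without the Resource Kit by editing the machine's own secedit export. This is an added example, not code from the thread or from ntrights; the group name is the thread's placeholder. It assumes no GPO defines that right, since a GPO-defined user right replaces the local list at the next policy refresh, which is exactly the overwrite the thread wants to avoid.

```powershell
# Added example for this thread, not code from the thread. Meant as a computer
# startup script (runs as SYSTEM, which secedit needs). The group name is the
# thread's placeholder. Assumes no GPO defines the right, because a GPO value
# replaces the local assignment list at the next policy refresh.
function Add-LocalDenyInteractiveLogon {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Account)   # e.g. 'mydomain\mygroup'

    $right = 'SeDenyInteractiveLogonRight'   # case-sensitive in the .inf, as with ntrights
    # secedit writes principals as *SID; a SID also survives a group rename.
    $sid   = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
                 [System.Security.Principal.SecurityIdentifier]).Value
    $entry = "*$sid"

    $inf = Join-Path $env:TEMP 'deny-logon.inf'
    $db  = Join-Path $env:TEMP 'deny-logon.sdb'

    # Export only the user-rights area of the current local policy.
    & secedit.exe /export /cfg $inf /areas USER_RIGHTS /quiet | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "secedit /export failed with $LASTEXITCODE" }

    $lines   = @(Get-Content -Path $inf)
    $pattern = "^\s*$right\s*=\s*(.*)$"
    $current = $lines | Where-Object { $_ -match $pattern } | Select-Object -First 1

    if ($current) {
        $null = $current -match $pattern
        $existing = @($Matches[1] -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
        if ($existing -contains $entry -or $existing -contains $Account) {
            Write-Verbose "$Account already holds $right on $env:COMPUTERNAME"
            Remove-Item $inf -ErrorAction SilentlyContinue
            return $false
        }
        # Keep whatever is already there (local guest, support, ASPNET, ...) and append.
        $newLine = "$right = " + (($existing + $entry) -join ',')
        $lines   = @($lines | ForEach-Object { if ($_ -match $pattern) { $newLine } else { $_ } })
    } else {
        # The export omits rights nobody holds, so add the line under its section.
        $hdr = [array]::IndexOf($lines, '[Privilege Rights]')
        if ($hdr -lt 0) { throw 'export has no [Privilege Rights] section' }
        $tail = if ($hdr + 1 -le $lines.Count - 1) { $lines[($hdr + 1)..($lines.Count - 1)] } else { @() }
        $lines = @($lines[0..$hdr]) + "$right = $entry" + $tail
    }

    if (-not $PSCmdlet.ShouldProcess($env:COMPUTERNAME, "add $Account to $right")) { return $false }
    Set-Content -Path $inf -Value $lines -Encoding Unicode
    # Re-import the same area: every other right is re-applied with its own exported value.
    & secedit.exe /configure /db $db /cfg $inf /areas USER_RIGHTS /quiet | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "secedit /configure failed with $LASTEXITCODE" }
    Remove-Item $inf, $db -ErrorAction SilentlyContinue
    return $true
}

# Add-LocalDenyInteractiveLogon -Account 'mydomain\mygroup' -Verbose
```

The script is idempotent, so it is safe to leave it as a startup script on the OU of machines that should refuse the group: on every boot it either finds the SID already in the list and returns without touching policy, or appends it once. Because the file fed back to secedit /configure is the machine's own export with one line changed, the other user rights are re-applied with the values they already had, which is the merge behaviour the thread says Group Policy lacks.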