Question about Computers and OUs

Guest

We have several OUs set up here at work. I was wondering what is the correct/best way to prevent a user in the Accounting OU from logging in on a computer in the Finance OU? I have been putting the correct computers in the correct OUs and thought that this might prevent users from other OUs from logging in on them. I also tried setting permissions on each individual computer object but this does not seem to help. Is this what Group Policies are for?

Sorry for the dumb questions, I've been reading as much as I can but I have a short deadline.

Thanks.
 
Matjaz Ladava [MVP]

OU structure won't prevent your users from logging on to computers in a different OU.
OUs are only for organizational purposes. What you could do is create a
group policy on your Accounting OU that holds computers from the Accounting
department, and define the Allow logon locally right only for the group of users that
should have access to those computers.

--

Regards

Matjaz Ladava, MCSA, MCSE, MCT, MVP
Microsoft MVP Windows Server - Active Directory
(e-mail address removed), (e-mail address removed)
 
Herb Martin

Mike P said:
> We have several OUs set up here at work. I was wondering what is the
> correct/best way to prevent a user in the Accounting OU from logging in on a
> computer in the Finance OU?

There really is no direct way, as OUs are not designed
as "security boundaries" nor as "security principals" and
by default all "users" can logon at all workstations (not
servers.)

This is not really an intended use for OUs but that doesn't
mean your desire to do it is unreasonable.

> I have been putting the correct computers in the correct
> OUs and thought that this might prevent users from other
> OUs from logging in on them.

In fact, there is no necessary reason for users and "their"
computers to even be in the same OU, nor for that matter
do they even need to be in the same DOMAIN.

> I also tried setting permissions on each individual computer
> object but this does not seem to help.

No, that only limits who/what can be done to the AD "objects",
not to the respective computers.

> Is this what Group Policies are for?


Not really but maybe we can "rig" it. Before you do this,
please think through carefully if this is REALLY what you
are trying to accomplish and not just a method that you
expect might reach a more fundamental goal....

You could write a LOGON script, that checked the User
and the Machine against the OU, and the user's groups
against certain "exceptions" (Admins, Backup, Printer, Server
etc operators) and then just LOG them off.

Technically it won't prevent logon, but it reaches the correct
effect.

I don't like it -- it's ugly, and it offends my sense of design
for what I suspect would turn out to be practical reasons
once it underwent tests but on the surface it seems like it
would work to do what you request.

The programmer that gins this together for you will need to
be pretty good at mental simulation and testing or you will end
up with some nasty surprises, e.g., does a user have to be "in"
the OU, or is a "child" good enough? Or as I hinted above,
who can violate the OU rule? Just admins? What if you
left this out and couldn't logon?

(There are ways around it but it might get ugly.)
 
Herb Martin

Matjaz Ladava said:
> OU structure won't prevent your users from logging on to computers in a different OU.
> OUs are only for organizational purposes. What you could do is create a
> group policy on your Accounting OU that holds computers from the Accounting
> department, and define the Allow logon locally right only for the group of users that
> should have access to those computers.

You slipped a "group" in there -- Groups are much more
straightforward to use for this purpose as they are security
principals, and can be granted rights directly.

There is no (built-in) mechanism for keeping the users within
an OU in a specific Group automatically. You can of course
do that manually, but if you move a user in or out, that
relationship must be maintained either manually or through
a script.

I am not saying you cannot do it with your approach, but notice
that it isn't directly through the OU, but relies on groups etc.
 
Matjaz Ladava [MVP]

As I understood, he wants to prevent users from the Accounting OU from logging in to
computers in the Finance OU. All he needs to do is create a GPO on the OU with
Finance computers that has the Deny Logon locally right. With this, users in the
Accounting OU won't be able to log on to Finance computers.
Or did I miss the point ;-) ?

 
Matjaz Ladava [MVP]

It is a common thing ;-). If you need help with setting up GPOs just let me
know.

 
Herb Martin

Matjaz Ladava said:
> As I understood, he wants to prevent users from the Accounting OU from logging in to
> computers in the Finance OU. All he needs to do is create a GPO on the OU with
> Finance computers that has the Deny Logon locally right. With this, users in the
> Accounting OU won't be able to log on to Finance computers.
> Or did I miss the point ;-) ?

Or I am missing your actual method.

Ok, so we link the GPO to the Finance (computer) OU, right?
How do we get it to apply to ONLY the "Accounting OU users"?

The only way I see is by creating a parallel Group, not by using
the Accounting OU directly. Then use permissions -- apply policy --
to only affect that Group. This still has to give us a way to "Deny Logon",
so is this "User settings" (not computer) in the Policy?

Where does it get set (specifically)? It's got to be in the User settings or
the permission idea won't work, right?
 
Matjaz Ladava [MVP]

You set this policy on computer objects residing in the Accounting OU (Computer
Settings/Windows Settings/Security Settings/Local Policies/User Rights
Assignment/Allow Logon locally). As I believe, I was always talking about
policy applying to computer objects, not user objects, in the Accounting/Finance
OU.

 
Matjaz Ladava [MVP]

Yes. Beneath the Accounting OU create an OU called Computers and define the policy there. The
policy itself resides in
Computer Configuration/Windows Settings/Security Settings/Local
Policies/User Rights Assignment/Allow Logon Locally and Deny Logon locally
(if you wish to be inclusive).

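The two pieces the thread arrives at, a security group kept in step with the Accounting OU by script (Herb's point that no built-in mechanism does this) and a GPO linked to the Finance computer OU (Matjaz's answer), as an added PowerShell example that is not from any poster. It assumes the RSAT ActiveDirectory and GroupPolicy modules and placeholder OU, group and GPO names.

```powershell
# Added example, not from the thread. Placeholder names: adjust for your domain.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$AccountingUsersOU  = 'OU=Accounting,DC=example,DC=com'            # assumption
$FinanceComputersOU = 'OU=Computers,OU=Finance,DC=example,DC=com'  # assumption
$GroupName          = 'Accounting-Users'                           # assumption
$GpoName            = 'Finance Workstations - Deny Accounting Logon' # assumption

# 1. A group is a security principal and can be named in a user right; an OU cannot.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security `
                -Path $AccountingUsersOU
}

# 2. Reconcile membership with the OU (run on a schedule): users moved into the
#    OU are added, users moved out are removed. Domain Admins are exempted so a
#    Deny right can never lock administrators out of the Finance machines.
$exempt  = (Get-ADGroupMember -Identity 'Domain Admins' -Recursive).DistinguishedName
$inOU    = Get-ADUser -SearchBase $AccountingUsersOU -SearchScope Subtree -Filter * |
           Select-Object -ExpandProperty DistinguishedName |
           Where-Object { $_ -notin $exempt }
$inGroup = Get-ADGroupMember -Identity $GroupName |
           Where-Object objectClass -eq 'user' |
           Select-Object -ExpandProperty DistinguishedName

$toAdd    = @($inOU    | Where-Object { $_ -notin $inGroup })
$toRemove = @($inGroup | Where-Object { $_ -notin $inOU })
if ($toAdd)    { Add-ADGroupMember    -Identity $GroupName -Members $toAdd }
if ($toRemove) { Remove-ADGroupMember -Identity $GroupName -Members $toRemove -Confirm:$false }
Write-Host "Added $($toAdd.Count), removed $($toRemove.Count) from $GroupName"

# 3. Create the GPO once and link it to the OU holding the Finance computers,
#    so the user right is applied by the machines, not by the user objects.
if (-not (Get-GPO -All | Where-Object DisplayName -eq $GpoName)) {
    New-GPO -Name $GpoName |
        New-GPLink -Target $FinanceComputersOU -LinkEnabled Yes | Out-Null
}
```

The Deny log on locally right itself is then set inside that GPO at the path Matjaz gives, naming the Accounting-Users group (the GroupPolicy module has no cmdlet for User Rights Assignment). Deny takes precedence over Allow, which is why administrators are kept out of the group above.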
 
Matjaz Ladava [MVP]

Sure Mike, no problem. Policies need some time to apply. On clients policies
are applied every 90 min by default.
