Mike P said:
We have several OUs set up here at work. I was wondering what is the
correct/best way to prevent a user in the Accounting OU from logging in on a
computer in the Finance OU?
There really is no direct way, as OUs are not designed
as "security boundaries" nor as "security principals", and
by default all "users" can log on at all workstations (not
servers).
This is not really an intended use for OUs, but that doesn't
mean your desire to do it is unreasonable.
I have been putting the correct computers in the correct
OUs and thought that this might prevent users from other
OUs from logging in on them.
In fact, there is no necessary reason for users and "their"
computers to even be in the same OU, nor, for that matter,
do they even need to be in the same DOMAIN.
I also tried setting permissions on each individual computer
object but this does not seem to help.
No, that only limits who can do what to the AD "objects",
not to the respective computers.
Is this what Group Policies are for?
Not really, but maybe we can "rig" it. Before you do this,
please think through carefully whether this is REALLY what you
are trying to accomplish and not just a method that you
expect might reach a more fundamental goal....
You could write a LOGON script that checked the user
and the machine against the OU, and the user's groups
against certain "exceptions" (Admins, Backup, Printer, Server,
etc. operators), and then just LOG them off.
Technically it won't prevent logon, but it reaches the correct
effect.
I don't like it -- it's ugly, and it offends my sense of design,
for what I suspect would turn out to be practical reasons
once it underwent tests; but on the surface it seems like it
would work to do what you request.
The programmer who gins this together for you will need to
be pretty good at mental simulation and testing, or you will end
up with some nasty surprises, e.g., does a user have to be "in"
the OU, or is a "child" good enough? Or, as I hinted above,
who can violate the OU rule? Just admins? What if you
left this out and couldn't log on?
(There are ways around it but it might get ugly.)
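The logon-script "rig" the reply sketches, written out as an added example; this is not code from the original thread. It assumes a layout where each department has a top-level OU (for example OU=Accounting,DC=example,DC=com) holding both its users and, possibly in child OUs, its computers, and that the script runs as the logging-on user. The exception group names are hypothetical and stand in for the "Admins, Backup, Printer, Server etc. operators" the reply mentions. It answers the two traps the reply raises: a child OU counts as belonging to its department OU, and members of the exception groups (nested membership included) are never logged off. It also fails open whenever it cannot resolve the user or computer in AD or either object sits outside any OU, so a mistake in the script cannot lock everyone out.

```powershell
# Added example, not from the original post: a logon script that compares the
# user's department OU with the computer's department OU and logs the user off
# on a mismatch. Assumed layout: OU=<Dept>,DC=example,DC=com contains the
# department's users and (possibly in child OUs) its computers.

# Hypothetical exception groups; members are never logged off by this script.
$ExemptGroups = @('Domain Admins', 'Backup Operators', 'Server Operators',
                  'Print Operators', 'Workstation Exceptions')

function Get-DepartmentOU {
    # Walks a distinguishedName up to the OU directly under the domain root,
    # so "CN=alice,OU=Staff,OU=Accounting,DC=example,DC=com" -> "OU=Accounting".
    # This is what makes a "child" OU good enough. Returns $null when the
    # object is not under any OU (e.g. the default Users/Computers containers).
    param([string]$DistinguishedName)
    $parts = $DistinguishedName -split '(?<!\\),'          # split on unescaped commas
    $ous   = @($parts | Where-Object { $_ -like 'OU=*' })
    if ($ous.Count -eq 0) { return $null }
    return $ous[-1]                                        # top-most OU component
}

function Get-ObjectDN {
    # Looks up an object's distinguishedName by sAMAccountName using the
    # current domain (no RSAT module required). Computers use "NAME$".
    param([string]$SamAccountName)
    $searcher = [ADSISearcher]"(sAMAccountName=$SamAccountName)"
    [void]$searcher.PropertiesToLoad.Add('distinguishedName')
    $result = $searcher.FindOne()
    if ($null -eq $result) { return $null }
    return [string]$result.Properties['distinguishedname'][0]
}

function Test-ExemptUser {
    # True if the logged-on user's token carries any exception group; the token
    # already contains nested group membership, so no recursive AD walk needed.
    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    foreach ($sid in $identity.Groups) {
        try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { continue }                                 # unresolvable SID, ignore
        $short = $name.Split('\')[-1]
        if ($ExemptGroups -contains $short) { return $true }
    }
    return $false
}

function Test-LogonAllowed {
    # Policy decision: same department OU, or either side outside any OU
    # (fail open rather than lock people out during a migration).
    param([string]$UserDN, [string]$ComputerDN)
    $userOU     = Get-DepartmentOU $UserDN
    $computerOU = Get-DepartmentOU $ComputerDN
    if (-not $userOU -or -not $computerOU) { return $true }
    return ($userOU -ieq $computerOU)
}

# --- main: runs as the user at logon ---------------------------------------
$userDN     = Get-ObjectDN $env:USERNAME
$computerDN = Get-ObjectDN ($env:COMPUTERNAME + '$')

if ($null -eq $userDN -or $null -eq $computerDN) { exit 0 }   # AD lookup failed: fail open
if (Test-ExemptUser)                              { exit 0 }   # admins/operators may log on anywhere
if (Test-LogonAllowed $userDN $computerDN)        { exit 0 }   # same department, all good

# Mismatch: as the reply says, this cannot prevent the logon, only end the session.
Write-Warning "User '$userDN' is not permitted on computer '$computerDN'; logging off."
Start-Sleep -Seconds 5                                         # give the user a moment to read it
shutdown.exe /l /f
```

Deploy it as a user logon script through Group Policy and test it first with a copy whose last line is commented out, checking the warning text in a test OU before letting it log anyone off. The fail-open branches are deliberate: the reply's "what if you left this out and couldn't log on?" is exactly what happens if a script like this treats a lookup failure or a missing OU as a violation.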