workstation access by group

G

Guest

I have a very simple question but i cant seem to figure it out.

I want to use group policy to apply to a group of users so they can only
login to a group of computers.

I have a small group of computers that i only want one group of users to be
able to login and keep other domain users off the machines.

aka accounting users...to be able to login to accounting machines only
Nobody else should be able to login
Accounting users shouldnt be able to login to other machines as well.

WHat is the best way to do this? I cant seem to find a solution and it seems
like an easy thing to do.
 
F

Florian Frommherz [MVP]

Howdie!
I have a very simple question but i cant seem to figure it out.

I want to use group policy to apply to a group of users so they can only
login to a group of computers.

I have a small group of computers that i only want one group of users to be
able to login and keep other domain users off the machines.

aka accounting users...to be able to login to accounting machines only
Nobody else should be able to login
Accounting users shouldnt be able to login to other machines as well.
Click to expand...

Two steps here: Group those machines that shall only allow logins from a
certain group into a OU and apply the following policy:

CompConf\Windows Settings\Security Settings\Local Policies\User Rights
Assignment - "Allow Log on locally".

This lists the users and group allowed to log on locally at the
machines. Add your group in there and wipe all other users out (but
leave your Admins group in there in order to not lock yourself out).

Second: get your accounting users and modify their "Log on to" attribute
through Active Directory Users and Computers Properties.

cheers,

Florian
 
G

Guest

Thank you Florian!

I knew it was simple.

will i have to go in and change local policy on each machine to remove the
existing accounts?
I assume group policy will override anything in local policy and not "merge"
with local policy correct?

Right now my GPO limits log on locally to administrators / domain admins and
the accounting group. Will this over ride the local policy on each machine
limiting the logins to just these 3 specific user objects or will it merge
with the default local policy for log on locally?
 
F

Florian Frommherz [MVP]

Howdie!
Right now my GPO limits log on locally to administrators / domain admins and
the accounting group. Will this over ride the local policy on each machine
limiting the logins to just these 3 specific user objects or will it merge
with the default local policy for log on locally?
Click to expand...

It (the AD-policy) will definately overwrite the local policy. It the
principle that you, as the Active Directory Group Policy Administrator
should have more "power" than local administrators and therefore
"replace" settings made locally.

cheers,

Florian
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

Group Policy executes prior User login script execute 4
Access User Login form in Access with Ristriction 0
limit domain user login to specific group on 2 xp machines 2
Limit domain login to Administrator Group 1
URGENT! Denied Logins, need to reset over Slow Link 1
locking users out of all domain workstations 1
group policy "User Settings" ignored 4
Force default printer through group policy 6

Top