Blocking a group of users from logging onto a wkstn.

Guest

I have 650 workstations, all running Win XP Pro in a 2000 server environment.
I have a group of students I want to block from logging onto certain machines in the network.
Can this be done? I have looked through GPOs and tried a few things on the local workstations but I can't seem to get this to work.... any suggestions?
 
Cary Shultz [A.D. MVP]

Glenn,

Off of the top of my head I am thinking that you might want to limit the
computers on which this group of students can logon. There is a tab in each
user account object's properties ( logon to... ) where you can enter, by
default, eight computer accounts ( IIRC ). These students would then be
limited to logging on to these specific systems.

Does this work for you? If not let me know and I will *think* of another
approach.

Just to make sure - they are logging onto the domain, not the local
computers, correct? And you do not want to limit all 650 of your students,
just this one group of xxx number of students.

What exactly are you trying to accomplish ( smells like denying this group
of students from logging on to these specific computers might not be the
root of the issue..... )?

HTH,

Cary


 
Herb Martin

Off of the top of my head I am thinking that you might want to limit the
computers on which this group of students can logon. There is a tab in each
user account object's properties ( logon to... ) where you can enter, by
default, eight computer accounts ( IIRC ). These students would then be
limited to logging on to these specific systems.

This works but is extremely tedious and even ugly. (BTW, I
thought it was up to 10 but who cares.)

My method would be to remove "domain users" from the Users
group of these machines and create another Group "ApprovedUsers"
or "NonStudents" to put back into there.

This should only allow those from the correct group(s) to logon.
 
Cary Shultz [A.D. MVP]

Herb,

You just led me to the thought that I should have initially had.

You are correct - the method that I suggested is very tedious and very ugly.
I was just sorta thinking out loud.

Anyway, you could use Restricted Groups via GPO or you could manually do it
as you suggested...

Looks like I need to eat something so that my brainpower goes up!

Cary
 
Herb Martin

Anyway, you could use Restricted Groups via GPO or you could manually do it
as you suggested...

I like this idea -- I even teach it but no one has yet been able to
give precise instructions on how it would be accomplished
(especially with the GUI.)

Has anyone ever tried to actually USE "restricted groups" from
the domain GPO to specify the membership of a MACHINE
local group?

I tried and I cannot figure out how to do it. The problem is
that the "machine local" groups don't show up on the domain
controller GPO editor when you try to specify the group.

(BTW, I teach about restricted groups too -- I just never
promise they will work from domain to local machine groups.)

Oh, another thing: I am NOT arguing with YOU (Cary), it just
seemed like a good place to get some of you smart people to
figure out a way if I missed it.....<grin>
 
Guest

Sorry I guess I should have been more detailed...
I have 650 wkstns, 2500 users, these are all in a domain broken down by each school (12). I want to block all students from logging onto a few specific machines (admin computers). The student GPO is globally the same for all sites so this would affect all the sites if modified, the same with the teacher GPO. So I was wondering if in Active Directory Users and Computers I can eliminate, say, the Authenticated Users from specific machines in the security tab and just add the teacher group? Or if you can think of any way to accomplish this. I know the brain food I have been eating has not helped me lately except my girth..

Glen
 
Herb Martin

Glenn C said:
Sorry I guess I should have been more detailed...
I have 650 wkstns, 2500 users, these are all in a domain broken down by
each school (12). I want to block all students from logging onto a few
specific machines (admin) computers. The student GPO is globally the same
for all sites so this would affect all the sites if modified, the same with
the teacher GPO.

You can make additional GPOs if we can find an easy way
for you to accomplish the goal.
So I was wondering if in Active Directory Users and Computers I can
eliminate, say, the Authenticated Users from specific machines in the
security tab and just add the teacher group?

No, "Authenticated Users" is an AUTOMATIC group like
Everyone, but essentially this idea is what Cary and I were
discussing for you but using Users membership on the
workstations and a group, either new or existing, to
grant the right ONLY to them by adding them to "Users"
and removing the default "Domain Users" from it.
Or if you can think of any way to accomplish this. I know the brain food I
have been eating has not helped me lately except my girth...

We can accomplish it -- by modifying the group memberships,
but it is tedious -- changing each machine so we are trying to
figure out a way to do it with GPOs using the Restricted
Group feature.
 
Cary Shultz [A.D. MVP]

Herb,

Do it all the time. There is a MSKB Article that shows you how to do this
for the 'local administrators' group but I do it for Power Users. The trick
is that you have to do the first three parts ( according to the MSKB
Article ) on the DC itself and then do the rest from a WIN2000 Pro system
that has the ADMINPAK installed. You have to use the WIN2000 Pro system as
the reference point. In fact, I just did it two days ago for Power
Users.....

Here is the link:

http://support.microsoft.com/?id=320065

Just remember that you are not restricted to the local Administrators
group...

Herb, no worries. I did not see any 'arguing' at all. We all have our
experiences and perspectives. I might do things one way while you might do
things another way. And Thank God for that! We share our ways and ideas
and maybe we come up with yet a better way! or some tiny improvements on
the way I or you do it! Totally agree about sharing ideas and experiences.
Lord only knows how much I miss!

HTH,

Cary
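
An added example, not part of the thread or of the KB article: a small Python check that reads the `[Group Membership]` section a Restricted Groups setting writes to the GPO's `GptTmpl.inf` and reports any broad principal left in the local Users group. It also flags INTERACTIVE and Authenticated Users, which sit in Users by default alongside Domain Users; the domain SID and the RID standing in for "ApprovedUsers" are constructed sample values.

```python
# Added example: audit Restricted Groups settings stored in a GPO's GptTmpl.inf.
USERS_SID = "S-1-5-32-545"  # well-known SID of the built-in local Users group
BROAD = {  # well-known principals that cover every user who logs on
    "S-1-1-0": "Everyone",
    "S-1-5-4": "INTERACTIVE",
    "S-1-5-11": "Authenticated Users",
}
# Constructed sample data: the domain SID and RID 1605 (standing in for a
# hypothetical "ApprovedUsers" group) are invented for this example.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
GOOD_INF = f"""[Version]
signature="$CHICAGO$"
[Group Membership]
*{USERS_SID}__Memberof =
*{USERS_SID}__Members = *{DOMAIN_SID}-1605
"""
BAD_INF = GOOD_INF.replace("-1605", f"-1605,*{DOMAIN_SID}-513,*S-1-5-11")

def parse_group_membership(inf_text):
    """Return {group: {"members": [...], "memberof": [...]}} from the INF text."""
    groups, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[group membership]"
        elif in_section and "=" in line:
            key, _, value = line.partition("=")
            group, sep, kind = key.strip().rpartition("__")
            if sep:
                entries = [v.strip().lstrip("*") for v in value.split(",") if v.strip()]
                groups.setdefault(group.lstrip("*"), {})[kind.lower()] = entries
    return groups

def audit_users_group(inf_text, domain_sid):
    """List findings for local Users; an empty list means it is locked down."""
    policy = parse_group_membership(inf_text).get(USERS_SID, {})
    if "members" not in policy:
        return ["no Members entry for Users: membership is not enforced"]
    findings = []
    for member in policy["members"]:
        if member in BROAD:
            findings.append(f"{BROAD[member]} is still a member of Users")
        elif member == f"{domain_sid}-513":  # 513 = Domain Users RID
            findings.append("Domain Users is still a member of Users")
    return findings

if __name__ == "__main__":
    for name, inf in (("good", GOOD_INF), ("bad", BAD_INF)):
        print(name, audit_users_group(inf, DOMAIN_SID))
```

On a real GPO the file is usually UTF-16 encoded, so decode it before passing the text in.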
 
Cary Shultz [A.D. MVP]

Guys,

Sorry that I was MIA last night. Had a lot of work to do after hours at one
of our main clients. My wife called me while I was there to let me know
that our Internet connection was not working and I just now fixed it.

Anyway, I might explore the Restricted Groups method. I posted the link in
my reply to Herb. Here it is again just in case...

http://support.microsoft.com/?id=320065

It might be a way to resolve this for you without having to go through my
first suggestion....Herb is right in that it can be very tedious and ugly, even
if you were to use ldifde to help you....

Cary
 
Herb Martin

Do it all the time. There is a MSKB Article that shows you how to do this
for the 'local administrators' group but I do it for Power Users. The trick
is that you have to do the first three parts ( according to the MSKB
Article ) on the DC itself and then do the rest from a WIN2000 Pro system
that has the ADMINPAK installed. You have to use the WIN2000 Pro system as
the reference point. In fact, I just did it two days ago for Power
Users.....

Thanks, I doubt if that article is even needed after your explanation.

I never thought of doing it from the Workstation. But it makes perfect
sense.

 
Cary Shultz [A.D. MVP]

Herb,

That is why we are all here! I share a little, you share a little, everyone
else shares a little. Before you know it we all have resolved an issue
that the poster ( whoever that might be ) could not do alone!

Have fun with this. It is really a lot of fun to implement and saves you a
lot of work!

Cary

 
Herb Martin

Have fun with this. It is really a lot of fun to implement and saves you a
lot of work!

I really do appreciate the "workstation" trick -- I asked on
several of these groups about this issue previously and so
far you are the only one to respond. I doubt it is widely known.

I do use Restricted Groups, the issue was the local machine
groups and on the DCs they never appear for insertion.
 
Cary Shultz [A.D. MVP]

Always glad to help where I can! Anytime you are in SW Virginia feel free
to come on over for a little southern cookin! Well, as 'southern' as
someone from Los Angeles can do. But, hey. I have been here for 13 months
now!

Cary
 
