Locking a user down to a single computer!

QBob

Hi, thanks for reading. I am looking for some advice on locking a user down
to a single computer using GP or any other method; within a domain. The
user needs access to email, internet and network shares so I am a little
limited in how locked down I can make the user. I would like to do this
within a separate OU and not affect my entire domain by locking the person
out of every PC at the domain level and then allowing through at a lower
level, but am open to all ideas. My network is a Windows 2000 network with
multiple DCs. Thanks!
 
Pegasus (MVP)

QBob said:
Hi, thanks for reading. I am looking for some advice on locking a user down
to a single computer using GP or any other method; within a domain. The
user needs access to email, internet and network shares so I am a little
limited in how locked down I can make the user. I would like to do this
within a separate OU and not affect my entire domain by locking the person
out of every PC at the domain level and then allowing through at a lower
level, but am open to all ideas. My network is a Windows 2000 network with
multiple DCs. Thanks!

Here is a quick and dirty way. Insert the following line into the logon
script:

rem Log JSmith off again whenever the logon is on any computer other than PC10
rem (/i makes both comparisons case-insensitive; the whole test must stay on one line)
if /i "%UserName%"=="JSmith" if /i not "%ComputerName%"=="PC10" c:\tools\shutdown.exe /L

There are various versions of shutdown.exe: one with WinXP, some freely
downloadable. The "logoff" switch is different from one version to the next.
 
Cary Shultz [A.D. MVP]

There are a lot of ways to do this. I might take a look at using the 'deny
logon locally' solution. It can be found here:

Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment

Use a security group and make that one specific user account object the only
member of that group. Then apply the Deny Logon Locally right to that
group. You would create an OU and move all of the computer account objects
(except the one where he/she is supposed to be able to use) into that OU.
Then create the GPO and link it to that OU.

This might be one way to do this.

If moving all of the computer account objects EXCEPT ONE to a separate OU
causes a problem for you then you might want to take a look at Group
Filtering.

--
Cary W. Shultz
Roanoke, VA 24014
Microsoft Active Directory MVP

http://www.activedirectory-win2000.com
http://www.grouppolicy-win2000.com
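The following script is an added example, not code from the thread or from any of the posters, that scaffolds the "Deny log on locally" design above with the ActiveDirectory and GroupPolicy PowerShell modules (RSAT, which did not exist on Windows 2000; the same objects can be created by hand in Active Directory Users and Computers and GPMC). The user name JSmith, the computer PC10, the group, OU and GPO names, and the use of the default Computers container are all assumptions. The user right itself is still assigned in the GPO editor at the path Cary gives, because there is no cmdlet for User Rights Assignment.

```powershell
# Added example (not from the thread): group, OU, computer moves and GPO link for
# the "Deny log on locally" approach. All names below are assumptions.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$user      = 'JSmith'
$allowedPc = 'PC10'
$domainDn  = (Get-ADDomain).DistinguishedName
$groupName = 'Deny-LocalLogon-JSmith'
$ouName    = 'Restricted Logon PCs'
$gpoName   = 'Deny local logon - JSmith'

# 1. A security group whose only member is the restricted account.
$group = Get-ADGroup -Filter "Name -eq '$groupName'"
if (-not $group) {
    $group = New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security `
                         -Path "CN=Users,$domainDn" -PassThru
}
Add-ADGroupMember -Identity $group -Members $user

# Check: a second member would be locked out of every PC in the OU as well.
$members = @(Get-ADGroupMember -Identity $group)
if ($members.Count -ne 1 -or $members[0].SamAccountName -ne $user) {
    throw "Group $groupName must contain only $user"
}

# 2. An OU holding every computer account object EXCEPT the one the user may use.
#    Only the default Computers container is scanned; domain controllers stay where they are.
$ou = Get-ADOrganizationalUnit -Filter "Name -eq '$ouName'"
if (-not $ou) {
    $ou = New-ADOrganizationalUnit -Name $ouName -Path $domainDn -PassThru
}
Get-ADComputer -Filter * -SearchBase "CN=Computers,$domainDn" |
    Where-Object { $_.Name -ne $allowedPc } |
    Move-ADObject -TargetPath $ou.DistinguishedName

# 3. A GPO linked to that OU. Open it in the GPO editor and add $groupName to
#    Computer Configuration\Windows Settings\Security Settings\Local Policies\
#    User Rights Assignment\Deny log on locally.
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $gpoName }
New-GPLink -Name $gpoName -Target $ou.DistinguishedName -LinkEnabled Yes -ErrorAction SilentlyContinue

# 4. Verification from a client in the OU: 'gpresult /r /scope computer' should list
#    the GPO, and an interactive logon by JSmith there is refused at the logon screen.
Get-GPInheritance -Target $ou.DistinguishedName | Select-Object -ExpandProperty GpoLinks
```

Because the right is a deny, order matters: if the group ever gains a second member, or PC10 is later moved into the OU, the restriction spreads silently, so the membership check and the OU move filter are the two places to keep an eye on.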
 
Roger Abell

If your AD is with NetBIOS support, then just use the properties of
that one account to define its allowed computers.
 
Greg H

Yes, specify in the user's account that he can only use a particular
computer. In addition to that, you may want to use a mandatory
profile. Log on as the user, set it up the way you want it, make sure
the user is not added to the local administrators group or even power
users group. Once all the settings are locked the way you want it, use
the mandatory profile and he will not be able to make changes on the PC
or his profile.

Greg Halpin
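The account-level approach from Roger's and Greg's replies, as an added example that is not code from the thread: the "Log On To..." restriction on the user object (the userWorkstations attribute, which takes NetBIOS computer names, hence Roger's remark about NetBIOS support) plus a mandatory profile path, with a read-back check and a check on PC10 for local admin or Power Users membership. JSmith, PC10, the \\FS01\Profiles share, and the ActiveDirectory RSAT module are assumptions; Get-LocalGroupMember exists on Windows 10 / Server 2016 and later only.

```powershell
# Added example (not from the thread): "Log On To" restriction and mandatory profile.
# JSmith, PC10 and \\FS01\Profiles are assumed names.
Import-Module ActiveDirectory

$user         = 'JSmith'
$workstations = @('PC10')          # NetBIOS names; the dialog accepts at most 64 of them
$profileShare = '\\FS01\Profiles'

# 1. Restrict the account to the listed computers (comma-separated list in AD).
Set-ADUser -Identity $user -LogonWorkstations ($workstations -join ',')

# 2. Point the account at its profile folder. The profile becomes mandatory once
#    NTUSER.DAT in that folder has been renamed to NTUSER.MAN after setup
#    (newer Windows versions add a .V2/.V6 suffix to the folder name).
Set-ADUser -Identity $user -ProfilePath "$profileShare\$user"

# 3. Read back what AD now holds for the account.
function Get-LogonRestriction {
    param([string]$SamAccountName)
    $u = Get-ADUser -Identity $SamAccountName -Properties LogonWorkstations, ProfilePath
    $mandatory = $false
    if ($u.ProfilePath) {
        $mandatory = Test-Path (Join-Path $u.ProfilePath 'NTUSER.MAN')
    }
    [pscustomobject]@{
        User             = $u.SamAccountName
        AllowedComputers = @($u.LogonWorkstations -split ',' | Where-Object { $_ })
        ProfilePath      = $u.ProfilePath
        MandatoryProfile = $mandatory
    }
}
Get-LogonRestriction -SamAccountName $user

# 4. Run on PC10 itself: the account must not sit in Administrators or Power Users,
#    otherwise the mandatory profile and the lockdown can be undone locally.
foreach ($g in 'Administrators', 'Power Users') {
    $hit = Get-LocalGroupMember -Group $g -ErrorAction SilentlyContinue |
           Where-Object { $_.Name -like "*\$user" }
    if ($hit) { Write-Warning "$user is a member of local group '$g' on $env:COMPUTERNAME" }
}
```

The "Log On To" check is enforced by the domain controller at logon, so unlike the logon-script approach it needs no tooling on the client; its limit is that it keys on NetBIOS names, so a renamed PC10 must be updated in the list.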
 