Only logon to computers in 1 OU

Caesar

I want to know how, through GPO, I can have this 1 user only log on to the
computers in their department's OU?

I don't want to add computers in AD and then have to Add and Delete
every time the department gets new systems. There has to be a way in GP to do
this but I don't see it.

I need to do this ASAP so any help quickly is more than appreciated!
 
Florian Frommherz [MVP]

Caesar,
> I want to know how, through GPO, I can have this 1 user only log on to the
> computers in their department's OU?
>
> I don't want to add computers in AD and then have to Add and Delete
> every time the department gets new systems. There has to be a way in GP to do
> this but I don't see it.
>
> I need to do this ASAP so any help quickly is more than appreciated!

The other way round would be possible but doesn't meet your requirement
(not to re-configure when new systems arrive). Is that a restriction to
this particular user or is that a requirement that nobody (except the
one user) needs access (only) to the machines?

There isn't built-in functionality for this; you'll either have to
script it or link a GP with the "Deny log on locally" security setting
with the user's username to all other servers except the OU where he needs
access to the machines.

cheers,

Florian
 
Caesar

Thanks for the reply, but since I have so many OUs in my Active Directory I
would really like to just set this one user up with allow only, and not have
to go to the over 100 different OUs to deny access.

Plus, I am not well versed in scripts or how to write them. I have a user
we'll call "AI_User" and an OU called deptartments\finance\ap\computers. If
you say "run a script", do you know where I can find samples written?

Thanks

Florian Frommherz said:
> Caesar,
> > I want to know how, through GPO, I can have this 1 user only log on to the
> > computers in their department's OU?
> >
> > I don't want to add computers in AD and then have to Add and Delete
> > every time the department gets new systems. There has to be a way in GP to do
> > this but I don't see it.
> >
> > I need to do this ASAP so any help quickly is more than appreciated!
>
> The other way round would be possible but doesn't meet your requirement
> (not to re-configure when new systems arrive). Is that a restriction to
> this particular user or is that a requirement that nobody (except the
> one user) needs access (only) to the machines?
>
> There isn't built-in functionality for this; you'll either have to
> script it or link a GP with the "Deny log on locally" security setting
> with the user's username to all other servers except the OU where he needs
> access to the machines.
>
> cheers,
>
> Florian
> --
> Microsoft MVP - Group Policy
> eMail: prename [at] frickelsoft [dot] net.
> blog: http://www.frickelsoft.net/blog.
> Maillist (german): http://frickelsoft.net/cms/index.php?page=mailingliste
 
Florian Frommherz [MVP]

Howdie!
> Thanks for the reply, but since I have so many OUs in my Active Directory I
> would really like to just set this one user up with allow only, and not have
> to go to the over 100 different OUs to deny access.
>
> Plus, I am not well versed in scripts or how to write them. I have a user
> we'll call "AI_User" and an OU called deptartments\finance\ap\computers. If
> you say "run a script", do you know where I can find samples written?

There are only two ways to go about it: Security Configuration
using "Allow log on", or the Active Directory Users and Computers
function "Log on To".

You could script it in several ways - for example, for all users logging
in, check whether the username is AI_User and the machine name is XY
-- and if so, run logoff.exe and things of that nature. Honestly, I'd go
for the two built-in functions and leave scripting alone.

However, if you're into scripting, the scripting guys may be helpful here:
http://www.microsoft.com/technet/scriptcenter/resources/qanda/dec06/hey1206.mspx

cheers,

Florian
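
One way to keep the "Log on To" list mentioned above in step with the OU, as an added example that is not part of the thread: a PowerShell script, run on a schedule, that rewrites AI_User's allowed workstations from the computer accounts currently in the OU. The domain components in the OU path and the 1024-character limit are assumptions, and the ActiveDirectory module (RSAT) must be installed.

```powershell
# Added example, not from the thread. Syncs a user's "Log on To" list
# (userWorkstations attribute) with the computers found in one OU.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$UserName   = 'AI_User',
    # OU names are from the thread; DC=example,DC=com is a placeholder domain.
    [string]$ComputerOU = 'OU=computers,OU=ap,OU=finance,OU=deptartments,DC=example,DC=com',
    # Assumed schema length limit for userWorkstations; verify in your forest.
    [int]$MaxLength     = 1024
)

Import-Module ActiveDirectory -ErrorAction Stop

# Enabled computer accounts in the OU and its child OUs.
# Assumes each account's Name matches the machine's NetBIOS name.
$names = @(Get-ADComputer -Filter 'Enabled -eq $true' -SearchBase $ComputerOU `
               -SearchScope Subtree -ErrorAction Stop |
           Sort-Object -Property Name |
           Select-Object -ExpandProperty Name)

# An empty list would clear the restriction and allow logon everywhere.
if ($names.Count -eq 0) {
    throw "No enabled computers under $ComputerOU; $UserName left unchanged."
}

$wanted = $names -join ','
if ($wanted.Length -gt $MaxLength) {
    throw "List is $($wanted.Length) characters, over the assumed limit of $MaxLength."
}

$user    = Get-ADUser -Identity $UserName -Properties userWorkstations -ErrorAction Stop
$current = [string]$user.userWorkstations

if ($current -eq $wanted) {
    Write-Output "$UserName already restricted to $($names.Count) computers; nothing to do."
    return
}

# Report the difference so the scheduled-task log shows what changed.
$old     = @($current -split ',' | Where-Object { $_ })
$added   = @($names | Where-Object { $_ -notin $old })
$removed = @($old   | Where-Object { $_ -notin $names })

if ($PSCmdlet.ShouldProcess($user.DistinguishedName, "Set Log on To ($($names.Count) computers)")) {
    Set-ADUser -Identity $user -LogonWorkstations $wanted -ErrorAction Stop
    Write-Output "Updated $UserName. Added: $($added -join ', '). Removed: $($removed -join ', ')."
}
```

Run it with `-WhatIf` first to see the pending change, then schedule it under an account delegated to write only that attribute on that user.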
 
