Organizaional Unit Policy

[Guest]

In my Domain I have created Organizational Units.
Now I want to apply a policy so that the OU users can not access the
resources of other OU in the same Domain.

Suppose I have two OU's
IT and Sales
Now I want to restrict users of Sales OU from accessing the computers of IT
OU and vice versa.
Please let me know if you know.

 

[Guest]

I have not done this before, but it seems like you could create a group
policy for each OU setting the "Log on locally" setting to the group of
people you want to allow. You may also want to look at the "Access this
computer from the network" policy. Both are found in Computer Config/Win
Settings/Security Settings/Local Policies/User Rights Assignment on the group
policy editor.

You will have to create security groups representing the users, you can't do
it based on what OU they are in.
Make sure you allow "Domain Computers" to run your policy, otherwise nothing
will happen.

 

[Cary Shultz [A.D. MVP]]

Karan,

As suggested, you would use the Logon Locally ( specifically, you would deny
this ).

I am not sure why you would want IT to not be able to log on to any computer
in the company. I guess you have a good reason. It would make things a bit
more difficult for solving any problems. If the problem is an 'HR' issue
rather than a 'technical' issue - such as you can not trust some of the
people in IT ( are you part of 'IT'? ) then the solution should be a clear
one....

Does this help you?

--
Cary W. Shultz
Roanoke, VA 24012

WIN2000 Active Directory MVP
http://www.activedirectory-win2000.com
(soon to be updated!!!)
http://www.grouppolicy-win2000.com
(soon to be updated!!!)