Restricting Access to PCs by Groups

[redziller]

Hello,

I have two classes of users rather like staff and guests and they're
generally in different locations. The staff have NT4 crates / 2k
Terminal Server clients and the guests have XP SP2s. Both use the same
domain.

Active directory sits on W2k server.

I'd like to stop each group from using the other's PCs. I could use
the "Log On To..." on the account tab of the user object but with ~100
users and crates that's too much admin.

Can I manage this with groups? I don't see a policy setting that would
work - but then you need to be logged on for the policy to be applied
so I guess a policy isn't the right approach.

I've put the two sets of PCs in different OUs and fully denied access
to the group I wish to stop logging on but that has no effect.

Any help apprecated,

Peter

 

[Guest]

Can I manage this with groups? I don't see a policy setting that would

work - but then you need to be logged on for the policy to be applied
so I guess a policy isn't the right approach.

You can use the Allow Log On Locally policy to restrict this. Use OUs to
organize the computers into two different types, and use groups to organize the
users into the two different classes.

Then set up two policies that apply to the two different computer OUs to define
Allow Log On Locally containing each different user group. Also you should add
Administrators to log on locally too in each policy.

Hope this helps!

 

[redziller]

You can use the Allow Log On Locally policy to restrict this. Use OUs to
organize the computers into two different types, and use groups to organize the
users into the two different classes.

Then set up two policies that apply to the two different computer OUs to define
Allow Log On Locally containing each different user group. Also you should add
Administrators to log on locally too in each policy.

Hope this helps!

Excellent - just the job. The policy approach does work as it's applied
to the crate.

Many thanks