Client Access Rights


Blaze

Hi

How can I restrict a Domain User Group from accessing a range of client
PCs? I.e. Admin cannot log on to the Sales Department's PCs and vice versa.
 
It is part of the individual user accounts, where you set which machines
they are allowed to log into. I don't think it can be done by "groups".
 
You can use Group Policy to do such. For instance place a group of computer
accounts in an Organizational Unit. Then create a Group Policy for that OU
and add the global group you want to restrict to the deny logon locally or
deny access this computer from the network user right in computer
configuration/Windows settings/security settings/local policies/user rights.
Note that while this will work in general, ultimately you can not restrict a
domain admin that does not want to be restricted as they always have the
power to undo settings that restrict them. To do such you really need to use
separate domains or better yet separate forests. You still can connect
forests and/or domains with trusts. --- Steve
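
To confirm that the deny rights described in the reply above actually reached a computer in the OU, you can export its effective user rights with `secedit /export /cfg rights.inf /areas USER_RIGHTS` and check the `[Privilege Rights]` section. The following is an added example, not code from the thread; the export text and the Sales group SID in it are constructed sample values.

```python
# Audit a secedit export for the two deny rights named in the reply above.
# Secedit writes the file as UTF-16; when reading one from disk use
# open(path, encoding="utf-16"). The sample below is constructed.

DENY_RIGHTS = {
    "SeDenyInteractiveLogonRight": "Deny log on locally",
    "SeDenyNetworkLogonRight": "Deny access to this computer from the network",
}

SALES_SID = "S-1-5-21-1111111111-2222222222-3333333333-1105"  # hypothetical group SID

SAMPLE_EXPORT = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545
SeDenyInteractiveLogonRight = *S-1-5-21-1111111111-2222222222-3333333333-1105
SeDenyNetworkLogonRight = Guest
[Version]
signature="$CHICAGO$"
Revision=1
"""

def parse_privilege_rights(inf_text):
    """Return {right_name: [principals]} from the [Privilege Rights] section."""
    rights, section = {}, None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section == "privilege rights" and "=" in line:
            name, _, value = line.partition("=")
            # SIDs are written with a leading '*'; unresolved names are bare.
            rights[name.strip()] = [p.strip().lstrip("*")
                                    for p in value.split(",") if p.strip()]
    return rights

def audit_deny(inf_text, principal):
    """Map each deny right's display name to whether `principal` is listed."""
    rights = parse_privilege_rights(inf_text)
    wanted = principal.lower()
    return {label: wanted in [p.lower() for p in rights.get(key, [])]
            for key, label in DENY_RIGHTS.items()}

if __name__ == "__main__":
    for label, present in audit_deny(SAMPLE_EXPORT, SALES_SID).items():
        print(f"{label}: {'set' if present else 'MISSING'} for {SALES_SID}")
```

In the sample, the group is denied local logon but not network access, so the second right is reported as missing.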
 
Blaze,

You can do this with Group Policy. Make a container in AD which contains all
the COMPUTERS (not users) in the admin and sales dept. Create a group policy
and, in it, go to COMPUTER CONFIGURATION > ADMINISTRATIVE TEMPLATES > SYSTEM
LOGON. Now find the rule called "Only allow local user profiles" and enable
it. Now apply this policy to the container you made containing the computers
you want this enforced on. You will have to go to the individual computers
and delete the accounts off of them that you don't want logged on. The reason
for this is, when a roaming user logs into a network machine, Windows
automatically downloads that user into the local profiles. Once the machine
policy is set, they won't be able to do this, and the only way for a different
user to log in is if the Network Admin (You) installs that account on the
local machine using the administrative computer account. Hope this helps. Using
Group Policy for the first time always takes some experimentation.
 
This would only be a problem if the users in question had domain admin
rights. I think you've hit the solution on the head. If the OP's users are
all domain admins, there's little hope for any kind of security..


...kurt
 
Thanks Guys :-)


Kurt said:
This would only be a problem if the users in question had domain admin
rights. I think you've hit the solution on the head. If the OP's users are
all domain admins, there's little hope for any kind of security..


..kurt
 