Force domain logon except for laptops

[Guest]

I have a group of people on the LAN that refudes to log into the domain. They
need to do so for updates to AV etc. I can create a GPO to force this, but I
have laptop users that need to be able to log on locally as well when out of
the office. Is the best way just to create 2-OU and put the laptops in one &
everyone else in the other? Then I can force logon to group #1 but not #2.
Does anyone have any better/more logical ways?

 

[Florian Frommherz]

Howdy Joe!

I have a group of people on the LAN that refudes to log into the domain. They
need to do so for updates to AV etc. I can create a GPO to force this, but I
have laptop users that need to be able to log on locally as well when out of
the office. Is the best way just to create 2-OU and put the laptops in one &
everyone else in the other? Then I can force logon to group #1 but not #2.
Does anyone have any better/more logical ways?

No - seperating the laptop from the workstation and creating a seperate
OU for each is the best way to reach your goal. It's clear and in
several months still easy understandable if you are searching for some
issue or want to undo your changes to the enviroment.

Another thing would be to "deny" the laptops (laptop users) the "Apply
Group Policy"-right in the policies' "security"-tab. But as far as you
are able to seperate them into specific OUs, I'd encourage you to do so.

cheers,

Florian