Is there a way, other than using the "Log On To" section in the account area of Active Directory user properties (which requires the NetBIOS protocol, something I do not want to implement), that would allow me to specify that I only want THIS user to log on to one certain computer and no other?
Please please please help
David Hunt
The City of Lake Forest
You can achieve this in a logon script. You have to test whether
%computername% is equal to the allowed computer for this user. I
personally would do it in JavaScript (or VBScript) and implement one
script with more complex logic for all users. For example, you list all
users and allowed machines in a CSV file, parse it in the logon script,
determine whether the current machine is among the allowed ones and, if
not, display a message and call logoff.exe from the Resource Kit to force
user logoff.
You can also try playing with the "Logon locally" user right on clients
and grant it only to the respective user (and the administrator). This,
however, would require either manual configuration of the workstations'
local policies or the implementation of a separate GPO for each machine.
It all depends on how many machines you have.
Other than that, no, there is no other supported (or AD) way to
accomplish this than the feature you're trying to stay away from.
Hope these ideas come in handy
--
Cheers,
Marin Marinov
MCT, MCSE 2003/2000/NT4.0,
MCSE:Security 2003/2000, MCP+I
-
This posting is provided "AS IS" with no warranties, and confers no
rights.
"True knowledge exists in knowing that you know nothing."
Socrates
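
A sketch of the CSV-driven logon script described in the reply above, added here as an example and not code from the original thread. Assumptions: the CSV holds one `user,computer` pair per line, users not listed in the file are unrestricted, and the share path is a placeholder.

```javascript
// Added example. Written in ES3 style so the same file runs under
// Windows Script Host (JScript) and under Node for offline testing.
function trim(s) { return String(s).replace(/^\s+|\s+$/g, ""); }

// Build { "user": { "COMPUTER": true, ... } } from the CSV text.
function parseAllowList(csvText) {
  var list = {}, lines = String(csvText).split(/\r?\n/);
  for (var i = 0; i < lines.length; i++) {
    var line = trim(lines[i].replace(/#.*$/, ""));   // "#" starts a comment
    if (line === "") continue;
    var cols = line.split(",");
    if (cols.length !== 2) continue;                 // skip malformed rows
    var user = trim(cols[0]).toLowerCase();
    var host = trim(cols[1]).toUpperCase();
    if (user === "" || host === "") continue;
    if (!Object.prototype.hasOwnProperty.call(list, user)) list[user] = {};
    list[user][host] = true;
  }
  return list;
}

// Assumption: users absent from the file are unrestricted; listed users
// may log on only to the machines named on their rows.
function isLogonAllowed(list, user, computer) {
  var name = trim(user).replace(/^.*\\/, "").toLowerCase(); // drop DOMAIN\
  var host = trim(computer).toUpperCase();
  if (!Object.prototype.hasOwnProperty.call(list, name)) return true;
  return Object.prototype.hasOwnProperty.call(list[name], host);
}

// Constructed sample data (not from the original thread).
var SAMPLE_CSV = "# user,computer\r\njsmith, PC-FRONTDESK\r\n" +
                 "kiosk,PC-LOBBY\r\nkiosk,PC-LIBRARY\r\nbad row\r\n";

// Windows Script Host wiring; skipped when WScript is not present.
if (typeof WScript !== "undefined") {
  var net = new ActiveXObject("WScript.Network");
  var fso = new ActiveXObject("Scripting.FileSystemObject");
  // Placeholder path: use a share users can read but not write.
  var csv = fso.OpenTextFile("\\\\SERVER\\SHARE\\allowed.csv", 1).ReadAll();
  if (!isLogonAllowed(parseAllowList(csv), net.UserName, net.ComputerName)) {
    WScript.Echo("You are not permitted to log on to this computer.");
    new ActiveXObject("WScript.Shell").Run("logoff.exe", 0, true);
  }
}
```

A logon script runs in the user's own session after authentication has already succeeded, so this check is a deterrent; the "Logon locally" user right mentioned in the reply is the option enforced by the workstation itself.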