logon to workstations

  • Thread starter Thread starter Guest
  • Start date Start date
G

Guest

In domain user account settings account >> logon to >>
is there a limit to number of workstation accounts you can allow a user
account to logon to.
 
In domain user account settings account >> logon to >>
is there a limit to number of workstation accounts you can allow a user
account to logon to.
Click to expand...

Yes. If you configure any workstations, the limit is 8.
If you don't configure, the limit is infinity.


Jerold Schulman
Windows: General MVP
JSI, Inc.
http://www.jsiinc.com
 
Marcus Osborn said:
In domain user account settings account >> logon to >>
is there a limit to number of workstation accounts you can allow a user
account to logon to.
Click to expand...

I believe the limit is actually 60 computers. Does anyone know how to up
that amount?
 
I am not sure that there is any limit. AFAIK, I could go to each and every
computer in a 1000 computer environment and log on to each and every
computer. That is, unless there is a setting in my user account properties
limiting me to logging on to certain computers or some GPO that denies logon
locally.

Now, let's look at the two possibilities that I mentioned. These two will
limit a user to logging onto only those computer accounts specifically
mentioned in his / her user account properties -OR- prevent a user from
logging into those computer accounts that fall under the Scope of Management
of the GPO that denies the logon on locally to a specific group ( of which
the user account object in question would be a member ).

I am not sure where the limit of 60 originates. About the only 'limit'
where the number is '60' of which I have any knowledge is the tombstone time
limit. Not really sure where Jesse is getting this number.

Now, is this an answer to your question?

Or, as Ryan suggests, are you asking about a way to prevent a user from
logging into computerA and then logging into computerB ( while he / she is
still logged onto Computer! ). Both the Network Share and CConnect would be
the way to prevent this....bas per the MSKB Article that Ryan provided.

--
Cary W. Shultz
Roanoke, VA 24014
Microsoft Active Directory MVP

http://www.activedirectory-win2000.com
http://www.grouppolicy-win2000.com
 
Cary and Ryan,

I work for a large organization, and we have a training facility that has
around 150 computers. We are trying to using a single domain account to logon
to all of the workstations. The user account has been setup to only allow it
to logon to the training facility workstations through the Logon Workstations
option in the account tab in user properties.

We have hit a limit of 60 computers that can be added to that list, and are
wondering if there is a GPO or other way of editing that ammount.

Thanks,
 
Okay,

So if you go to the user account objects properties of 'testuser' you are
only allowed to enter 60 computer account objects. Clearly this does not
cover your needs. And clearly you are correct. Just tried adding more than
60 computer account objects to a user account object's properties ( the
Logon to.. button ) and was instructed that the is limited to 60 accounts.
Looks like I just added one more thing to my knowledge base.

Okay, in the meantime while I look for a way to increase / decrease this
limit......

Are the computer account objects in your environment placed into OUs, or do
you keep them all in the default COMPUTERS container?

If they are placed in OUs you could use the Deny Logon Locally GPO. I would
make sure, though, that the OU that holds these computer account objects is
not a 'child' or sub-OU of the OU structure that contains your other
computer account objects. Make it a completely different OU. So, what you
would do is have all of the computer account objects in their current OU set
up and create an OU for the test computer account objects. You would then
create a security group ( call it 'Training Group' or whatever ) and make
that one user account object the sole member. You could then create the
Deny Logon Locally GPO and link it to the OU structure that holds all of
your other computer account objects.

If you were to use this and you absolutely have to create the OU for the 150
computer account objects within your 'computer' OU structure then you might
have to look at Block Inheritance on the OU that holds these 150 training
computers.....

--
Cary W. Shultz
Roanoke, VA 24014
Microsoft Active Directory MVP

http://www.activedirectory-win2000.com
http://www.grouppolicy-win2000.com
 
I have looked around and am not finding a way to increase this. I am
guessing this is due to the size of the attribute container. As such I'd be
interested if there were a way to increase this. We'll see...
 
What if instead of this, he puts all the workstations in an OU and assigns
the logon locally privilege to admin accounts and his "user" account. From
there, he should deny all other users logon. That would have the same
effect, would be a lot less typing, and easier to manage in the long-run.
 
Thanks for the help so far. Unfortunately I am not able to create/modify/etc.
the OU's or GPO's but I have given the suggestion to the people who can.
We'll see what happens I guess.

Thanks again,

Jesse
 
Back
Top