Only logon to computers in 1 OU

Thread starter: Caesar

Caesar

I want to know how through GPO I can have this 1 user only logon to the
computers in their department's OU?

I don't want to add computers in AD and then have to Add and Delete
every time the department gets new systems. There has to be a way in GP to do
this but I don't see it.

I need to do this ASAP so any help quickly is more than appreciated!
 
Caesar,

The other way round would be possible but doesn't meet your requirement
(not to re-configure when new systems arrive). Is that a restriction to
this particular user or is that a requirement that nobody (except the
one user) needs access (only) to the machines?

There isn't built-in functionality for this; you'll either have to
script it or link a GP with the "Deny log on locally" security setting
with the user's username to all other servers except the OU he needs
access to the machines in.

cheers,

Florian
 
Thanks for the reply, but since I have so many OU's in my Active Directory I
would really like to just set this one user up with allow only, and not have
to go to the over 100 different OU's to deny access.

Plus, I am not well versed in scripts or how to write them. I have a user
we'll call "AI_User" and an OU called deptartments\finance\ap\computers. If
you say "run a script", do you know where I can find samples written?

Thanks

Florian Frommherz said:
--
Microsoft MVP - Group Policy
eMail: prename [at] frickelsoft [dot] net.
blog: http://www.frickelsoft.net/blog.
Maillist (german): http://frickelsoft.net/cms/index.php?page=mailingliste
 
Howdie!

There are only two ways to go about it: Security Configuration using
the "Allow log on" setting, or the Active Directory Users and Computers
function "Log on To".

You could script it in several ways - for example for all users logging
in to check whether the username is AI_User and the machine name is XY
-- and if so, run logoff.exe and things of that nature. Honestly I'd go
for the two built-in functions and leave scripting alone.

However, if you're into scripting, the scripting guys may be helpful here:
http://www.microsoft.com/technet/scriptcenter/resources/qanda/dec06/hey1206.mspx

cheers,

Florian
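Florian's second option, the "Log on To" list on the user account (the LogonWorkstations attribute), can be kept current by a scheduled script, which removes the need to edit it by hand when the department gets new systems. The following PowerShell is an added example, not code from this thread; it assumes the RSAT ActiveDirectory module and uses a placeholder OU distinguished name and the "AI_User" account from the question.

```powershell
# Added example: sync AI_User's "Log on To" list with the computers in one OU.
# Assumes the ActiveDirectory module (RSAT) on a management host; the OU DN is a placeholder.
Import-Module ActiveDirectory

$user = 'AI_User'                                                          # sAMAccountName from the thread
$ouDn = 'OU=computers,OU=ap,OU=finance,OU=departments,DC=example,DC=com'   # placeholder DN

# NetBIOS names of every computer object currently under the OU (sub-OUs included).
$names = Get-ADComputer -SearchBase $ouDn -SearchScope Subtree -Filter * |
         Select-Object -ExpandProperty Name | Sort-Object -Unique

# An empty LogonWorkstations value means "log on to all computers", so never write one.
if (-not $names) {
    throw "No computers found under $ouDn; refusing to clear the restriction"
}

# The ADUC "Log on To" dialog displays at most 64 entries; warn so admins know to
# check the attribute directly rather than trust the GUI view.
if ($names.Count -gt 64) {
    Write-Warning "$($names.Count) computers in scope; the ADUC dialog shows only 64"
}

$desired = $names -join ','
$current = (Get-ADUser -Identity $user -Properties LogonWorkstations).LogonWorkstations

if ($current -ne $desired) {
    Set-ADUser -Identity $user -LogonWorkstations $desired
    Write-Output "Updated LogonWorkstations for $user ($($names.Count) computers)"
} else {
    Write-Output "LogonWorkstations for $user already matches the OU"
}
```

Run it with `-WhatIf` on `Set-ADUser` first, then schedule it on a management host so new computer objects in the OU are picked up automatically.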
 