Organization Unit Login


Ricky

Hi

Can someone tell me if it is possible to restrict user's login by
organization units?... If so can someone explain or give me the right tip
how is it done!...

Thanks
[]
Ricky
 
Ricky said:
Can someone tell me if it is possible to restrict user's login by
organization units?... If so can someone explain or give me the right tip
how is it done!...

No -- probably but it is not even clear what you want to accomplish.

What would "restrict logon by OU" actually look like or mean?

Disallow users in an OU from logging on at all? (Select them all and
set the disabled box on their accounts?)

Specify exactly what your goal is -- and not initially how you think to
accomplish that -- and someone might be able to help you arrive at
that actual goal.
 
You would need to provide this such as via a combination of scripting
to control group memberships and use of those groups in user rights.
It is not provided by what is included in Windows.
You might be able to find a third-party product that accomplishes this.
 
hi,
Create an OU and move the computers where you want to restrict the login.
Create a group of users which you want to restrict. On that OU create a GPO
and set
computer configuration/windows settings/security settings/user right
assignment/deny logon locally, deny logon through terminal services, deny
access this computer from network with the users group which you just created.
 
In my network domain (single domain) there exist two types of users: local and
roaming profiles. I want to disable the possibility of some of those users to
just be able to login in some organization units and not others.

Thanks
[]
Ricky
 
 
OU's are just container objects (Collections of users), users don't login to
OU's. You are really confused on something.

Why don't you provide more details on what you are trying to accomplish, it
still isn't clear to me.

--
Paul Bergson
MVP - Directory Services
MCT, MCSE, MCSA, Security+, BS CSci
2003, 2000 (Early Achiever), NT

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.

 
I take "just be able to login in some organization units"
to mean login into the machines in those OUs.

At any rate, it does not matter what your precise meaning is.
I took that into account, thinking of a few possible meanings
for what you were stating, and they all came out the same.
You either need to script this up to leverage control of the
memberships of some custom group that you use for assignment
of user rights, or you need to find some third-party solution.
It is not built into Windows.

Roger
 
Ricky said:
In my network domain (single domain) exists two types of users: local and
roaming profiles. I want to disable the possibility of some of that users
to just be able to login in some organization units and not others.

No one logs into an OU. So what specifically would be different
for these users?

I already asked if you wish them to be unable to logon to the domain
AT ALL?

What else can you mean by this?
 
As specified in some of the other posts, users don't log into OUs. They
are containers in which user objects (as well as other objects) are "kept".

--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm

 
Sorry for the lack of information I've given. The purpose of this issue is to
restrict some users to login in the domain where for example:

1. Building A (organization unit A): works user xpto_1
2. Building B (organization unit B): works user xpto_1
3. Building C (organization unit C): works user xpto_2
4. Building D (organization unit D): works user xpto_2
5. Building E (organization unit E): works user xpto_3

User xpto_1 and user xpto_2 should only be able to login into the
computers (there are more than 2 computers in question) where they work in
different buildings/organization units and their roaming profiles should be
transferred or not (give me another hand what is the best policy for this too)
when they do their login where the pc_1 or pc_n is located.

Thanks
[]
Ricky


 
Ricky said:
Sorry for the lack of information I've given. The purpose of this issue is
to restrict some users to login in the domain where for example:

It isn't really (so much) the lack of information but rather the lack of
clarity -- you have a lot of people trying to decipher what you intend
to do.

I BELIEVE you wish to do the following:

Restrict (groups of) Users from logging into Computers in certain Sites
or OUs

Allow those (groups of) Users to log into Computers in certain other
Sites or OUs

Is this the goal?

There is no direct way to do this, but you might be able to "fake it" with
Logon Scripts -- if I run a script so that on logon (technically the users
would logon briefly) the script tests for Group membership and then
immediately logs that user back off, the goal would be accomplished
(closely enough) probably.

Is this your goal?
 
hi,
I assume that computers where xpto_1 works are in OU Building A and B and
similar for the other OUs.
Create groups of users: GUserAB (contains xpto_1), GUserCD (contains
xpto_2), GUserE (xpto_3).
On the OUs Building A and B link a GPO with settings:
computer configuration/windows settings/security settings/user right
assignment/deny logon locally, deny logon through terminal services, deny
access this computer from network: add GUserCD, GUserE.
Similar for OU Building C, D and E.

--
Dragos CAMARA
MCSA Windows 2003 server


 
OK, if I understand what you're after you need to create and link a GPO to
each OU that only allows logon locally for Administrators, Backup Operators,
and custom groups, e.g.

OU1 - Logon Locally - Administrators, Backup Operators, OU1 Allowed Users
OU2 - Logon Locally - Administrators, Backup Operators, OU2 Allowed Users


You then ensure that the computer objects are in the correct OUs and that
your users are added to the correct groups, e.g. OU1 Allowed Users.

What this does is remove the ability for users, guests and power users to
logon locally. The only people who can logon locally are the local admins,
backup ops, and users in your defined groups. If you want someone to be
able to logon to machines in OU1 and OU4, you add them to both groups.

What you've confused here, as others have pointed out, is that you actually
only logon to a computer. An OU is simply a container in the directory and
is only technically there for assigning policy and delegating permissions,
but is also used to organise objects into smaller groups. Therefore what
you must do is use GPOs to define privileges for users on the computers that
reside in the OUs.

Note. This doesn't stop a user on a computer in OU9 from connecting to a
share on a computer in OU3, for example. This is a different privilege
(Access this computer from the network).
 
While that will work it's usually best to restrict those allowed as opposed
to outrightly denying someone something. Deny will override allow which
isn't always what you want, as there's an inherent lack of access if you
don't have an allow.

It's probably better to limit those who can actually logon as I've posted
elsewhere in the thread. By only allowing a specific group to logon you
mitigate the fact that someone can logon because they've not yet been added
to the deny group.
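
Added example, not part of any poster's reply: a small Python model of the two approaches debated above, parsing the `[Privilege Rights]` section of a security template and applying "deny overrides allow, no allow means no access". The templates, the SIDs given to GUserAB/GUserCD/GUserE and the `new_hire` account are constructed for illustration; only the BUILTIN SIDs and the right names are real Windows values.

```python
# Added example: templates, custom-group SIDs and accounts below are constructed.
ADMINS, BACKUP_OPS, USERS = "S-1-5-32-544", "S-1-5-32-551", "S-1-5-32-545"  # well-known BUILTIN SIDs
GUSER_AB = "S-1-5-21-1000-2000-3000-1101"  # constructed placeholder SIDs
GUSER_CD = "S-1-5-21-1000-2000-3000-1102"
GUSER_E = "S-1-5-21-1000-2000-3000-1103"

# Effective rights on a Building A computer with the allow-list GPO (constructed).
ALLOW_LIST_INF = f"""
[Unicode]
Unicode=yes
[Privilege Rights]
; only admins, backup operators and the building's own group
SeInteractiveLogonRight = *{ADMINS},*{BACKUP_OPS},*{GUSER_AB}
"""

# Same computer with the deny-list GPO: default allow for Users left in place (constructed).
DENY_LIST_INF = f"""
[Privilege Rights]
SeInteractiveLogonRight = *{ADMINS},*{BACKUP_OPS},*{USERS}
SeDenyInteractiveLogonRight = *{GUSER_CD},*{GUSER_E}
"""

# Group SIDs in each account's token; domain users land in BUILTIN\Users on members.
TOKENS = {
    "xpto_1": {USERS, GUSER_AB},
    "xpto_2": {USERS, GUSER_CD},
    "new_hire": {USERS},  # hypothetical account not yet placed in any building group
}

def parse_privilege_rights(inf_text):
    """Return {right name: set of SIDs} from the [Privilege Rights] section."""
    rights, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
            continue
        if in_section and "=" in line:
            name, _, value = line.partition("=")
            rights[name.strip()] = {v.strip().lstrip("*") for v in value.split(",") if v.strip()}
    return rights

def can_logon_locally(rights, token_sids):
    """Deny overrides allow; an account with no matching allow entry is refused."""
    token = set(token_sids)
    if token & rights.get("SeDenyInteractiveLogonRight", set()):
        return False
    return bool(token & rights.get("SeInteractiveLogonRight", set()))

def evaluate(inf_text):
    rights = parse_privilege_rights(inf_text)
    return {user: can_logon_locally(rights, sids) for user, sids in TOKENS.items()}

if __name__ == "__main__":
    for label, inf in (("allow-list", ALLOW_LIST_INF), ("deny-list", DENY_LIST_INF)):
        print(label, evaluate(inf))
```

Under the deny-list template `new_hire` can log on to the Building A computer because nobody has added the account to a deny group yet; under the allow-list template the same account is refused until it is placed in GUserAB.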
 
hi,
I agree with you, but it was simple to me to write; if I was to write remove
these groups from allow login etc., and what other groups do you have etc. :)
and just leave these ... in fact are user groups and if are users who must
have access to 2 OUs I agree with you.
Anyway, if I can avoid deny I will :) but here that was a simple solution.
 
Paul,

Thanks for the tip, but can you tell me if there exists a Microsoft or other
type of document which explains the steps for the advice you just gave?

[]
Ricky
 
Herb,

Yes. That is the goal. Thanks... can you tell me if there exists a Microsoft or
other type of document which explains the steps for the advice you just gave?

[]
Ricky
 
Thanks Dragos,

But can you tell me if there exists a Microsoft or other type of document which
explains the steps for the advice you just gave?

[]
Ricky
