Restrict user from computer

  • Thread starter: dale
Create a global group and make all users in question members. Create a group
policy object and in computer security settings configure "Deny interactive
Logon" privilege so it is denied to the group created. Apply the GPO using
OUs or security filtering to all computers where the users in question
should not be able to log on.

There's a simple solution, "Logon workstations" in user's account tab. You
just put netbios names of the machines where the user is allowed to log on.
But it requires netbios protocol, it does not work if user logs on with
network cable unplugged (provided that they have already logged on there and
the credentials are cached), and it is limited to 8 machines only.
 
I want to make it so user X cannot log into three PCs that
are in a sensitive area.

I figured out one way that worked (on the local PC itself)
by going into admin tools/Local Security Policies --
Security settings\Local policies\User Rights Assignments--
Right click Deny Logon Locally > click security > add user
X and check the Local
Policy setting box.

I tried logging in as user X and got the message about
local policy blocking the login. Works great.

Can I make this happen with the active directory? Can I
create some policy that I can assign to specific PCs and
how do I get started?
Right now I am looking at the Active Directory under
computers. I right click on the computer I want to
restrict to User X. I right click on that PC and click
properties. I click the security tab. I add User X to the
list and put a check in the deny box for all choices. This
does not work.

Thanks
Dale
 
"Create a global group and make all users in question
members." DID IT

"Create a group policy object and in computer security
settings configure "Deny interactive Logon" privilege so
it is denied to the group created."
I cannot find Deny interactive login. I can find: Deny
login as batch job, Deny login as a service and Deny login
locally. I find these in group policy/Computer
configuration/Windows settings/security settings/Local
Policies/User Rights assignments.


"Apply the GPO using OUs or security filtering to all
computers where the users in question should not be able
to log on."
Could you spell this out for a thick-headed individual?
 
Deny logon locally is what I meant by deny interactive logon.

Well, GPOs can be applied to an OU affecting all users and computers within
that OU and down the OU hierarchy. But you can also use security filtering
if it is impossible to place all required user and computer objects into one
OU. By default, "Authenticated Users" group (which means all authenticated
user and computer accounts) is granted "read" and "apply group policy"
permissions on the GPO. You can remove this entry from the ACL, and add only
the group you need, granting it "read" and "apply group policy". This way
only users and computers who a) are located under the OU where the GPO is linked
and b) are members of the group you have granted permissions will be affected
by this GPO.
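
Added example, not part of the thread: the steps discussed above scripted with the ActiveDirectory and GroupPolicy PowerShell modules, plus a check to run on one of the PCs afterwards. Every group, GPO, OU, user and computer name is a placeholder assumption, and the "Deny log on locally" right itself is still set in the GPO editor because the GroupPolicy module has no cmdlet for user rights.

```powershell
# Added example. All names below are placeholders (assumptions), not from the thread.
Import-Module ActiveDirectory, GroupPolicy

$userGroup = 'Deny-SensitivePCs-Users'            # global group holding user X
$pcGroup   = 'SensitivePCs'                       # global group holding the three PCs
$gpoName   = 'Deny local logon - sensitive PCs'
$ouDn      = 'OU=Workstations,DC=example,DC=com'  # OU that contains the PCs

# 1. Global security groups: one for the restricted users, one for the target PCs.
New-ADGroup -Name $userGroup -GroupScope Global -GroupCategory Security
Add-ADGroupMember -Identity $userGroup -Members 'userX'
New-ADGroup -Name $pcGroup -GroupScope Global -GroupCategory Security
Add-ADGroupMember -Identity $pcGroup -Members 'PC1$', 'PC2$', 'PC3$'

# 2. Create the GPO and link it to the OU.
New-GPO -Name $gpoName | New-GPLink -Target $ouDn

# 3. Security filtering: only members of $pcGroup read and apply the GPO;
#    the default "Authenticated Users" entry is removed, as the reply describes.
Set-GPPermission -Name $gpoName -TargetName $pcGroup -TargetType Group `
    -PermissionLevel GpoApply
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel None -Replace

# 4. Manual step in the GPO editor: Computer Configuration > Windows Settings >
#    Security Settings > Local Policies > User Rights Assignment >
#    "Deny log on locally" -> add $userGroup.
#    Restart the PCs so they pick up their new group membership.

# 5. Verification, run elevated on one of the PCs after gpupdate:
#    export the effective user rights and look for the group's SID.
function Test-DenyLocalLogon {
    param([Parameter(Mandatory)][string]$GroupSid)
    $cfg = Join-Path $env:TEMP 'user_rights.inf'
    secedit /export /areas USER_RIGHTS /cfg $cfg | Out-Null
    $line = Select-String -Path $cfg -Pattern '^SeDenyInteractiveLogonRight' |
        Select-Object -First 1
    Remove-Item $cfg -ErrorAction SilentlyContinue
    # secedit writes SIDs as *S-1-5-...; escape the SID before matching.
    return [bool]($line -and $line.Line -match [regex]::Escape("*$GroupSid"))
}

# Usage on the PC, with the SID taken from (Get-ADGroup $userGroup).SID.Value:
# gpupdate /force
# Test-DenyLocalLogon -GroupSid 'S-1-5-21-<domain>-<rid>'   # placeholder SID
```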
 