Restricting access to certain computers

Guest

I have certain computers on my network that I want to restrict who logs on.
I have set a group policy that requires a 12 character minimum password
length but users who have four characters can still log on. The server is
Windows 2000 and the computers are XP. I know that I could go into the user
account and set up what computers to log on to but I have close to 1000 users
and many computers and I want an easier way. Thanks for any help.
 
First problem is that password policies are set at the domain level. So
your password policy can be either 4 or 12 characters.

I believe there's a setting in Computer Configuration>Windows Settings>
Security Settings> Local Policies> User Rights Assignments> Log on locally

If you add the users to that policy, and place the computers in an OU with
that policy applied, you'll be able to do what you want... but can Lara,
Steve, Bruce, or Jerold confirm that I have that right?

Ken
 
This seems to be working for me. Thanks!

Ken B said:
First problem is that password policies are set at the domain level. So
your password policy can be either 4 or 12 characters.

I believe there's a setting in Computer Configuration>Windows Settings>
Security Settings> Local Policies> User Rights Assignments> Log on locally

If you add the users to that policy, and place the computers in an OU with
that policy applied, you'll be able to do what you want... but can Lara,
Steve, Bruce, or Jerold confirm that I have that right?

Ken
 
Ken's on the right track.

Although the Account Policies (including password length) are in Computer
Configuration, they apply to user accounts.
a. Account Policies settings in the Default Domain Policy apply to all domain
user accounts regardless of which computer they happen to log on to; the
Default Domain Policy is the ONLY place this setting has any effect on
domain user accounts.
b. Account Policies settings in some other GPO apply to all Local User
Accounts on computers whose computer account is within the scope of that GPO.

This is explained in the Help for Security Settings (Group Policy Editor,
right click Computer Configuration\Windows Settings\Security
Settings\Account Policies, select Help, Security Settings\Concepts\Security
Settings Descriptions\Account Policies)

You cannot apply a password length policy on a user by user basis.

If you only want some domain user accounts to be able to log on to some
computers, you can remove the Domain Users group from the local Users group
on those computers and add a group that has just the user accounts you want
to be able to log on. You can do this in a GPO using Restricted Groups -
however, if you aren't careful, you could prevent anyone from logging on at
any computer, so make sure you only apply such a GPO to an OU which has only
the computer accounts you want to apply this to.

Or, you can do as Ken suggested and set the Logon Locally right to include
just the group(s) of users you want to be able to log on. Again, test this
carefully on a few test computers, so you don't shoot yourself in the foot
(e.g. end up preventing Administrators from logging on!)
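
An added example, not written by any poster in this thread: a pre-deployment check that reads a security template (.inf) in the layout `secedit /export` produces and reports the two lockout mistakes the replies above warn about. The templates and the `EXAMPLE\LabUsers` group are constructed samples; it assumes the file has already been decoded to text.

```python
import configparser

LOGON_LOCALLY = "SeInteractiveLogonRight"   # privilege constant for "Log on locally"
ADMINS = "*S-1-5-32-544"                    # well-known SID: BUILTIN\Administrators
USERS_MEMBERS = "*S-1-5-32-545__Members"    # Restricted Groups entry for BUILTIN\Users

def parse_template(text):
    """Parse security-template text into {section: {key: [values]}}."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str                    # keep key case as written
    cp.read_string(text)
    return {s: {k: [v.strip() for v in val.split(",") if v.strip()]
                for k, val in cp.items(s)} for s in cp.sections()}

def lockout_findings(text):
    """Return the reasons this template could lock people out (empty list = none)."""
    tpl = parse_template(text)
    findings = []
    rights = tpl.get("Privilege Rights", {})
    if LOGON_LOCALLY in rights:
        holders = [h.lower() for h in rights[LOGON_LOCALLY]]
        if ADMINS.lower() not in holders and "administrators" not in holders:
            findings.append("Administrators missing from Log on locally")
    groups = tpl.get("Group Membership", {})
    if USERS_MEMBERS in groups and not groups[USERS_MEMBERS]:
        findings.append("Restricted Groups would empty the local Users group")
    return findings

# Constructed sample: Administrators keep the right, Users gets one domain group.
GOOD = r"""
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,EXAMPLE\LabUsers
[Group Membership]
*S-1-5-32-545__Members = EXAMPLE\LabUsers
"""
# Constructed sample: Administrators dropped, Users group left with no members.
BAD = r"""
[Privilege Rights]
SeInteractiveLogonRight = EXAMPLE\LabUsers
[Group Membership]
*S-1-5-32-545__Members =
"""

if __name__ == "__main__":
    for name, tpl in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, lockout_findings(tpl) or "no lockout risk found")
```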
 