Forum.Brain-Cluster.com: Brain Cluster Technical Forum
Restrict workstation to only allow logon by one user [message #408345] Tue, 09 March 2010 10:09
Chegu Tom (United States)
I have a workstation on our network that should only allow a specific user
or group of users to login there. I can restrict the user to a specific
workstation but I want to restrict a workstation to specific users.

How do I configure that?
Re: Restrict workstation to only allow logon by one user [message #408404 is a reply to message #408345] Tue, 09 March 2010 11:21
aceman (United States)
"Chegu Tom" <noemail@yahoo.com> wrote in message news:u06pXx6vKHA.4552@TK2MSFTNGP04.phx.gbl...
>I have a workstation on our network that should only allow a specific user
> or group of users to login there. I can restrict the user to a specific
> workstation but I want to restrict a workstation to specific users.
>
> How do I configure that?
>
>


Does this help?

Restrict Users to Specific Workstations
http://help.lockergnome.com/windows2/Restrict-Users-Specific-Workstations--ftopict482635.html

Or to deny everyone except the specific user:

Place all computers you want restricted into one OU then use GPO to "Deny log on locally" to the security group under:
Computer Configuration | Windows Settings | Security Settings | Local Policies | User Rights Assignment

Apply this policy to the computer OU.


--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and confers no rights.

Please reply back to the newsgroup or forum for collaboration benefit among responding engineers, and to help others benefit from your resolution.

Ace Fekay, MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services

If you feel this is an urgent issue and require immediate assistance, please contact Microsoft PSS directly. Please check http://support.microsoft.com for regional support phone numbers.
Re: Restrict workstation to only allow logon by one user [message #408559 is a reply to message #408345] Tue, 09 March 2010 14:30
Florian Frommherz (Germany)
Howdie!

On 09.03.2010 18:09, Chegu Tom wrote:
> I have a workstation on our network that should only allow a specific user
> or group of users to login there. I can restrict the user to a specific
> workstation but I want to restrict a workstation to specific users.

Yeah, Ace is right. I'd use the local Group Policy as far as possible.
That's the best - yet the cleanest way to do that.

Cheers,
Florian
Re: Restrict workstation to only allow logon by one user [message #408780 is a reply to message #408559] Tue, 09 March 2010 19:57
aceman (United States)
"Florian Frommherz" <florian@LEAVETHISOUT.frickelsoft.net> wrote in message news:%23wPU9%238vKHA.4908@TK2MSFTNGP06.phx.gbl...
> Howdie!
>
> On 09.03.2010 18:09, Chegu Tom wrote:
>> I have a workstation on our network that should only allow a specific user
>> or group of users to login there. I can restrict the user to a specific
>> workstation but I want to restrict a workstation to specific users.
>
> Yeah, Ace is right. I'd use the local Group Policy as far as possible.
> That's the best - yet the cleanest way to do that.
>
> Cheers,
> Florian


Thanks for the plug, Florian. :-)

Ace
Re: Restrict workstation to only allow logon by one user [message #409291 is a reply to message #408404] Wed, 10 March 2010 13:04
Chegu Tom (United States)
Thanks guys but I know how to restrict a user to a specific machine. I want
to BLOCK everyone but specific users from logging on to a machine.

The second solution to "Deny log on locally". Would that allow any network
user to log on? I am a little lost with OU and GPO terminology, Will that
allow me to block all but specific users from using a specific machine?


"Ace Fekay [MVP-DS, MCT]" <aceman@mvps.RemoveThisPart.org> wrote in message
news:etcOVV7vKHA.1984@TK2MSFTNGP05.phx.gbl...
"Chegu Tom" <noemail@yahoo.com> wrote in message
news:u06pXx6vKHA.4552@TK2MSFTNGP04.phx.gbl...
>I have a workstation on our network that should only allow a specific user
> or group of users to login there. I can restrict the user to a specific
> workstation but I want to restrict a workstation to specific users.
>
> How do I configure that?
>
>


Does this help?

Restrict Users to Specific Workstations
http://help.lockergnome.com/windows2/Restrict-Users-Specific-Workstations--ftopict482635.html

Or to deny everyone except the specific user:

Place all computers you want restricted into one OU then use GPO to "Deny
log on locally" to the security group under:
Computer Configuration | Windows Settings | Security Settings | Local
Policies | User Rights Assignment

Apply this policy to the computer OU.


--
Ace

Re: Restrict workstation to only allow logon by one user [message #409323 is a reply to message #409291] Wed, 10 March 2010 13:53
KevinJ.SBS (United States)
Chegu Tom wrote:
> Thanks guys but I know how to restrict a user to a specific machine. I
> want to BLOCK everyone but specific users from logging on to a
> machine.
> The second solution to "Deny log on locally". Would that allow any
> network user to log on? I am a little lost with OU and GPO
> terminology, Will that allow me to block all but specific users from
> using a specific machine?

Without implementing "denies", if the domain user is not a member of the
local group "users" then they won't be able to log on
(unless they belong to other local groups as well). Domain users are added
to the local "users" group by default when domain joined. If you change that,
or better, enforce with Restricted Groups via Group Policy, only the user /
groups you add will be able to log on to the workstation.

Greater restrictions may dictate greater limitations, local rights
modifications, or applying "denies" as needed.

>
>
> "Ace Fekay [MVP-DS, MCT]" <aceman@mvps.RemoveThisPart.org> wrote in
> message news:etcOVV7vKHA.1984@TK2MSFTNGP05.phx.gbl...
> "Chegu Tom" <noemail@yahoo.com> wrote in message
> news:u06pXx6vKHA.4552@TK2MSFTNGP04.phx.gbl...
>> I have a workstation on our network that should only allow a
>> specific user or group of users to login there. I can restrict the
>> user to a specific workstation but I want to restrict a workstation
>> to specific users. How do I configure that?
>>
>>
>
>
> Does this help?
>
> Restrict Users to Specific Workstations
> http://help.lockergnome.com/windows2/Restrict-Users-Specific-Workstations--ftopict482635.html
>
> Or to deny everyone except the specific user:
>
> Place all computers you want restricted into one OU then use GPO to
> "Deny log on locally" to the security group under:
> Computer Configuration | Windows Settings | Security Settings | Local
> Policies | User Rights Assignment
>
> Apply this policy to the computer OU.

--
/kj
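
The two mechanisms discussed in the replies above (the "Allow/Deny log on locally" user rights and membership of the local "users" group) can be checked on the workstation itself. The script below is an added example, not part of any poster's message; it assumes Windows PowerShell 5.1 or later in an elevated prompt, and uses `SeInteractiveLogonRight` and `SeDenyInteractiveLogonRight`, the names under which `secedit` exports those two rights.

```powershell
# Added example: audit who may log on locally to THIS workstation.
# Assumes Windows PowerShell 5.1+ in an elevated prompt on the workstation.
$cfg = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null

function Resolve-Principal([string]$Entry) {
    # secedit writes most principals as *<SID>; plain names pass through.
    $Entry = $Entry.Trim()
    if (-not $Entry.StartsWith('*')) { return $Entry }
    try {
        $sid = [System.Security.Principal.SecurityIdentifier]::new($Entry.Substring(1))
        $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch { $Entry }   # unresolvable (e.g. deleted account): show the raw SID
}

function Get-UserRight([string]$Name) {
    $hit = Select-String -Path $cfg -Pattern "^$Name\s*=" | Select-Object -First 1
    if (-not $hit) { return @() }   # right is assigned to nobody
    ($hit.Line -split '=', 2)[1] -split ',' | ForEach-Object { Resolve-Principal $_ }
}

$allow = @(Get-UserRight 'SeInteractiveLogonRight')       # "Allow log on locally"
$deny  = @(Get-UserRight 'SeDenyInteractiveLogonRight')   # "Deny log on locally"

'Allow log on locally:'
$allow | ForEach-Object { "  $_" }
'Deny log on locally (a deny overrides any allow):'
$deny | ForEach-Object { "  $_" }

# Expand allowed LOCAL groups one level to expose domain groups nested in
# them, e.g. Domain Users inside the local Users group.
foreach ($principal in $allow) {
    $group   = ($principal -split '\\')[-1]
    $members = Get-LocalGroupMember -Group $group -ErrorAction SilentlyContinue
    if ($members) {
        "Members of local group '$group':"
        $members | ForEach-Object { "  $($_.Name) [$($_.ObjectClass)]" }
    }
}
Remove-Item $cfg
```

Run it before and after the GPO is linked to the computer's OU (followed by `gpupdate /force`) to confirm that only the intended users or groups remain able to log on interactively.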
Re: Restrict workstation to only allow logon by one user [message #409509 is a reply to message #409291] Wed, 10 March 2010 18:32
aceman (United States)
"Chegu Tom" <noemail@yahoo.com> wrote in message news:%23FuoY4IwKHA.4196@TK2MSFTNGP02.phx.gbl...
> Thanks guys but I know how to restrict a user to a specific machine. I want
> to BLOCK everyone but specific users from logging on to a machine.
>
> The second solution to "Deny log on locally". Would that allow any network
> user to log on? I am a little lost with OU and GPO terminology, Will that
> allow me to block all but specific users from using a specific machine?
>



You are creating the restriction in a specific GPO and not globally, so no, it will not affect anyone that is not in the group used in the GPO applied to that specific OU.

Here are some links on GPOs and OUs.

Create or delete a Group Policy object
http://technet.microsoft.com/en-us/library/cc776678(WS.10).aspx

Creating and Working with GPOs: Group Policy
http://technet.microsoft.com/en-us/library/cc782678(WS.10).aspx

However, if you are not aware of how to organize domain objects with OUs, it implies that all your user accounts are probably still in the Users Container. This container is not an OU and a GPO cannot be applied to it. You would have to first organize your objects (users, computers, etc) before attempting this.

Based on this assumption, take a look at the following I previously wrote up, however have not published yet.

==================================================================
==================================================================
OU Structures and Group Policy Objects (GPOs) Design Considerations and Guidelines

It's suggested and recommended to not change the Default Domain Policy.
Keep in mind, whatever you set at the domain level will flow downhill to
everything. I would suggest to design your OU structure to reflect your
organization and/or departments, which will also help you create GPOs for
the OU design.

For example, for a company with more than one location/site, I would suggest
the following:

Domain
......Philly OU
...............Accounting
...............Sales
...............Marketing
...............Desktop
...............Users
...............Laptops
......Seattle OU
...............Accounting
...............Sales
...............Marketing
...............Desktops
...............Users
...............Laptops

I separated Laptops and Desktops because I have two different Windows Update
GPOs set. The Desktop Windows Update GPO I created runs at 3:00 AM, whereas
the Laptop Updates run at 3:30 PM while the users have the laptops in the
office. This design also allows me to create GPOs for the different offices,
or I can create one and link them to both offices. The design possibilities
are endless, especially if you control flow with Block Inheritance,
Loopback, WMI filtering, disabling the Computer or User portion of a GPO,
etc, however in many cases I do not use these features because trying to
support them 8 months later when there's a problem it is difficult to
remember what you had blocked, etc. Yes, you can use RSOP to look at what is
being applied, etc, but I find it easier to simply create another OU or a
child OU to have a different setting than the parent, such as the following,
where I created a GPO to lock the desktop with two different time settings.
The Desktops OU has a 30 minute setting, but I created a 15 Minute Timeout
OU directly beneath it. Because the identical setting is different on the
child, it overrides the parent's setting. I can simply "look" at my OUs and
know what I have applied.

......Seattle OU
...............Accounting
...............Sales
...............Marketing
...............Desktops
.....................15 Minute Timeout OU
...............Users
...............Laptops

These are just suggestions, and you may find that it may work for you, or
not. Even in a single site, I still do it this way, because it is flexible.
You never know when the customer or your company may expand. If they do,
simply create another OU for the new location.

Here's a basic visual of how GPOs work, and how it would flow downhill.
http://www.fekay.com/supportblogs/gpoflow.jpg

Design Considerations for Organizational Unit Structure and Use of Group Policy Objects
http://technet.microsoft.com/en-us/library/cc785903.aspx

TechNet Magazine: Group Policy
http://technet.microsoft.com/en-us/magazine/cc135925.aspx

Group Policy and Advanced Group Policy Management
http://technet.microsoft.com/en-us/windowsserver/grouppolicy/default.aspx

Win2k3 AD OU/GPO Design Discussion
http://www.tomshardware.com/forum/190896-46-win2k3-design-discussion

AD Scalability and GPOs
http://technet.microsoft.com/en-us/library/cc756101.aspx
==================================================================
==================================================================

--
Ace
