Disable network logon for a Security Group or an OU

[mrforgetful]

Hi,

I'm trying to set it up so teachers can disable kids from the internet and/or network.
I've created a custom MMC with access to only one OU, in this OU there are two User Security Groups.
One to disable the users Internet, and one to disable the User from logging onto the network.

Disabling the Internet is easy enough I can just add the group to the Disabled Users group in ISA.

I can not see any way though to be able to set it so anyone that's a member of a Security Group in AD will be disabled. Any ideas?

Thanks.

[ChrisH]

I may be reading your post wrong but dont you say in the first part that you can disable a group by adding it to the disabled users group?

[Ric_]

You can use the delegation wizard to allow a security group to disable user accounts but IIRC there is no way to disable a security group.

[mrforgetful]

It's me not explaining things proper.

I can disable an group of users in Active Directory from the Internet by adding an Active Directory Security Group to a group in ISA that's disabled. (Basically I can do the Internet blocking, that's sorted)

I can't see any way of stopping anyone who's a member of a certain goup in Active Directory from being able to log onto the Domain.

[ChrisH]

How about in a high level GPO Local Policies > User right Assignment > Deny logon locally and add the group. Not sure if that will work but sounds about the right thing.

[Ric_]

I can't see any way of stopping anyone who's a member of a certain goup in Active Directory from being able to log onto the Domain.

I don't think that this is possible. You would need to disable the individual user accounts.... maybe a script that examined the group membership and diabled the account if a cewrtain group existed?

[NetworkGeezer]

No, Chris is right. If you make a GPO with the Deny Local Login permission applied to the desired group. Attach the GPO to the OU/OUs containing client PCs. To ban logons all you would have to do is change group membership.

You could always just change the password or get an ASBO maybe

[mrforgetful]

Ric_: Your method would work yes, but I didn't really want to do it this way, wanted to keep it simple!

CrisH: I'd have thought this would just stop the user logging onto the actual Computer, not the Domain itself, will try it in a bit though.

Ric_ (again): I think you're right, I'm not going to be able to do it a simple way.

I think I'll just leave the idea, it's probably a bad one anyway, I'd end up having a teacher take a student off the network and then another put them back straight away for their lesson.

Best leave the security and disciplinary actions in my hands

[SteveT]

I'd end up having a teacher take a student off the network and then another put them back straight away for their lesson.

.... instead of the teacher letting the student log-on to their teacher account because "it`s essential they have access this lesson to do research for coursework!"

[NetworkGeezer]

CrisH: I'd have thought this would just stop the user logging onto the actual Computer, not the Domain itself, will try it in a bit though.

What is domain if not a collection of computers. You should also use the Deny Network Login and Deny Login as a service.

Also I wonder whether it is possible to delegate the disabling of accounts in user properites of ADUC.

Anyway, I guess you right domain wide powers should remain with the Techs

[sahmeepee]

it depends what you're after really. If it's a sanction for a handful of kids in that OU and you're "brave" enough to let the chalkmongers have delegated control over the user accounts, can't you just tell them to disable the user accounts?

The only downsides I can see with that are:

It might screw up their ability to receive mail in exchange (?) if you use it
It's not immediately obvious which accounts have been disabled by a teacher and which were disabled anyway.

Amongst the many reasons I'd be wary of delegating that control to teachers is that you'd have a fun time keeping track of who disabled whom and why - you'd probably end up with a load of kids who couldn't log on and nobody would know why. The kids may well not be willing to tell you (if that means you have to put them back on).

If you're determined, I'd give it to them via a script interface that logs the teachers username and prompts them for a reason why and a date when the pupil should be reinstated. We got loads of requests for kids to be taken off inet/network/email, but they never remembered to get them put back on again, so we always ask how long they should be off for.