  1. #1

    Disable logon for group but allow login for one user in that group

    Hello,

    We have a number of staff laptops. Each has been assigned to an individual member of staff. What we want to do is limit who can log into the laptop. All members of staff belong to the same security group, e.g. AllStaff. Is it possible to limit this group from logging into the laptop but allow one user in that group (the user who the laptop is assigned to) to be able to log in?

    I think that makes sense.

    Thank you,
    William

  2. #2
    themightymrp
    In Active Directory, in the properties for each user you can go to the "Account" tab and then the "Log On To" button and manually specify a machine name that the user can log onto? It would mean assigning each staff member to their own machine name...

    You could combine this with the GPO setting: Computer Config --> Policies --> Windows Settings --> Security Settings --> Local Policies --> User Rights Assignment --> Deny Logon Locally and set it to exclude students.

  3. #3
    RichCowell
    Originally posted by themightymrp:
    In Active Directory, in the properties for each user you can go to the "Account" tab and then the "Log On To" button and manually specify a machine name that the user can log onto? It would mean assigning each staff member to their own machine name...
    Wouldn't you have to manually add every other machine in school that you want them to be able to log on to then?

  4. #4

    Originally posted by RichCowell:
    Wouldn't you have to manually add every other machine in school that you want them to be able to log on to then?
    I should say that we have teacher desktops in each room so the method mentioned above would not be feasible. Would take too much effort to set up every computer with access.

    Thank you,
    William

  5. #5
    themightymrp
    Yep, I agree it's not the best idea. But if staff have their own laptop, would they need to log onto anything else?

  6. #6

    Originally posted by themightymrp:
    ... But if staff have their own laptop, would they need to log onto anything else?
    We have had a number of issues with staff sharing laptops, and if something is damaged it's the assigned user who will take responsibility, but a lot dispute it due to sharing.

    Thank you,

  7. #7


    You can't use the staff group, as a deny will always beat an allow, so unless you add them all manually to each laptop I can't see a way to do it (you might make it a bit easier by adding staff to smaller groups, say y1/y2/english etc.; you could then bulk block most staff and just individually block those in the same dept, but it sounds like a lot of work).

    As to other PCs, no, just put all laptops in an OU and only apply the policy to those PCs (or add PCs to a group and filter it).

    Might be easier to sidestep it: if they support BitLocker, force an individual PIN code on everyone, then while ever the laptop isn't on they shouldn't know the code to even fire it up.

  8. #8
    RichCowell
    Sounds like it's going to be a nightmare to manage with any option this way... You're bound to get loads of requests to let other staff log on to their laptops - when others forget their laptops...

    If they're staff laptops - surely they're responsible enough to look after their own laptops and not let other people log onto them...

  9. #9
    themightymrp
    Originally posted by RichCowell:

    If they're staff laptops - surely they're responsible enough to look after their own laptops and not let other people log onto them...
    HAHAHAHAH!!!!

  10. Thanks to themightymrp from:

    william_tropico (9th June 2014)

  11. #10
    RichCowell
    Originally posted by themightymrp:
    HAHAHAHAH!!!!
    haha maybe not then... They wouldn't dare here

  12. #11
    themightymrp
    Your best bet is to use the GPO option I mentioned above on the OU containing staff laptops. Just deny students the option to log onto the staff laptops. Trying to narrow it down to individuals is going to get too fussy. You could write a complex logon script which checks username against computer name but again it would take too long.

  13. #12
    RichCowell
    Originally posted by themightymrp:
    Your best bet is to use the GPO option I mentioned above on the OU containing staff laptops. Just deny students the option to log onto the staff laptops. Trying to narrow it down to individuals is going to get too fussy. You could write a complex logon script which checks username against computer name but again it would take too long.
    Agreed about it being too fussy...

    I added something to the login script at my last school that stopped students logging on to staff machines by checking to see if the username began with a 00/01/02 etc. then logged them off automatically... worked really well, but not had chance to faff about and do the same thing here (after nearly 7 years! lol) Once you'd got it right though, that would be far easier to manage than the GPO I would imagine... either way you'd need one GPO or script per member of staff...

  14. #13


    Originally posted by RichCowell:
    Agreed about it being too fussy...

    I added something to the login script at my last school that stopped students logging on to staff machines by checking to see if the username began with a 00/01/02 etc. then logged them off automatically... worked really well, but not had chance to faff about and do the same thing here (after nearly 7 years! lol) Once you'd got it right though, that would be far easier to manage than the GPO I would imagine... either way you'd need one GPO or script per member of staff...
    Scripting with PowerShell, I suppose you could get it to query AD for all staff, individually add them all to the block list, then have a text file called laptop06 or whatever with the allowed user in and get it to then remove the deny for that user, but again it sounds like a lot of work.
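
The approach sketched in post #13, written out as an added PowerShell example (not code from any poster in the thread): it expands the staff group, puts every member except the laptop's assigned user on "Deny log on locally", and applies that with secedit. The owner-file path and the Guests entry are assumptions of this example; AllStaff is the group name from the first post.

```powershell
#Requires -Modules ActiveDirectory
# Added example; run elevated on the laptop. Assumptions: RSAT AD module present,
# group 'AllStaff' (named in the thread), and a hypothetical owner file
# C:\ProgramData\LaptopOwner\<COMPUTERNAME>.txt holding one sAMAccountName.
param(
    [string]$StaffGroup = 'AllStaff',
    [string]$OwnerFile  = "C:\ProgramData\LaptopOwner\$env:COMPUTERNAME.txt",
    [switch]$Apply      # without -Apply the template is written but not applied
)
$ErrorActionPreference = 'Stop'

# 1. Read the single allowed user for this laptop.
$owner = "$(Get-Content -Path $OwnerFile -TotalCount 1)".Trim()
if (-not $owner) { throw "No owner listed in $OwnerFile" }

# 2. Expand the staff group to individual user accounts, nested groups included.
$staff = @(Get-ADGroupMember -Identity $StaffGroup -Recursive |
    Where-Object { $_.objectClass -eq 'user' })

# A typo in the owner file must not end up denying the real owner.
if ($staff.SamAccountName -notcontains $owner) {
    throw "$owner is not a member of $StaffGroup; no changes made"
}

# 3. Deny everyone except the owner, by SID (a leading '*' marks a SID).
#    BUILTIN\Guests (S-1-5-32-546) is added because this replaces the local list.
$deny = @('*S-1-5-32-546') + @($staff |
    Where-Object { $_.SamAccountName -ne $owner } |
    ForEach-Object { '*' + $_.SID.Value })

# 4. Write a security template that sets only "Deny log on locally".
$inf = @(
    '[Unicode]', 'Unicode=yes',
    '[Version]', 'signature="$CHICAGO$"', 'Revision=1',
    '[Privilege Rights]',
    'SeDenyInteractiveLogonRight = ' + ($deny -join ',')
)
$cfg = Join-Path $env:TEMP "deny-logon-$env:COMPUTERNAME.inf"
Set-Content -Path $cfg -Value $inf -Encoding Unicode

# 5. Apply it with secedit; only the USER_RIGHTS area is touched.
if ($Apply) {
    $db = Join-Path $env:TEMP "deny-logon-$env:COMPUTERNAME.sdb"
    secedit.exe /configure /db $db /cfg $cfg /areas USER_RIGHTS /quiet
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "secedit exit code $LASTEXITCODE; check $env:windir\security\logs\scesrv.log"
    }
}
"{0}: {1} staff denied, '{2}' allowed; template: {3}" -f $env:COMPUTERNAME, ($deny.Count - 1), $owner, $cfg
```

A domain GPO that defines "Deny log on locally" replaces this local value at the next policy refresh, and staff added to the group later are not denied until the script is rerun. Any IT account that is itself a member of the staff group would be denied on the laptop as well.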

  15. #14

    Originally posted by RichCowell:
    If they're staff laptops - surely they're responsible enough to look after their own laptops and not let other people log onto them...
    HAHA I wish!

    Maybe the best we can do is limit logon to teachers only (stop the students anyway).

    I will see what PowerShell can do for us.

    Thanks for all the replies though.

    William

  16. #15
    themightymrp
    I think @sted is on the right lines with breaking things into smaller groups. Split your staff laptops OU into departments, and split your members of staff into departments. Then you could just allow Maths teachers to log onto Maths laptops. The admin side of doing this is not massive and at least you can narrow down the culprits a little better.

    You could still deny student logons overall to the staff laptops using the GPO mentioned at the beginning.


