  1. #1
    Nick_Parker's Avatar

    Deny Login to Machines to all except certain OUs

    I'm trying to find a way of blocking all users from logging onto domain computers unless they have been added as an admin/power user/guest/user etc...

    At the moment, anybody with an account can log onto whichever computers they feel like, and I've discovered that a lot of kids and certain staff often go into the library and use the librarian's computer when she's not there.
    What I'd like to do is create an OU and add the 3 ladies who work in the Library on different days, and deny anybody from logging onto that machine except members of that library OU.

    Any suggestions would be greatly appreciated!

  2. #2

    Do you have W2K3 network?

    If so, using AD is one way, using Account > Log on to. This is tedious to set up though.

    I prefer to use Windows Security Groups and add members in that I wish to be able to use the machine(s). Then it is a matter of assigning in Computer Management.

    Furthermore, if it's only one or two machines you could simply edit the User section of Local Users and Groups, remove the 'Domain Users' and such like, add only the required staff and everyone else will receive a 'You cannot logon interactively' message, or something similar.
    Last edited by plock; 16th January 2008 at 01:28 PM.

  3. #3
    Nick_Parker's Avatar
    I tried removing the "Domain Users" from "Users" under "Local Users & Groups" and yet all accounts still seem to be able to log on...

    That is the way I had hoped to do it, are there any other accounts I need to remove?

  4. #4
    Nick_Parker's Avatar
    How and where do I configure the Windows Security Groups?

  5. #5
    DMcCoy's Avatar
    You can stop groups from logging into machines in a specific OU, not quite the way round you want it but it might work.

    In group policy there is a "Deny Logon Locally" option in the security settings. You can add groups to this to stop them logging on to the machine.

    Edit: Fix setting name

  6. #6

    Under the 'Users' group in 'Local Users and Groups' remove the following, 'Domain Users', 'Authenticated Users' and 'Interactive'.

    Your setup may be different and include other groups. However, only you will know what your Security Groups/Users are doing in the 'Users' group.

  7. #7
    ArchersIT's Avatar
    Quote: Originally Posted by Nick_Parker
    I'm trying to find a way of blocking all users from logging onto domain computers unless they have been added as an admin/power user/guest/user etc...
    <snip>
    Any suggestions would be greatly appreciated!

    Group policy allows you to set a machine setting that will block log on locally rights to certain security groups.

    It is in Windows Settings/Security Settings/Local Policies/User Rights Assignment and is called "Deny log on locally". We have this set to deny access by students to certain computers.

    Hope this helps.

    Jonathan

  8. #8

    @ ArchersIT - I use this method also. I prefer this as you can use Windows Security Groups.

  9. #9
    Nick_Parker's Avatar
    Thanks guys, I'll go give it a try now....

    My issue with using the "Deny Logon Locally" is that I don't want to deny certain OUs, I want to deny everyone EXCEPT certain OUs

  10. #10

    No, Deny Logon Locally doesn't Deny or Allow OUs. This works on Users or Security Groups. In this case it will Deny Logon Locally to certain Users/Security Groups that you specify.

  11. #11

    Join Date
    Apr 2007
    Posts
    33
    Thank Post
    0
    Thanked 1 Time in 1 Post
    Rep Power
    0
    Why don't you disable all the accounts in the OUs that you don't want to logon?

  12. #12

    @ frankybaloney - ?? - He is still going to require them to login to other resources around site?

    Disabling the computer/user accounts will lock the resource/user out of the network altogether?

  13. #13
    Nick_Parker's Avatar
    Thanks guys, sorted

  14. #14
    Nick_Parker's Avatar
    In case anybody is interested:

    I remove the "Domain Users", "Interactive User" & "Authenticated Users" accounts from under the 'Users' group in Local Users & Groups,

    then add the OU that I want to be able to access that computer under Power Users.

    thanks to everybody for your help & suggestions!

  15. #15

    You're most welcome!

    Glad you managed to sort it.
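
How the "Deny log on locally" right from posts #5, #7 and #10 combines with its companion "Allow log on locally" right, evaluated over the text of a user-rights export (`secedit /export /cfg <file> /areas USER_RIGHTS`). This is an added example, not part of the original thread; it goes slightly beyond the posts by reading the allow right as well, and the domain SID, group RIDs, sample export, user names and function names are constructed for illustration.

```python
# Added example: policy text, SIDs, RIDs and user names below are constructed.
ALLOW = "SeInteractiveLogonRight"      # "Allow log on locally"
DENY = "SeDenyInteractiveLogonRight"   # "Deny log on locally"
DOM = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed domain SID

# Constructed export for the library PC: only Administrators (S-1-5-32-544)
# and a "Library Staff" group (RID 1105) are allowed; "Students" (RID 1106)
# are denied. A real export must be decoded first (secedit writes UTF-16).
LIBRARY_PC_INF = f"""\
[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-5-32-544,*S-1-5-11
SeInteractiveLogonRight = *S-1-5-32-544,*{DOM}-1105
SeDenyInteractiveLogonRight = *{DOM}-1106
[Version]
signature="$CHICAGO$"
"""

def parse_privilege_rights(inf_text):
    """Return {right name: set of SIDs/account names} from [Privilege Rights]."""
    rights, in_section = {}, False
    for line in map(str.strip, inf_text.splitlines()):
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
        elif in_section and "=" in line:
            name, _, value = line.partition("=")
            # SIDs carry a leading '*'; entries without it are account names.
            rights[name.strip()] = {
                p.strip().lstrip("*").upper() for p in value.split(",") if p.strip()
            }
    return rights

def can_log_on_locally(token_sids, rights):
    """Apply both rights to one logon token; a deny entry overrides any allow."""
    token = {s.upper() for s in token_sids}
    if token & rights.get(DENY, set()):
        return False
    return bool(token & rights.get(ALLOW, set()))

# Constructed tokens: every domain user carries Domain Users (RID 513) and
# Authenticated Users (S-1-5-11), plus the security groups they were added to.
BASE = {f"{DOM}-513", "S-1-5-11"}
TOKENS = {
    "librarian": BASE | {f"{DOM}-1105"},
    "student": BASE | {f"{DOM}-1106"},
    "teacher": BASE,                                   # in neither group
    "student_helper": BASE | {f"{DOM}-1105", f"{DOM}-1106"},
}
RIGHTS = parse_privilege_rights(LIBRARY_PC_INF)
ALLOWED = sorted(n for n, t in TOKENS.items() if can_log_on_locally(t, RIGHTS))
print(ALLOWED)
```

Both rights take users or security groups, never OUs, so the library staff have to be collected in a group before either setting can refer to them.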
