+ Post New Thread
Results 1 to 11 of 11
Windows Thread, Disabling Students from logging onto Computers in unsupervised areas in Technical; I want to stop users from logging onto certain machines that are in places where they are unsupervised, I have ...
  1. #1

    Join Date
    Feb 2008
    Posts
    79
    Thank Post
    1
    Thanked 0 Times in 0 Posts
    Rep Power
    0

    Disabling Students from logging onto Computers in unsupervised areas

    I want to stop users from logging onto certain machines that are in places where they are unsupervised, I have disabled the machine accounts in Active Directory but users are still able to logon to the machines.

    What is the best way to do this or what is going on why disabling the computer accounts hasn't worked.

  2. #2

    FN-GM's Avatar
    Join Date
    Jun 2007
    Location
    UK
    Posts
    16,376
    Thank Post
    906
    Thanked 1,811 Times in 1,559 Posts
    Blog Entries
    12
    Rep Power
    468
    In group policy under local settigns you can restric it so a particular group cant logon?

    Do you want the students not to be able to logon at all?

  3. #3

    Join Date
    Feb 2008
    Posts
    79
    Thank Post
    1
    Thanked 0 Times in 0 Posts
    Rep Power
    0
    Many Thanks we don't want the students logging onto the computers at all.

  4. #4
    SC-UK's Avatar
    Join Date
    Feb 2009
    Location
    London
    Posts
    569
    Thank Post
    36
    Thanked 85 Times in 71 Posts
    Rep Power
    30
    Do you not want them logging into these machines at all ever (i.e. admin machines) or are they student machines that simply need to be "out of bounds" whilst they are unsupervised?

  5. #5

    Join Date
    Feb 2008
    Posts
    79
    Thank Post
    1
    Thanked 0 Times in 0 Posts
    Rep Power
    0
    They need to be disabled for ever untill further notice, and switched back on when when need be.

  6. #6
    SC-UK's Avatar
    Join Date
    Feb 2009
    Location
    London
    Posts
    569
    Thank Post
    36
    Thanked 85 Times in 71 Posts
    Rep Power
    30
    In that case as FN-GM suggests, add the students group in GP to the option that prevents them logging into machines in a particular OU.

    See here - hoping somebody will be able to clarify for me exactly what the setting is called and where abouts it is! Teachers computers

    Tom

  7. #7

    Michael's Avatar
    Join Date
    Dec 2005
    Location
    Birmingham
    Posts
    9,345
    Thank Post
    242
    Thanked 1,602 Times in 1,278 Posts
    Rep Power
    346
    I have disabled the machine accounts in Active Directory but users are still able to logon to the machines
    There's something not right there. That should stop anyone logging onto the machines.

    Other than this (and Active Directory is a bit weak here), highlight a selection of pupils, right click > Properties. Choose the 'Account' tab and tick to enable Computer Restrictions. Click the 'Log On To' button, select 'The following computers' and only type in the machines you want pupils to logon to. This could be a long job if you have hundreds of machines unfortunately.

  8. #8

    mac_shinobi's Avatar
    Join Date
    Aug 2005
    Posts
    10,053
    Thank Post
    3,585
    Thanked 1,123 Times in 1,025 Posts
    Rep Power
    377
    so its not possible to drag and drop those computers into a selected OU and restrict a list of users logging into those computers ?

  9. #9
    MicrodigitUK's Avatar
    Join Date
    May 2007
    Location
    Wiltshire
    Posts
    340
    Thank Post
    38
    Thanked 56 Times in 52 Posts
    Rep Power
    25
    Quote Originally Posted by mac_shinobi View Post
    so its not possible to drag and drop those computers into a selected OU and restrict a list of users logging into those computers ?
    I have it working on my site with an OU that stops any member of the Students group login on. I also do the same to individual workstations in other OUs. To do these apply GPOs by Security group membership of the workstation and then just make the teaching computer a member of that group (allowed to apply the GPO that stop student logon).

  10. #10

    SYNACK's Avatar
    Join Date
    Oct 2007
    Posts
    11,271
    Thank Post
    884
    Thanked 2,749 Times in 2,322 Posts
    Blog Entries
    11
    Rep Power
    785
    Quote Originally Posted by mac_shinobi View Post
    so its not possible to drag and drop those computers into a selected OU and restrict a list of users logging into those computers ?
    Its easy to just have a permit list of users or groups instead:

    Quote Originally Posted by SYNACK View Post
    There is a way to do this that will allow you to just let the teachers on and block everyone else without needing to specify each group individually.

    Make sure you have a security group with your teachers in it. Then chuck the machine into its own OU under where it is at the moment in AD and add a new group policy object to that OU. Inside that group policy you want to go to:

    Computer Configuration> Windows Settings> Security Settings> Local Policies> User Rights Assignment: Log on locally

    Then remove the Users group and the add the group that you created earlier. This will let your two teacher log on and also allow administrators to in case they/you need to fix something.

    Have this setup in our school office to stop teachers messing with the reception computers.

    Adapted from: restricting who can log on to a certain machine

  11. #11
    MicrodigitUK's Avatar
    Join Date
    May 2007
    Location
    Wiltshire
    Posts
    340
    Thank Post
    38
    Thanked 56 Times in 52 Posts
    Rep Power
    25
    I made a new GPO called “No Students Logon” under the “MainSite” container(OU).

    In the “No Students Logon” GPO properties tick the box for “disable the User Configuration settings” for minor efficiency.

    Made a new security group “No Students Logon” in “Sheldon.internal” and ensured that the only group that can apply the “No Students Logon” GPO is “ProjectorsGroup”.

    Edited the “No Students Logon” policy go to "Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Deny Logon Local", enable that setting and only add the existing "Students" group.

    And for each computer that students are NOT allowed to log onto, in active directory I went to the computers “properties” and to the “member of” tab adding “ProjectorsGroup” and that should ban all students from that computer.



SHARE:
+ Post New Thread

Similar Threads

  1. disabling pupils from locking computers
    By peterpan in forum Network and Classroom Management
    Replies: 9
    Last Post: 27th January 2009, 05:46 PM
  2. Logging on multiple computers.
    By gwendes in forum Network and Classroom Management
    Replies: 20
    Last Post: 13th November 2007, 12:56 AM
  3. Replies: 11
    Last Post: 16th October 2007, 03:37 PM

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •