  1. #1
    mrforgetful's Avatar

    Disable network logon for a Security Group or an OU

    Hi,

    I'm trying to set it up so teachers can disable kids from the internet and/or network.
    I've created a custom MMC with access to only one OU, in this OU there are two User Security Groups.
    One to disable the users Internet, and one to disable the User from logging onto the network.

    Disabling the Internet is easy enough I can just add the group to the Disabled Users group in ISA.

    I can not see any way though to be able to set it so anyone that's a member of a Security Group in AD will be disabled. Any ideas?

    Thanks.

  2. #2
    ChrisH's Avatar

    Re: Disable network logon for a Security Group or an OU

    I may be reading your post wrong, but don't you say in the first part that you can disable a group by adding it to the disabled users group?

  3. #3

    Ric_'s Avatar

    Re: Disable network logon for a Security Group or an OU

    You can use the delegation wizard to allow a security group to disable user accounts but IIRC there is no way to disable a security group.

  4. #4
    mrforgetful's Avatar

    Re: Disable network logon for a Security Group or an OU

    It's me not explaining things proper.

    I can disable a group of users in Active Directory from the Internet by adding an Active Directory Security Group to a group in ISA that's disabled. (Basically I can do the Internet blocking, that's sorted)

    I can't see any way of stopping anyone who's a member of a certain group in Active Directory from being able to log onto the Domain.

  5. #5
    ChrisH's Avatar

    Re: Disable network logon for a Security Group or an OU

    How about in a high-level GPO: Local Policies > User Rights Assignment > Deny logon locally, and add the group. Not sure if that will work but sounds about the right thing.

  6. #6

    Ric_'s Avatar

    Re: Disable network logon for a Security Group or an OU

    Quote Originally Posted by mrforgetful
    I can't see any way of stopping anyone who's a member of a certain group in Active Directory from being able to log onto the Domain.
    I don't think that this is possible. You would need to disable the individual user accounts.... maybe a script that examined the group membership and disabled the account if a certain group existed?

  7. #7


    Re: Disable network logon for a Security Group or an OU

    No, Chris is right. Make a GPO with the Deny Local Login permission applied to the desired group, and attach the GPO to the OU/OUs containing client PCs. To ban logons all you would have to do is change group membership.

    You could always just change the password or get an ASBO maybe

  8. #8
    mrforgetful's Avatar

    Re: Disable network logon for a Security Group or an OU

    Ric_: Your method would work yes, but I didn't really want to do it this way, wanted to keep it simple!

    ChrisH: I'd have thought this would just stop the user logging onto the actual Computer, not the Domain itself, will try it in a bit though.

    Ric_ (again): I think you're right, I'm not going to be able to do it a simple way.

    I think I'll just leave the idea, it's probably a bad one anyway, I'd end up having a teacher take a student off the network and then another put them back straight away for their lesson.

    Best leave the security and disciplinary actions in my hands

  9. #9


    Re: Disable network logon for a Security Group or an OU

    Quote Originally Posted by mrforgetful
    I'd end up having a teacher take a student off the network and then another put them back straight away for their lesson.
    .... instead of the teacher letting the student log on to their teacher account because "it's essential they have access this lesson to do research for coursework!"

  10. #10


    Re: Disable network logon for a Security Group or an OU

    Quote Originally Posted by mrforgetful
    ChrisH: I'd have thought this would just stop the user logging onto the actual Computer, not the Domain itself, will try it in a bit though.
    What is a domain if not a collection of computers? You should also use the Deny Network Login and Deny Login as a service.

    Also I wonder whether it is possible to delegate the disabling of accounts in user properties of ADUC.

    Anyway, I guess you're right, domain-wide powers should remain with the Techs
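
Added example, not part of any post in this thread: a PowerShell check that a client PC's exported user-rights policy lists the blocked group under all three deny rights named in posts #5, #7 and #10. The group SID and the sample export are constructed; on a real client the input comes from `secedit /export`, as the comments show.

```powershell
# Real input (elevated prompt on a client PC in the OU the GPO is linked to):
#   secedit /export /areas USER_RIGHTS /cfg C:\Temp\rights.inf
#   $inf = Get-Content C:\Temp\rights.inf -Raw
# Group SID (hypothetical group name): (Get-ADGroup 'NoLogon').SID.Value

function Get-MissingDenyRights {
    param(
        [Parameter(Mandatory)][string]$InfText,
        [Parameter(Mandatory)][string]$GroupSid
    )
    # Privilege constants behind the three GPO settings discussed in the thread.
    $wanted = [ordered]@{
        SeDenyInteractiveLogonRight = 'Deny log on locally'
        SeDenyNetworkLogonRight     = 'Deny access to this computer from the network'
        SeDenyServiceLogonRight     = 'Deny log on as a service'
    }
    $assigned = @{}
    foreach ($line in $InfText -split "`r?`n") {
        # Export lines look like: SeDenyNetworkLogonRight = *S-1-5-...,*S-1-5-...
        if ($line -match '^\s*(Se\w+)\s*=\s*(.*)$') {
            $assigned[$Matches[1]] = $Matches[2] -split ',' |
                ForEach-Object { $_.Trim().TrimStart('*') }
        }
    }
    # Emit the friendly name of every deny right that does NOT list the group.
    foreach ($right in $wanted.Keys) {
        if ($assigned[$right] -notcontains $GroupSid) { $wanted[$right] }
    }
}

# Constructed sample export: the (made-up) group SID is present on two of the
# three rights, so the service-logon right is reported as missing.
$sid = 'S-1-5-21-1111111111-2222222222-3333333333-1105'
$sample = @"
[Privilege Rights]
SeDenyInteractiveLogonRight = *S-1-5-32-546,*$sid
SeDenyNetworkLogonRight = *$sid
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545
"@
Get-MissingDenyRights -InfText $sample -GroupSid $sid
```

An empty result means the client denies local, network and service logon to the group, so changing group membership is enough to block a pupil on that machine.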

  11. #11
    sahmeepee's Avatar

    Re: Disable network logon for a Security Group or an OU

    It depends what you're after really. If it's a sanction for a handful of kids in that OU and you're "brave" enough to let the chalkmongers have delegated control over the user accounts, can't you just tell them to disable the user accounts?

    The only downsides I can see with that are:

    It might screw up their ability to receive mail in Exchange (?) if you use it
    It's not immediately obvious which accounts have been disabled by a teacher and which were disabled anyway.

    Amongst the many reasons I'd be wary of delegating that control to teachers is that you'd have a fun time keeping track of who disabled whom and why - you'd probably end up with a load of kids who couldn't log on and nobody would know why. The kids may well not be willing to tell you (if that means you have to put them back on).

    If you're determined, I'd give it to them via a script interface that logs the teacher's username and prompts them for a reason why and a date when the pupil should be reinstated. We got loads of requests for kids to be taken off inet/network/email, but they never remembered to get them put back on again, so we always ask how long they should be off for.
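
One way to build the script interface described in post #11, as an added example that is not from the thread: it records who disabled whom, why, and until when, and stamps the account so teacher-disabled accounts can be told apart from ones disabled for other reasons. The OU path, log path, `SUSPENDED;` marker format and function names are assumptions; it needs the ActiveDirectory module and delegated rights on the pupil OU.

```powershell
#Requires -Modules ActiveDirectory
$PupilOU = 'OU=Pupils,DC=school,DC=example'       # hypothetical delegated OU
$LogFile = '\\fileserver\itlogs\suspensions.csv'  # hypothetical append-only share

function Write-SuspensionLog($Action, $Pupil, $Detail) {
    [pscustomobject]@{ When = (Get-Date -Format s); By = "$env:USERDOMAIN\$env:USERNAME"
                       Action = $Action; Pupil = $Pupil; Detail = $Detail } |
        Export-Csv -Path $LogFile -Append -NoTypeInformation
}

function Suspend-Pupil {
    # Mandatory parameters make PowerShell prompt the teacher for anything omitted.
    param(
        [Parameter(Mandatory)][string]$Pupil,
        [Parameter(Mandatory)][string]$Reason,
        [Parameter(Mandatory)][datetime]$ReinstateOn
    )
    $user = Get-ADUser -Identity $Pupil -Properties info
    if ($user.DistinguishedName -notlike "*,$PupilOU") { throw "$Pupil is outside $PupilOU" }
    # Already-disabled accounts were disabled by someone else: leave them alone.
    if (-not $user.Enabled) { throw "$Pupil is already disabled" }
    # Stamp first so a teacher-disabled account is always identifiable.
    # Note: this overwrites any existing text in the account's Notes field.
    $marker = 'SUSPENDED;{0};{1:yyyy-MM-dd};{2}' -f $env:USERNAME, $ReinstateOn, $Reason
    Set-ADUser -Identity $user -Replace @{ info = $marker }
    Disable-ADAccount -Identity $user
    Write-SuspensionLog 'Disable' $user.SamAccountName "until $($ReinstateOn.ToString('yyyy-MM-dd')): $Reason"
}

function Restore-DuePupils {
    # Intended for a daily scheduled task; only touches accounts carrying the marker.
    Get-ADUser -SearchBase $PupilOU -LDAPFilter '(info=SUSPENDED;*)' -Properties info |
        ForEach-Object {
            $due = [datetime]::ParseExact(($_.info -split ';', 4)[2], 'yyyy-MM-dd',
                                          [cultureinfo]::InvariantCulture)
            if ($due -le (Get-Date).Date) {
                Enable-ADAccount -Identity $_
                Set-ADUser -Identity $_ -Clear info
                Write-SuspensionLog 'Enable' $_.SamAccountName 'reinstatement date reached'
            }
        }
}
```

Because reinstatement keys on the marker rather than on the disabled flag, accounts disabled by IT staff for other reasons are never re-enabled by the scheduled task.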
