I have a very simple question but i cant seem to figure it out.

I want to use group policy to apply to a group of users so they can only
login to a group of computers.

I have a small group of computers that i only want one group of users to be
able to login and keep other domain users off the machines.

aka accounting users...to be able to login to accounting machines only
Nobody else should be able to login
Accounting users shouldnt be able to login to other machines as well.

WHat is the best way to do this? I cant seem to find a solution and it seems
like an easy thing to do.

florian frommherz [mvp]

Howdie!

scale schrieb:


Two steps here: Group those machines that shall only allow logins from a
certain group into a OU and apply the following policy:

CompConf\Windows Settings\Security Settings\Local Policies\User Rights
Assignment - "Allow Log on locally".

This lists the users and group allowed to log on locally at the
machines. Add your group in there and wipe all other users out (but
leave your Admins group in there in order to not lock yourself out).

Second: get your accounting users and modify their "Log on to" attribute
through Active Directory Users and Computers Properties.

cheers,

Florian
--
Microsoft MVP - Windows Server - Group Policy.
eMail: prename [at] frickelsoft [dot] net.
blog: http://www.frickelsoft.net/blog.

Thank you Florian!

I knew it was simple.

will i have to go in and change local policy on each machine to remove the
existing accounts?
I assume group policy will override anything in local policy and not "merge"
with local policy correct?

Right now my GPO limits log on locally to administrators / domain admins and
the accounting group. Will this over ride the local policy on each machine
limiting the logins to just these 3 specific user objects or will it merge
with the default local policy for log on locally?

g johansson

A GPO created in the domain always overwrites local GPO.

--
Regards G Johansson
fantomen@NOSPAM.GPfaq.se
http://GPfaq.se

florian frommherz [mvp]

Howdie!

scale schrieb:

It (the AD-policy) will definately overwrite the local policy. It the
principle that you, as the Active Directory Group Policy Administrator
should have more "power" than local administrators and therefore
"replace" settings made locally.

cheers,

Florian
--
Microsoft MVP - Windows Server - Group Policy.
eMail: prename [at] frickelsoft [dot] net.
blog: http://www.frickelsoft.net/blog.