Client Access Rights

Discussion in 'MCSE' started by Blaze, Feb 22, 2005.

  1. Blaze

    Blaze Guest

    Hi

    How can I restrict a Domain User Group from accessing a range of client
    PCs, i.e. Admin cannot log on to Sales Department's PCs and vice versa?
    Blaze, Feb 22, 2005
    #1

  2. It is part of the individual user accounts, where you set which machines
    they are allowed to log into. I don't think it can be done by "groups".


    --

    Phillip Windell [MCP, MVP, CCNA]
    www.wandtv.com


    "Blaze" <> wrote in message
    news:h0PSd.51$...
    > Hi
    >
    > How can I restrict a Domain User Group from accessing a range of client
    > PCs, i.e. Admin cannot log on to Sales Department's PCs and vice versa?
    >
    >
    Phillip Windell, Feb 22, 2005
    #2

  3. You can use Group Policy to do such. For instance place a group of computer
    accounts in an Organizational Unit. Then create a Group Policy for that OU
    and add the global group you want to restrict to the "deny logon locally" or
    "deny access to this computer from the network" user right in computer
    configuration/Windows settings/security settings/local policies/user rights.
    Note that while this will work in general, ultimately you cannot restrict a
    domain admin that does not want to be restricted as they always have the
    power to undo settings that restrict them. To do such you really need to use
    separate domains or better yet separate forests. You still can connect
    forests and/or domains with trusts. --- Steve


    "Blaze" <> wrote in message
    news:h0PSd.51$...
    > Hi
    >
    > How can I restrict a Domain User Group from accessing a range of client
    > PCs, i.e. Admin cannot log on to Sales Department's PCs and vice versa?
    >
    Steven L Umbach, Feb 23, 2005
    #3
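
A way to verify the approach in post #3 on a target workstation, as an added example that is not part of the thread: the script parses the `[Privilege Rights]` section of a template written by `secedit /export /cfg rights.inf /areas USER_RIGHTS` and reports which of the two deny rights do not yet list the restricted group. The sample export and its SIDs are constructed, and the function names are this example's own.

```python
"""Check a secedit USER_RIGHTS export for the two deny-logon rights."""

# Privilege constants behind the two user rights named in post #3.
DENY_RIGHTS = {
    "SeDenyInteractiveLogonRight": "Deny log on locally",
    "SeDenyNetworkLogonRight": "Deny access to this computer from the network",
}

# Constructed sample export from a Sales workstation; the SIDs are made up.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-5-32-544,*S-1-5-32-545
SeDenyInteractiveLogonRight = *S-1-5-21-1111111111-2222222222-3333333333-1105
SeDenyNetworkLogonRight = *S-1-5-32-546
[Version]
signature="$CHICAGO$"
Revision=1
"""

def parse_privilege_rights(inf_text):
    """Return {privilege: set of principals} from the [Privilege Rights] section."""
    rights, section = {}, None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section == "privilege rights" and "=" in line:
            name, _, value = line.partition("=")
            # secedit writes SIDs with a leading '*'; account names appear verbatim.
            members = {m.strip().lstrip("*").upper() for m in value.split(",") if m.strip()}
            rights[name.strip()] = members
    return rights

def missing_denies(inf_text, group_sid):
    """List the deny-logon rights (friendly names) that do NOT include group_sid."""
    rights = parse_privilege_rights(inf_text)
    sid = group_sid.upper()
    return [label for priv, label in DENY_RIGHTS.items() if sid not in rights.get(priv, set())]

if __name__ == "__main__":
    admin_group = "S-1-5-21-1111111111-2222222222-3333333333-1105"  # hypothetical group SID
    for label in missing_denies(SAMPLE_INF, admin_group):
        print("NOT denied:", label)
```

In the constructed sample the group is denied local logon but not network logon, so the second right is reported as missing.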
  4. Blaze,

    You can do this with Group Policy. Make a container in AD which contains
    all the COMPUTERS (not users) in the admin and sales dept. Create a group
    policy and, in it, go to COMPUTER CONFIGURATION > ADMINISTRATIVE TEMPLATES >
    SYSTEM > LOGON. Now find the rule called "Only allow local user profiles"
    and enable it. Now apply this policy to the container you made containing
    the computers you want this enforced on. You will have to go to the
    individual computers and delete the accounts off of them that you don't
    want logged on. The reason for this is, when a roaming user logs into a
    network machine, Windows automatically downloads that user into the local
    profiles. Once the machine policy is set, they won't be able to do this,
    and the only way for a different user to log in is if the Network Admin
    (You) installs that account on the local machine using the administrative
    computer account. Hope this helps. Using Group Policy for the first time
    always takes some experimentation.

    "Blaze" wrote:

    > Hi
    >
    > How can I restrict a Domain User Group from accessing a range of client
    > PCs, i.e. Admin cannot log on to Sales Department's PCs and vice versa?
    >
    >
    >
    Scott Ford, Feb 23, 2005
    #4
  5. Kurt

    Kurt Guest

    This would only be a problem if the users in question had domain admin
    rights. I think you've hit the solution on the head. If the OP's users are
    all domain admins, there's little hope for any kind of security.


    ...kurt

    "Steven L Umbach" <> wrote in message
    news:...
    > You can use Group Policy to do such. For instance place a group of computer
    > accounts in an Organizational Unit. Then create a Group Policy for that OU
    > and add the global group you want to restrict to the "deny logon locally" or
    > "deny access to this computer from the network" user right in computer
    > configuration/Windows settings/security settings/local policies/user rights.
    > Note that while this will work in general, ultimately you cannot restrict a
    > domain admin that does not want to be restricted as they always have the
    > power to undo settings that restrict them. To do such you really need to use
    > separate domains or better yet separate forests. You still can connect
    > forests and/or domains with trusts. --- Steve
    >
    > "Blaze" <> wrote in message
    > news:h0PSd.51$...
    > > Hi
    > >
    > > How can I restrict a Domain User Group from accessing a range of client
    > > PCs, i.e. Admin cannot log on to Sales Department's PCs and vice versa?
    Kurt, Feb 23, 2005
    #5
  6. Blaze

    Blaze Guest

    Thanks Guys :)


    Blaze, Feb 25, 2005
    #6