|
Posted by =?Utf-8?B?SGFydmV5?= on October 17, 2006, 11:33 am
If you were Registered and logged in, you could reply and use other advanced thread options
Harvey
"Roger Abell [MVP]" wrote:
> The most simple and direct way to do this is to take control over either
> the user right to Log on locally, or, the membership of the Users group,
> on each machine. You can do either using a GPO linked to the OU that
> contains the affected machines (in your case you may want to consider
> a minor reorganization so that there is an OU for computers of each lab,
> likely as a subOU within the current OU)
> You need to be very careful that Authenticated Users and/or Domain
> Users are not granted the local login user right, either directly or via
> membership in Users (if Users is given that user right)
> --
> Roger Abell
> Microsoft MVP (Windows Server : Security)
>
> > We have a Win 2003 domain that has several OUs. Each OU has several
> > user-groups for different Labs -- for security issues, e.g. file sharing,
> > printer sharing etc. Currently, all users in a OU can login to any
> > computer
> > that
> > belongs to that OU (not neccessary in the same Lab). Now, a director of a
> > lab
> > asks me if there is a way to allow only users in his lab be able to log in
> > to his lab's computers. That is only one group of users can log in some
> > computers, but other user-groups cannot log in those computers even they
> > are
> > in the same OU. Is it possible to do this? How to do it?
> >
> > Any help or link is greatly appreciated!
> >
> > Harvey
> >
>
>
>
| 
XML site map