| Author | Messages | |
sbdcunha
Posts:52
 | | 03/31/2010 6:45 PM |
| Dear Guys
Thanks to you Rob for your assistance. Actually, to be more explanatory:
I have created a domain user testuser123 with a password and joined one XP PC (machine name is sits) to my AD server with no problems, and with the same user (testuser123) I did go to one server and successfully logged in.
the local drives C, D, E were all available
then I just followed Jonathan Watts' reply, as below:
---------------------
Hi Simon
Open the properties of the user account in AD, go to the Account tab and click the "Log on to" button. You can restrict what machines a user can log on to from there.
Jon
-------------------
and then when I try to log in as domain user testuser123 onto the domain I get the following message
your user account is configured to prevent you from using this computer pls try another computer
but when I try to log on to the domain from the sits XP PC I can log in successfully, which is just perfect, exactly what I would want
thank you Jonathan for this
but I just would like to know if it can be done via a GPO since I have to do this individually for every user.
appreciate your help with some example and details
by the way Rob, I'm an Indian working in Kuwait
Regards and Thanks
simon
> Glad I could assist
>
> Just make the members of the SW Dev guys a member of the local
> Administrators group of the servers they are responsible for. Do this on
> each respective server. It's in Admin Tools > Computer Mgmt > Groups.
> Other users will not be able to logon unless you have done something a bit
> obscure.
>
> Tomorrow, please verify that a standard user CANNOT log onto your servers.
> If they can, then we need to look at why they can.
>
> No worries about your limitations on AD based on your Linux background.
> You will see the light soon
>
> Regards,
> Rob
>
> ________________________________________
> From: activedir-owner@mail.activedir.org [activedir-owner@mail.activedir.org] on behalf of Benedict simon [simon@kmun.gov.kw]
> Sent: 30 March 2010 20:05
> To: activedir@mail.activedir.org
> Subject: RE: Thanks RE: [ActiveDir] restrict user to log only to his workstation
>
> Thanks Rob and you guys,
>
> really appreciate your wise answers
> by the way you are right Rob, I haven't tested it on servers but just checked it
> out on some client XP machines.
> Actually one of the software developers just fired me with this question and
> scared me out, so I was googling on the net trying to find some solution but
> could not really come up with something.
>
> actually down here the servers are individually managed by the software
> developers and I could not test them logging in individually
> but tomorrow I will
>
> I don't have any custom GPOs.
>
> Btw actually my knowledge in AD is quite limited, since I'm a Linux admin.
> sorry for asking some basic stuff
>
> regards
>
> simon
>
>> Hi Simon
>>
>> I haven't been to Kuwait in 7 years but really enjoyed my short 2 week
>> stay there in the past.
>>
>> I am having some difficulty understanding the question.
>>
>> However, your standard users should not be permitted to log onto the
>> Servers. Have you tested this, or are you assuming that they can indeed
>> logon to the servers?
>>
>> If they can, have you created any custom GPOs. Have you added your users
>> to the domain admins group etc.
>>
>> Regards,
>> Rob
>> http://robsilver.org
>>
>> ________________________________________
>> From: activedir-owner@mail.activedir.org [activedir-owner@mail.activedir.org] on behalf of Greg Owens [GOwens@advocatesinc.org]
>> Sent: 30 March 2010 17:26
>> To: activedir@mail.activedir.org
>> Subject: RE: Thanks RE: [ActiveDir] restrict user to log only to his workstation
>>
>> "Allow Log on locally" and "allow log on through Remote Desktop
>> Services" via User Rights Assignments is another option. 2 GPO's, 1 for
>> each machine OU, with the appropriate groups allowed.
>>
>> -----Original Message-----
>> From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of Ruston, Neil
>> Sent: Tuesday, March 30, 2010 11:06 AM
>> To: activedir@mail.activedir.org
>> Subject: RE: Thanks RE: [ActiveDir] restrict user to log only to his workstation
>>
>> Aha - requirements have changed already!
>>
>> How about Restricted Groups deployed via GPO to each OU in question?
>>
>> neil
>>
>> -----Original Message-----
>> From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of Benedict simon
>> Sent: 30 March 2010 15:49
>> To: activedir@mail.activedir.org
>> Subject: Thanks RE: [ActiveDir] restrict user to log only to his workstation
>>
>> Thanks guys for the reply, really appreciate
>> but was just wondering if similar thing could be achieved via a GPO
>> cause in such case I could apply the GPO to an OU where all the users are
>> there instead of individually changing for each user
>>
>> thanks and regards
>>
>> simon
>>
>> --
>> Network ADMIN
>> -------------
>> KUWAIT MUNICIPALITY:
>>
>>> Hi Simon
>>> Open the properties of the user account in AD, go to the Account tab and
>>> click the "Log on to" button. You can restrict what machines a user can
>>> log on to from there.
>>> Jon
>>>
>>> -----Original Message-----
>>> From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of Benedict simon
>>> Sent: 30 March 2010 13:15
>>> To: activedir@mail.activedir.org
>>> Subject: [ActiveDir] restrict user to log only to his workstation
>>>
>>> Dear All,
>>>
>>> I need my domain user to only log on from his workstation only and not
>>> to logon with the same domain user ID and password from other client PCs
>>>
>>> I will explain this
>>>
>>> I have newly implemented a win2003 ADS with wsus and I am joining
>>> clients computers to this AD server
>>>
>>> Right now I have 3 new OUs created apart from the default OUs
>>>
>>> pcusers
>>> it-pcusers
>>> servers
>>>
>>> now the pcusers OU has all client computers and the it-pcusers OU has
>>> the domain users
>>>
>>> the servers OU has the IT dept server computers that I have joined to
>>> the domain. the it-pcusers OU and the servers OU have different Windows
>>> Update policies and everything is working fine
>>>
>>> now since the servers have the AD server any domain user could walk up
>>> to any of the live servers and logon the AD server with his domain user
>>> account and password and get access to the data.
>>>
>>> since the servers have live data and applications running no domain user
>>> should be allowed to log on to the servers. only the local administrator
>>> and the domain administrator should be able to log in from any of the
>>> servers
>>>
>>> so basically I would want the domain users I have created to be
>>> restricted to be able to log onto the domain from his workstation only
>>> or better from any computer which is in the same OU only. In my case any
>>> computers from the pcusers OU only
>>>
>>> appreciate your kind help and advice with steps.
>>>
>>> I am new to AD policies
>>>
>>> Regards
>>>
>>> simon
>>>
>>> --
>>> Network ADMIN
>>> -------------
>>> KUWAIT MUNICIPALITY:
-- Network ADMIN ------------- KUWAIT MUNICIPALITY:
-- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
| | | |
|
|
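An added example, not written by anyone in the thread: a PowerShell sketch that applies the "Log on to" restriction in bulk, so every user in the it-pcusers OU is limited to the computers in the pcusers OU. It assumes the ActiveDirectory PowerShell module is available on a management host; the OU names are the ones in the thread and the `DC=example,DC=local` suffix is a placeholder.

```powershell
# Added example, not from the thread. Assumes the ActiveDirectory module is
# installed on the management host. OU names are taken from the thread; the
# DC=example,DC=local suffix is a placeholder for the real domain.
Import-Module ActiveDirectory

$UserOU     = 'OU=it-pcusers,DC=example,DC=local'   # domain user accounts
$ComputerOU = 'OU=pcusers,DC=example,DC=local'      # client workstations
$MaxLength  = 1024   # upper length bound of the userWorkstations attribute

# Build the comma-separated computer list that the "Log on to" dialog stores.
$names = Get-ADComputer -Filter * -SearchBase $ComputerOU |
    Sort-Object -Property Name |
    Select-Object -ExpandProperty Name
if (-not $names) { throw "No computer accounts found under $ComputerOU" }

$allowed = $names -join ','
if ($allowed.Length -gt $MaxLength) {
    throw "Workstation list is $($allowed.Length) characters; too long for userWorkstations."
}

# Stamp every user in the OU whose current value differs from the list.
# -WhatIf only reports the change; remove it to apply.
Get-ADUser -Filter * -SearchBase $UserOU -Properties LogonWorkstations |
    Where-Object { $_.LogonWorkstations -ne $allowed } |
    ForEach-Object {
        Set-ADUser -Identity $_ -LogonWorkstations $allowed -WhatIf
    }

# Review step: show what each account is restricted to.
Get-ADUser -Filter * -SearchBase $UserOU -Properties LogonWorkstations |
    Select-Object SamAccountName, LogonWorkstations
```

This is still the per-user attribute, stamped in bulk rather than delivered by a GPO, so it has to be re-run when computers join or leave the OU. Keeping standard users off the servers themselves is what the User Rights Assignment settings mentioned in the thread cover, applied through a GPO linked to the servers OU.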