derek.rose | Posts: 0 | 07/14/2010 2:42 PM

Hi List,
I'm implementing the computer logon restriction in AD, where the user can log on only to named computers. I wasn't able to find a way to restrict users from using ANY computers. I know this would be rare, but we have some cases where AD objects exist because they need an Exchange mailbox or access to another network resource, but not a login to a PC. Across the board, it would be nice to say they can't log in anywhere. I was able to check the radio button for "only the following computers" and leave the list blank, but that didn't seem to have the desired result.
Any similar scenarios or suggestions on how I could accomplish this?
CONFIDENTIALITY NOTICE: This e-mail message (including attachments) is covered by the Electronic Communications Privacy Act, 18 U.S.C. 2510-2521, and is intended only for the person or entity to which it is addressed and may contain confidential and/or privileged material. Any unauthorized review, use, disclosure, dissemination, copying, forwarding or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message. If you are the intended recipient but do not wish to receive communication through this medium, please so advise the sender immediately.
bdesmond | Posts: 977 | 07/14/2010 2:46 PM

I'd suggest creating a group in AD called Deny Logon to Computers or something and then using GP at the top of your domain(s) to put that group in the Deny Logon Locally right. Put the relevant people in the group.
Thanks, Brian Desmond brian@briandesmond.com
c - 312.731.3132
ClydeBurns | Posts: 19 | 07/16/2010 9:42 PM

We do that here for LDAP accounts we serve up to 3rd party applications just for the app's use. A GPO at the top of the domain with 'Deny log on locally' and 'Deny log on through Terminal Services' tied to a global group. Works really well.
Clyde Burns
This message is confidential, intended only for the named recipient(s) and may contain information that is privileged or exempt from disclosure under applicable law. Any patient health information must be delivered immediately to intended recipient(s). If you are not the intended recipient(s), you are notified that the dissemination, distribution or copying of this message is strictly prohibited. If you receive this message in error, or are not the named recipient(s), please notify the sender at either the e-mail address or telephone number above and discard this e-mail. Thank you.
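An added example, not posted by anyone in this thread: a PowerShell check an administrator can run on a domain-joined machine to confirm that the GPO Brian and Clyde describe has actually taken effect there. It exports the effective user-rights assignment with secedit and verifies that the deny group's SID appears in both deny rights. The group name CONTOSO\Deny Logon to Computers is a placeholder.

```powershell
# Added example: confirm on a domain-joined Windows machine that the
# "Deny log on locally" / "Deny log on through Terminal Services" rights
# set by GPO actually contain the deny group. Run from an elevated prompt
# (secedit requires it). The group name is a placeholder; substitute your own.
param(
    [string]$DenyGroup = 'CONTOSO\Deny Logon to Computers'
)

# secedit records right holders as *SID, so compare on SID, not on name.
$sid = (New-Object System.Security.Principal.NTAccount($DenyGroup)).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value

# Export only the user-rights area of the effective local security policy.
$cfg = Join-Path $env:TEMP 'user-rights-export.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$lines = Get-Content $cfg -Encoding Unicode      # secedit writes UTF-16 LE
Remove-Item $cfg -ErrorAction SilentlyContinue

# Display name -> privilege constant as it appears under [Privilege Rights].
$rights = [ordered]@{
    'Deny log on locally'                   = 'SeDenyInteractiveLogonRight'
    'Deny log on through Terminal Services' = 'SeDenyRemoteInteractiveLogonRight'
}

foreach ($name in $rights.Keys) {
    $constant = $rights[$name]
    $line = $lines | Where-Object { $_ -match "^$constant\s*=" } | Select-Object -First 1
    # No line at all means the right is currently assigned to nobody.
    $holders = @()
    if ($line) {
        $holders = ($line -split '=', 2)[1] -split ',' |
                   ForEach-Object { $_.Trim().TrimStart('*') }
    }
    [pscustomobject]@{
        Right   = $name
        Applied = ($holders -contains $sid)
        Holders = ($holders -join ' ')
    }
}
```

These two rights cover console and RDP sessions only; network logons, which is what mailbox access through Exchange uses, are governed by the separate 'Deny access to this computer from the network' right, so this GPO does not by itself block ActiveSync or Outlook.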
derek.rose | Posts: 0 | 07/17/2010 2:41 AM

Has anyone run into a problem using this, and then users not being able to get e-mail on their iPhones? I was thinking about throwing in the name of our Exchange server as a machine they are allowed to log in to, but I'm just wondering if this has happened to anyone else.
RickSheikh | Posts: 373 | 07/17/2010 3:55 AM

Never heard of users needing interactive access to Exchange servers for their email access. The user-level attribute restriction (as mentioned in your original note) is something I am not a big fan of. It can become a bit painful upon users' migration to some other domain at some point.
The 'deny logon via TS' through GP has been my preferred method.
-- Sent from my mobile device