How to apply User Accounts Logon Restrictions in Win 2003 AD?

Hi,

I have configured our domain controller on Windows 2003 Server. We have
around 160 computers which are member of single domain. Now my problem
is, for a user, say 'abc' (which is a member of the same domain), I
need to allow him to logon on 80 machines and not on the remaining 80
machines. How can I do this? Actually I created two OUs and have kept
80 machines in one OU and remaining 80 in other OU and have created
this user 'abc' in only one OU (where I want to allow him to logon).
But he is still able to login to all 160 machines. I tried to specify
computer names under 'user properties'->'Account'->'Log On To' but it
can take maximum 60 computer names.

Please let me know how to solve this problem.

Thanks in advance.

hrparikh

You could use the Deny Logon Locally GPO. Make sure that the OU that
holds these computer account objects is not a 'child' or sub-OU of the
OU structure that contains your other computer account objects. So,
what you would do is have all of the computer account objects in their
current OU set up and create an OU for the test computer account
objects. You would then create a security group and make that one user
account object the sole member. You could then create the Deny Logon
Locally GPO and link it to the OU structure that holds all of your
other computer account objects.


If you were to use this and you have to create the OU for the 80
computer account objects within your 'computer' OU structure then you
might have to look at Block Inheritance on the OU that holds these 80
other computers.

ALSO:
I would recommend posting Active Directory questions in the
microsoft.public.windows.active_directory group. There are some
extremely intelligent MVPs there that could help you more than I could.
Have a good day!

Thank you very much for this information. Next time I will remember to
post active directory related questions in
microsoft.public.windows.active_directory group.

hrparikh