Client Access Rights

Hi

How can I restrict a Domain User Group from access ing a range of client
PC's.. ie Admin cannot logon to Sales Departments PC's and Visa Versa

It is part of the individual user accounts, where you set which machines
they are allowed to log into. I don't think it can be done by "groups".


--

Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com


"Blaze" <(E-Mail Removed)> wrote in message
news:h0PSd.51$(E-Mail Removed)...
> Hi
>
> How can I restrict a Domain User Group from access ing a range of client
> PC's.. ie Admin cannot logon to Sales Departments PC's and Visa Versa
>
>

You can use Group Policy to do such. For instance place a group of computer
accounts in an Organizational Unit. Then create a Group Policy for that OU
and add the global group you want to restrict to the deny logon locally or
deny access this computer from the network user right in computer
configuration/Windows settings/security settings/local policies/user rights.
Note that while this will work in general, ultimately you can not restrict a
domain admin that does not want to be restricted as they always have the
power to undo settings that restrict them. To do such you really need to use
separate domains or better yet separate forests. You still can connect
forests and/or domains with trusts. --- Steve


"Blaze" <(E-Mail Removed)> wrote in message
news:h0PSd.51$(E-Mail Removed)...
> Hi
>
> How can I restrict a Domain User Group from access ing a range of client
> PC's.. ie Admin cannot logon to Sales Departments PC's and Visa Versa
>

Blaze,

You can do this with Group Policy. Make a container in AD which contais all
the COMPUTERS (not users) in the admin and sales dept. Create a group policy
and, in it, go to COMPUTER CONFIGURATION > ADMINISTRATIVE TEMPLATES > SYSTEM
> LOGON. Now find the rule called "Only allow local user profiles" and enable
it. Now apply this policy to the container you made containing the computers
you want this enforced on. You will have to go to the individual computers
and delete the accounts off of them that you dont want logged on. The reason
for this is, when a roaming user logs into a network machine, windows
automatically downloads that user into the local profiles. Once the machine
policy is set, they wont be able to do this, and the oly way for a differnt
user to log in is if the Network Admin (You) installs that account on the
local machine using the administrive computer account. Hope this helps. Using
Group Policy for the first time always takes some experimentation.

"Blaze" wrote:

> Hi
>
> How can I restrict a Domain User Group from access ing a range of client
> PC's.. ie Admin cannot logon to Sales Departments PC's and Visa Versa
>
>
>

This would only be a problem if the users in question had domain admin
rights. I think you've hit the solution on the head. If the OPs users are
all domain admins, there's little hope for any kind of security..


...kurt

"Steven L Umbach" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> You can use Group Policy to do such. For instance place a group of
computer
> accounts in an Organizational Unit. Then create a Group Policy for that OU
> and add the global group you want to restrict to the deny logon locally or
> deny access this computer from the network user right in computer
> configuration/Windows settings/security settings/local policies/user
rights.
> Note that while this will work in general, ultimately you can not restrict
a
> domain admin that does not want to be restricted as they always have the
> power to undo settings that restrict them. To do such you really need to
use
> separate domains or better yet separate forests. You still can connect
> forests and/or domains with trusts. --- Steve
>
>
> "Blaze" <(E-Mail Removed)> wrote in message
> news:h0PSd.51$(E-Mail Removed)...
> > Hi
> >
> > How can I restrict a Domain User Group from access ing a range of client
> > PC's.. ie Admin cannot logon to Sales Departments PC's and Visa Versa
> >
>
>

Thanks Guys :-)


"Kurt" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
>
> This would only be a problem if the users in question had domain admin
> rights. I think you've hit the solution on the head. If the OPs users are
> all domain admins, there's little hope for any kind of security..
>
>
> ..kurt
>
> "Steven L Umbach" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed)...
>> You can use Group Policy to do such. For instance place a group of
> computer
>> accounts in an Organizational Unit. Then create a Group Policy for that
>> OU
>> and add the global group you want to restrict to the deny logon locally
>> or
>> deny access this computer from the network user right in computer
>> configuration/Windows settings/security settings/local policies/user
> rights.
>> Note that while this will work in general, ultimately you can not
>> restrict
> a
>> domain admin that does not want to be restricted as they always have the
>> power to undo settings that restrict them. To do such you really need to
> use
>> separate domains or better yet separate forests. You still can connect
>> forests and/or domains with trusts. --- Steve
>>
>>
>> "Blaze" <(E-Mail Removed)> wrote in message
>> news:h0PSd.51$(E-Mail Removed)...
>> > Hi
>> >
>> > How can I restrict a Domain User Group from access ing a range of
>> > client
>> > PC's.. ie Admin cannot logon to Sales Departments PC's and Visa Versa
>> >
>>
>>
>
>