User Computer Restriction

Good Morning,

I had a question regarding user logon restriction. I have a
computer lab that is currently being used by 5th and 6th graders, but is now
being intruded upon by adults. I would like to restrict all domain users
from logging on, except for domain admin and student accounts to these
computers. I have created an ou with all the computers in the lab and also
appropriate ou's for each users and teachers. I would appreciate any
assistance with this matter. Thank you for your time and effort.

P.S. I am running a 2003 Server and 2000 workstation environment.



Regards,


David Leonardi

create new OU and move the computers that you intent to be used by only
domain admin and student accounts to this new OU. create new group policy
for this OU and add the users to "deny logon locally" under computer
configuration in this new gp.




"Dave Leonardi" <(E-Mail Removed)> wrote in message
news:#(E-Mail Removed)...
> Good Morning,
>
> I had a question regarding user logon restriction. I have a
> computer lab that is currently being used by 5th and 6th graders, but is
now
> being intruded upon by adults. I would like to restrict all domain users
> from logging on, except for domain admin and student accounts to these
> computers. I have created an ou with all the computers in the lab and also
> appropriate ou's for each users and teachers. I would appreciate any
> assistance with this matter. Thank you for your time and effort.
>
> P.S. I am running a 2003 Server and 2000 workstation environment.
>
>
>
> Regards,
>
>
> David Leonardi
>
>
>

"Dave Leonardi" <(E-Mail Removed)> wrote in message news:<#(E-Mail Removed)>...
> Good Morning,
>
> I had a question regarding user logon restriction. I have a
> computer lab that is currently being used by 5th and 6th graders, but is now
> being intruded upon by adults. I would like to restrict all domain users
> from logging on, except for domain admin and student accounts to these
> computers. I have created an ou with all the computers in the lab and also
> appropriate ou's for each users and teachers. I would appreciate any
> assistance with this matter. Thank you for your time and effort.
>
> P.S. I am running a 2003 Server and 2000 workstation environment.


You can set up the workstations in the lab to give the right "Allow
log on locally" only to those groups of users you want -- or rather
take that right away from those you don't want.

You can do this with a GPO for the OU with the computers. Take a look
at the default domain controllers policy which also restricts who can
logon locally. in Local Policies, User rights assignment.

--
Matt Hickman
it is some comfort to realize that anyone who handed Clark a
bribe would find that Clark had not only taken the bribe but the
hand as well.
Robert A. Heinlein (1907 -1988)
_Podkayne of Mars_ 1963

Thanks Ayhan. I appreciate it. I used your solution and it worked well.

Regards,

Dave Leonardi

"Ayhan" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> create new OU and move the computers that you intent to be used by only
> domain admin and student accounts to this new OU. create new group policy
> for this OU and add the users to "deny logon locally" under computer
> configuration in this new gp.
>
>
>
>
> "Dave Leonardi" <(E-Mail Removed)> wrote in message
> news:#(E-Mail Removed)...
> > Good Morning,
> >
> > I had a question regarding user logon restriction. I have a
> > computer lab that is currently being used by 5th and 6th graders, but is
> now
> > being intruded upon by adults. I would like to restrict all domain users
> > from logging on, except for domain admin and student accounts to these
> > computers. I have created an ou with all the computers in the lab and
also
> > appropriate ou's for each users and teachers. I would appreciate any
> > assistance with this matter. Thank you for your time and effort.
> >
> > P.S. I am running a 2003 Server and 2000 workstation environment.
> >
> >
> >
> > Regards,
> >
> >
> > David Leonardi
> >
> >
> >
>
>

Thanks Matt,

I tried Ayhan's solution "Deny Logon Locally", but I'm going have to use
your scenario elsewhere down the road. It will work better for another lab
situation. Also If you don't mind helping me with a question. Why would it
be a "log on locally" thing and not a "deny network access to this
computer". You would think it has to do with Domain Users logging on to a
networked computer. Thanks again for the assistance.

Regards,
Dave Leonardi

"Matt Hickman" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed) om...
> "Dave Leonardi" <(E-Mail Removed)> wrote in message
news:<#(E-Mail Removed)>...
> > Good Morning,
> >
> > I had a question regarding user logon restriction. I have a
> > computer lab that is currently being used by 5th and 6th graders, but is
now
> > being intruded upon by adults. I would like to restrict all domain users
> > from logging on, except for domain admin and student accounts to these
> > computers. I have created an ou with all the computers in the lab and
also
> > appropriate ou's for each users and teachers. I would appreciate any
> > assistance with this matter. Thank you for your time and effort.
> >
> > P.S. I am running a 2003 Server and 2000 workstation environment.
>
>
> You can set up the workstations in the lab to give the right "Allow
> log on locally" only to those groups of users you want -- or rather
> take that right away from those you don't want.
>
> You can do this with a GPO for the OU with the computers. Take a look
> at the default domain controllers policy which also restricts who can
> logon locally. in Local Policies, User rights assignment.
>
> --
> Matt Hickman
> it is some comfort to realize that anyone who handed Clark a
> bribe would find that Clark had not only taken the bribe but the
> hand as well.
> Robert A. Heinlein (1907 -1988)
> _Podkayne of Mars_ 1963

"Dave Leonardi" <(E-Mail Removed)> wrote in message news:<(E-Mail Removed)>...
> Thanks Matt,
>
> I tried Ayhan's solution "Deny Logon Locally", but I'm going have to use
> your scenario elsewhere down the road. It will work better for another lab
> situation. Also If you don't mind helping me with a question. Why would it
> be a "log on locally" thing and not a "deny network access to this
> computer". You would think it has to do with Domain Users logging on to a
> networked computer. Thanks again for the assistance.

"network access" refers to accessing the computer remotely -- across
the network. The users are not doing that, they are logging on at the
workstation itself -- locally.

--
Matt Hickman
Sometimes is difficult to reach a meeting of minds with machines; they
can be very pig-headed.
Robert A. Heinlein (1907 - 1988)
_The Moon Is a Harsh Mistress_ c 1966