Only allow certain users to log into certain machines

  • Only allow certain users to log into certain machines

    VERY new to GPO's so I apologize if this is simple for some of you.

    I'd like to have a GPO only allow a group of users be able to log into a few machines. All other users should get a message of some sort saying you're not allowed to do this.

    Server 2008R2.

    This is what I've done so far in GPM:
    Security Filtering:
    Created a GPO where I added the group and the machine.

    Delegation:
    Changed the permissions on the machine as well as the group to have Read (from Security Filtering) and ticked the box for "apply group policy" under Advanced.

    This is what I've done so far in the GPME:
    Computer Configuration>policies>security settings>local policies>User Rights Assignment
    Allow log on locally - I added the group that I want to have the ability to do this.

    I can still log into those specific machines without an issue under any user.

    Any help would be greatly appreciated.

    Thanks.

  • #2
    You generally don't need to make changes to the Delegation tab. The Security Filtering section will make the necessary changes.

    You can't filter the GPO by the user group because this is a computer setting, not a user setting. The user group filter will have no effect. The GPO will apply to the computers and the user group that you grant the "Allow log on locally" user right to will be allowed to log on to these computers. Everyone else will be denied.

    Being a computer setting, you need to link the GPO to the domain or to the OU where the computer accounts are.

    Here's my suggestion: Delete the GPO and recreate it. Remove Authenticated Users from the Security Filtering section and add the Computer objects to the Security Filtering section (or create a security group for the computers, add the computers to the group and use that group in the security filter). Link the GPO to the domain or to the OU where the computer accounts are. Reboot the computers in question and try it again with one of your restricted users.

    • #3
      Thank you for your insight.

      Here's my suggestion: Delete the GPO and recreate it. Remove Authenticated Users from the Security Filtering section and add the Computer objects to the Security Filtering section (or create a security group for the computers, add the computers to the group and use that group in the security filter). Link the GPO to the domain or to the OU where the computer accounts are. Reboot the computers in question and try it again with one of your restricted users.
      I've done everything up to the point of restarting the users computer. I don't understand how the computer will know to not let X amount of employees to log in and to let X amount of employees to NOT log in...and who they are. I feel like I missed something or I'm a bit confused.

      I do appreciate your time and understanding that this is above me.

      • #4
        Your policy will enforce only those named to be allowed to log in, just as you requested, assuming you pick the correct names for the policy, and apply the policy in the correct location in AD. The policy setting of 'Allow log on locally' expects you to put names of users or groups in--those are the people you want to have allowed on any PC the policy applies to. To decide on how to limit the policy application, start by linking that policy to an OU where the subject PCs are grouped in AD. When such a PC starts, it reads the group policy setting, and any user not listed as allowed won't be able to log in.

        You're enforcing certain users to be allowed or not, but you don't enforce a policy for this against the user, you enforce it against the computer the user is trying to log into. So in GPMC, go to Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment and find 'Allow Logon Locally'. There are default groups there; if you remove 'domain users' and 'authenticated users' (assuming both are listed), then add a group name which contains the users you want to allow. Make sure admin groups are still there or you'll be locked out. No need to save the policy, the settings are recorded immediately.

        If you link that policy to the OU which contains your PCs, refresh GP on one and test it. If your OU contains all of your domain PCs and you only want the policy to apply to a few, create a PC group with only those device names and add that group to the policy's 'Security Filtering'. Remove any other entries in Security Filtering (like Authenticated Users) so that your PC group is the only entry. What this does is enforce that only those PCs can read/enforce the policy. The user group settings you made previously are what tell the appropriate PC that only those users can log in.
        *RicklesP*
        MSCA (2003/XP), Security+, CCNA

        ** Remember: credit where credit is due, and reputation points as appropriate **

        • #5
          Originally posted by RicklesP:
          Your policy will enforce only those named to be allowed to log in, just as you requested, assuming you pick the correct names for the policy, and apply the policy in the correct location in AD. The policy setting of 'Allow log on locally' expects you to put names of users or groups in--those are the people you want to have allowed on any PC the policy applies to. To decide on how to limit the policy application, start by linking that policy to an OU where the subject PCs are grouped in AD. When such a PC starts, it reads the group policy setting, and any user not listed as allowed won't be able to log in.

          You're enforcing certain users to be allowed or not, but you don't enforce a policy for this against the user, you enforce it against the computer the user is trying to log into. So in GPMC, go to Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment and find 'Allow Logon Locally'. There are default groups there; if you remove 'domain users' and 'authenticated users' (assuming both are listed), then add a group name which contains the users you want to allow. Make sure admin groups are still there or you'll be locked out. No need to save the policy, the settings are recorded immediately.
          Ok, got it. So after I deleted the GP I needed to go back in and re-add the users in the Allow Log On Locally section. I messed up that step.

          If you link that policy to the OU which contains your PCs, refresh GP on one and test it. If your OU contains all of your domain PCs and you only want the policy to apply to a few, create a PC group with only those device names and add that group to the policy's 'Security Filtering'. Remove any other entries in Security Filtering (like Authenticated Users) so that your PC group is the only entry. What this does is enforce that only those PCs can read/enforce the policy. The user group settings you made previously are what tell the appropriate PC that only those users can log in.
          I've created a group for the 3 machines I would like to limit the users on. I've tested it and I can still log in with whomever I want. I'm missing something simple - I apologize. I've taken some screenshots to show what I've got.

          [Screenshots attached: GPM.jpg (Group Policy Management) and GPME.jpg (Group Policy Management Editor)]

          • #6
            Originally posted by RicklesP:
            Your policy will enforce only those named to be allowed to log in, just as you requested, assuming you pick the correct names for the policy, and apply the policy in the correct location in AD. The policy setting of 'Allow log on locally' expects you to put names of users or groups in--those are the people you want to have allowed on any PC the policy applies to. To decide on how to limit the policy application, start by linking that policy to an OU where the subject PCs are grouped in AD. When such a PC starts, it reads the group policy setting, and any user not listed as allowed won't be able to log in.

            You're enforcing certain users to be allowed or not, but you don't enforce a policy for this against the user, you enforce it against the computer the user is trying to log into. So in GPMC, go to Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment and find 'Allow Logon Locally'. There are default groups there; if you remove 'domain users' and 'authenticated users' (assuming both are listed), then add a group name which contains the users you want to allow. Make sure admin groups are still there or you'll be locked out. No need to save the policy, the settings are recorded immediately.

            If you link that policy to the OU which contains your PCs, refresh GP on one and test it. If your OU contains all of your domain PCs and you only want the policy to apply to a few, create a PC group with only those device names and add that group to the policy's 'Security Filtering'. Remove any other entries in Security Filtering (like Authenticated Users) so that your PC group is the only entry. What this does is enforce that only those PCs can read/enforce the policy. The user group settings you made previously are what tell the appropriate PC that only those users can log in.
            Wow. You said that so much better than I did. Nice answer!

            • #7
              Many thanks, joeqwerty. I've found that explanations without the corporate-speak of MS docs, esp when not talking about enterprise-level stuff, usually work better.

              Jeff, assuming you are in the domain and/or local administrator groups, that's where your login permission appears to be coming from. But one picture is missing, the one showing where that policy is linked to. Because it appears you're being responsible and not letting everyone see certain details, I can only assume that you have properly linked this policy to the correct OU where all 3 PCs are listed in AD. Also, once you made your policy settings, did you enforce a GP refresh on any of those 3 machines? If the link doesn't tie this policy to said OU, it won't apply.

              Changing the settings inside the policy is immediate, but the application of policy on the clients takes time. Those times can be controlled by changing the defaults inside another domain-wide policy, but leave that for now. On any of the specimen client machines, open a cmd prompt as an administrator and run 'gpupdate /force /boot'. The machine will restart itself after forcibly re-reading applicable policies. If you think the policy isn't applying correctly, get a member of your 'Dispatchers' group to login (should be successful), then someone who isn't in any of the user groups in your policy (should fail), esp NOT a member of the PC's local admin group. If those 2 logins behave as expected, then the policy is doing what it's supposed to. To change who can or can't log in, change the group names in that policy setting, and then you only have to change the appropriate group membership to add/remove specific members.
              *RicklesP*
              MSCA (2003/XP), Security+, CCNA

              ** Remember: credit where credit is due, and reputation points as appropriate **
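The two test logins RicklesP describes can be checked from the machine itself. The script below is an added example, not code posted in this thread: after 'gpupdate /force' it exports the effective "Allow log on locally" right (SeInteractiveLogonRight) and verifies the three conditions the answers above call for (the allowed group is present, Administrators still remain, and the broad default groups are gone). It assumes the allowed group is 'CONTOSO\Dispatchers' (placeholder domain name; the thread only names the group 'Dispatchers') and must run from an elevated PowerShell prompt on a domain-joined PC.

```powershell
# Added example (not from the thread): audit the effective "Allow log on locally"
# assignment on this PC after a GP refresh. Run elevated.
# Assumption: the allowed group is CONTOSO\Dispatchers (placeholder domain).
param([string]$AllowedGroup = 'CONTOSO\Dispatchers')

$cfg = Join-Path $env:TEMP 'user-rights-export.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null   # effective local policy
$line = Get-Content $cfg | Where-Object { $_ -match '^SeInteractiveLogonRight\s*=' }
Remove-Item $cfg -ErrorAction SilentlyContinue
if (-not $line) { throw 'SeInteractiveLogonRight not present in the secedit export' }

# Entries look like "*S-1-5-32-544,*S-1-5-21-...-1105": a leading '*' marks a SID,
# anything else is already an account name.
$principals = foreach ($entry in (($line -split '=', 2)[1] -split ',')) {
    $entry = $entry.Trim()
    if ($entry.StartsWith('*')) {
        $sid = $entry.TrimStart('*')
        try {
            $name = ([System.Security.Principal.SecurityIdentifier]$sid).Translate(
                        [System.Security.Principal.NTAccount]).Value
        } catch { $name = '<unresolved>' }
    } else { $sid = ''; $name = $entry }
    [pscustomobject]@{ SID = $sid; Name = $name }
}
$principals | Format-Table -AutoSize

# 1. The allowed group must hold the right; if it does not, the GPO never reached
#    this PC (wrong OU link or security filter). 'gpresult /r' lists applied GPOs.
if ($principals.Name -notcontains $AllowedGroup) {
    Write-Warning "$AllowedGroup does not hold 'Allow log on locally' - check the link and security filtering with gpresult /r"
}
# 2. BUILTIN\Administrators (S-1-5-32-544) must remain, or admins are locked out of the PC.
if ($principals.SID -notcontains 'S-1-5-32-544') {
    Write-Warning 'BUILTIN\Administrators is missing - admins can no longer log on here'
}
# 3. Broad default groups left in place still let everyone log on, which is one cause
#    of the symptom in this thread.
$broad = '^(BUILTIN\\Users|NT AUTHORITY\\Authenticated Users|Everyone|.*\\Domain Users)$'
foreach ($p in $principals) {
    if ($p.Name -match $broad) { Write-Warning "$($p.Name) still holds the right" }
}
```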
