EXPERT RESPONSE
This feature works using NetBIOS names of machines, not DNS names. As far as I can tell, you must assign the individual names of the computers to the list -- you can't use a group name for this feature. Readers who have gotten this to work are welcome to provide some feedback, which I will pass on.
Reader Feedback
Bill Z. writes:
This was something I coded around using VBScript. Using various modified code snippets from the Scripting Guys on Microsoft's website, I created a VBScript that would lock down particular user accounts or group accounts to certain computer labs. The biggest issues I ran into while creating and refining the code (which is an ongoing process) were:
- the list of computer names must be short or the last name will not be recognized (the workaround is to put a dummy name at the end of the list -- I use "fakename"), and
- be sure that the computer you are developing the code on is fully updated with WMI and VBScript engines and patches; the Scripting Guys website has a table in one of its articles that lists all the updates based on the OS you are using as a development platform.
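The expert response and Bill Z.'s note both concern the per-user "Log On To" list (the userWorkstations attribute), which holds NetBIOS computer names rather than a group. The following is an added example, not Bill Z.'s VBScript and not from the original page: it expands an AD computer group into that list with the ActiveDirectory module so the group is still the thing you administer. The group names "Lab-A-Computers" and "Lab-A-Users", and the 64-entry cap on the attribute, are assumptions to verify in your own domain.

```powershell
# Added example (PowerShell, RSAT ActiveDirectory module). Not the page's own code.
# Assumed names: "Lab-A-Computers" (group of computer objects) and "Lab-A-Users" (group of users).
Import-Module ActiveDirectory

# The Name property is the NetBIOS name; sAMAccountName of a computer ends in "$".
$labComputers = Get-ADGroupMember -Identity 'Lab-A-Computers' -Recursive |
    Where-Object { $_.objectClass -eq 'computer' } |
    ForEach-Object { $_.Name }

# userWorkstations has a hard cap on entries; 64 is the commonly cited value.
# Assumption: check the limit against your domain before relying on it.
$maxEntries = 64
if ($labComputers.Count -eq 0) {
    throw 'Lab-A-Computers has no computer members; refusing to write an empty list.'
}
if ($labComputers.Count -gt $maxEntries) {
    throw "Lab-A-Computers has $($labComputers.Count) members; userWorkstations holds at most $maxEntries."
}

# The attribute is a single comma-separated string of NetBIOS names.
$workstationList = $labComputers -join ','

$labUsers = Get-ADGroupMember -Identity 'Lab-A-Users' -Recursive |
    Where-Object { $_.objectClass -eq 'user' }

foreach ($user in $labUsers) {
    Set-ADUser -Identity $user.SamAccountName -LogonWorkstations $workstationList
}

# Verify: read the attribute back and show which users were restricted.
foreach ($user in $labUsers) {
    $u = Get-ADUser -Identity $user.SamAccountName -Properties LogonWorkstations
    "{0}: {1}" -f $u.SamAccountName, $u.LogonWorkstations
}
```

Re-run the script whenever the computer group changes, since the attribute is a static copy of the membership at the time it was written; a user whose LogonWorkstations is empty can log on anywhere, so the empty-list guard above is deliberate.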
James A. writes:
With reference to this question that your reader posed, I offer the following solution:
- Place the PCs you wish to allow the group of users to access into an OU or a group of OUs (depending upon your other administrative needs of OU function -- as long as you can assign a GPO to an OU above the PC object in the tree then it is OK)
- Next create a new policy, or modify an existing one, so that the 'Log on to this machine locally' setting in the Workstation section of the policy includes the user groups that you wish to be able to use the PC. For example, I work in a school and wish to restrict many PCs on the network from being accessed by students; I have a group called UG-Staff which contains all the members of staff in the school. I assign this group the privilege to log on to the machine in the GPO and hey presto -- no kids can log on. Easy. This could be adapted to pretty much any scenario. The trick is to apply the policy setting to the PC and not to the user; otherwise you have to list each PC manually by name, which is not only tedious and laborious for large networks, but can cause all sorts of issues if you ever have to rename PCs, etc.
- Alternatively, you could write a VB program or script which is called at user log on. It could check for a group membership and if the user is a member then it could force a log off procedure.
Hope this helps.
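Defining the "Allow log on locally" right (SeInteractiveLogonRight) in a GPO replaces the workstation's local list entirely, which is why James A.'s UG-Staff policy locks students out: BUILTIN\Users is no longer on the list. The following is an added example, not from the original page, that exports the effective local policy on a workstation after gpupdate and flags two things a practitioner checks: broad principals that would defeat the restriction, and a missing Administrators entry that would lock out support staff. It must run elevated; the path and the warning thresholds are the example's own choices.

```powershell
# Added example (PowerShell, run elevated on the workstation). Not the page's own code.
$tmp = Join-Path $env:TEMP 'secpol-user-rights.inf'
secedit /export /cfg $tmp /areas USER_RIGHTS | Out-Null

$line = Get-Content $tmp | Where-Object { $_ -match '^SeInteractiveLogonRight\s*=' }
Remove-Item $tmp -ErrorAction SilentlyContinue
if (-not $line) { throw 'SeInteractiveLogonRight was not present in the secedit export.' }

# secedit writes principals as *S-1-5-32-544 (SID) or as plain names; resolve SIDs to names.
$principals = ($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object {
    $entry = $_.Trim()
    if ($entry.StartsWith('*')) {
        try {
            $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.Substring(1))
            $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch { $entry }   # unresolvable (deleted or foreign) SID: keep as-is
    } else { $entry }
}

"Allow log on locally on $env:COMPUTERNAME is held by:"
$principals | ForEach-Object { "  $_" }

# Broad groups on the list mean the GPO either has not applied or did not define the right.
$broad = $principals | Where-Object { $_ -match '\\(Users|Everyone|Authenticated Users|Guests)$' }
if ($broad) { Write-Warning "Restriction not effective; still present: $($broad -join ', ')" }

# Omitting Administrators from a defined right is the classic self-lockout.
if (-not ($principals -match '\\Administrators$')) {
    Write-Warning 'BUILTIN\Administrators is not on the list; local admins cannot log on interactively.'
}
```

Because the right is linked to the computer OU rather than to users, the list shown here is the same for every account that sits at that keyboard; per-user "Log On To" restrictions are evaluated separately by the domain controller and will not appear in this export.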