Setting 'log-on-to machines' in Active Directory
Many enterprise environments need to limit systems access by setting account options. In this response, site expert Jonathan Hassell explains more about the "set log-on-to machines" feature.
I have tried to do some Google searching on this "feature" of 2003, but can't seem to find anything. Perhaps I'm not searching for the right keywords. This article was the only one that seemed to talk about what I want to do, so I thought I would ask. Thank you for any help you might be able to provide.
Reader Feedback
Bill Z. writes:
This was something I coded around using VBScript. Using various modified code snippets from the Scripting Guys on Microsoft's website, I created a VBScript that would lock down particular user accounts or group accounts to certain computer labs. The biggest issues I ran into while creating and refining the code (which is an ongoing process) were:
- the list of computer names must be short or the last name will not be recognized (the workaround is to put a dummy name at the end of the list -- I use "fakename"), and
- be sure that the computer you are developing the code on is fully updated with WMI and VBScript engines and patches; the Scripting Guys website has a table in one of its articles that lists all the updates based on the OS you are using as a development platform.
James A. writes:
With reference to this question that your reader posed, I offer the following solution:
- Place the PCs you wish to allow the group of users to access into an OU or a group of OUs (depending upon your other administrative needs of OU function -- as long as you can assign a GPO to an OU above the PC object in the tree then it is OK)
- Next create a new policy, or modify an existing one, so that the 'Log on to this machine locally' setting in the Workstation section of the policy includes the user groups that you wish to be able to use the PC. For example, I work in a school and wish to restrict many PCs on the network from being accessed by students; I have a group called UG-Staff which contains all the members of staff in the school. I assign this group to have privilege to log on to the machine in the GPO and hey presto -- no kids can log on. Easy. This could be adapted to pretty much any scenario -- the trick is to apply the policy setting to the PC and not to the user or you have to list each PC manually by name -- this is not only tedious and laborious for large networks, but can cause all sorts of issues if you ever have to rename PCs, etc.
- Alternatively, you could write a VB program or script which is called at user log on. It could check for a group membership and if the user is a member then it could force a log off procedure.
Hope this helps.
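The per-user "Log On To" list that the question asks about (the userWorkstations attribute, exposed as LogonWorkstations in the ActiveDirectory module) can be set and audited from PowerShell instead of VBScript. The following is an added example written for this page, not code from the expert or from either reader; it assumes the RSAT ActiveDirectory module is installed, and the OU path and group name are placeholders to be replaced with your own. It derives the allowed machine list from the computers in one OU, which avoids hand-typing names, and keeps the -WhatIf switch so nothing changes until you remove it.

```powershell
# Added example (not from the original Q&A or its readers): restrict a set of
# user accounts to the computers in one OU via the user object's "Log On To"
# list (the LogonWorkstations / userWorkstations attribute).
# Assumes the RSAT ActiveDirectory module; the OU path and group name below
# are placeholders for this illustration.
Import-Module ActiveDirectory

$LabComputersOU = 'OU=Lab-A,OU=Workstations,DC=example,DC=local'   # placeholder
$RestrictedGroup = 'UG-LabA-Students'                               # placeholder

# Collect the NetBIOS names of the computers these users may log on to.
$labHosts = Get-ADComputer -Filter * -SearchBase $LabComputersOU |
    Select-Object -ExpandProperty Name | Sort-Object

if (-not $labHosts -or $labHosts.Count -eq 0) {
    throw "No computer objects found under $LabComputersOU"
}

# LogonWorkstations takes a single comma-separated string of NetBIOS names.
# The attribute has a length limit (see the reader feedback above), so keep
# the list short; for large or changing fleets the GPO approach is better.
$logonList = $labHosts -join ','

# Apply the list to every user in the group (nested membership included).
# Remove -WhatIf once the preview output looks right.
Get-ADGroupMember -Identity $RestrictedGroup -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    ForEach-Object {
        Set-ADUser -Identity $_.DistinguishedName -LogonWorkstations $logonList -WhatIf
    }

# Audit: list every account that currently carries a "Log On To" restriction,
# so stale lists (renamed or retired PCs) can be spotted and cleaned up.
Get-ADUser -LDAPFilter '(userWorkstations=*)' -Properties LogonWorkstations |
    Select-Object SamAccountName, LogonWorkstations |
    Format-Table -AutoSize
```

The audit query is the part worth scheduling: a user whose list names a computer that no longer exists is simply unable to log on there, and nothing else in the directory flags that the list is out of date. The GPO approach James A. describes sidesteps this entirely because the restriction follows the computer object rather than a typed-in name.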