
Setting 'log-on-to machines' in Active Directory

Many enterprise environments need to limit systems access by setting account options. In this response, site expert Jonathan Hassell explains more about the "set log-on-to machines" feature.

I just read Roberta Bragg's article titled "Checklist: Set account options to limit systems access." I have a question about how "Set log-on-to machines" works in Active Directory. I am in the process of upgrading the two domain controllers we have from NT 4.0 to Windows Server 2003 (have not done it yet). I have 100 users, of which 80 are in a group that I would like to restrict which computers in the domain they can log on to (about 100 of the 250 computers). Does Active Directory allow you to do this? All 80 are in a specific group, "Grad Students." Is there a way to set which computers this group can log on to, or do I have to do it for each user? NT 4.0 allows you to do this for specific users, but limits you to 4 computers on the list.

I have tried to do some Google searching on this "feature" of 2003, but can't seem to find anything. Perhaps I'm not searching for the right keywords. This article was the only one that seemed to talk about what I want to do, so I thought I would ask. Thank you for any help you might be able to provide.

This feature works using NetBIOS names of machines, not DNS names. As far as I can tell, you must assign the individual names of the computers to the list -- you can't use a group name for this feature. Readers who have gotten this to work are welcome to provide some feedback, which I will pass on.


Reader Feedback

Bill Z. writes:
This was something I coded around using VBScript. Using various modified code snippets from the Scripting Guys on Microsoft's website, I created a VBScript that would lock down particular user accounts or group accounts to certain computer labs. The biggest issues I ran into while creating and refining the code (which is an ongoing process) were:

  1. the list of computer names must be short or the last name will not be recognized (the workaround is to put a dummy name at the end of the list -- I use "fakename"), and

  2. be sure that the computer you are developing the code on is fully updated with WMI and VBScript engines and patches; the Scripting Guys website has a table in one of its articles that lists all the updates based on the OS you are using as a development platform.
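One way to script what Bill Z. describes, as an added example in PowerShell (this is not Bill Z.'s VBScript and not code from the original page): it fills each group member's "Log On To" list with the NetBIOS names of every computer in one OU. It assumes the ActiveDirectory RSAT module, the "Grad Students" group from the question, a placeholder OU name, and an assumed upper bound on the attribute length that you should verify against your own schema.

```powershell
# Added example, not from the original Q&A. Populates the userWorkstations
# attribute (exposed as -LogonWorkstations) for every user in a group.
# Per the expert's answer, the attribute takes individual NetBIOS names only;
# there is no group-level equivalent, so each user is updated in turn.
Import-Module ActiveDirectory

$GroupName  = 'Grad Students'                   # assumed: group named in the question
$ComputerOU = 'OU=Grad Labs,DC=example,DC=com'  # assumed placeholder OU; replace
$MaxLength  = 1024                              # assumed attribute length limit; verify in your schema

# Gather the pre-Windows 2000 (NetBIOS) names of the computers in the OU.
# sAMAccountName for a computer carries a trailing '$' that must be removed.
$names = Get-ADComputer -SearchBase $ComputerOU -Filter * -Properties sAMAccountName |
    ForEach-Object { $_.sAMAccountName.TrimEnd('$') } |
    Sort-Object -Unique

if ($names.Count -eq 0) { throw "No computers found under $ComputerOU" }

# The attribute is a single comma-separated string, which is why long lists
# run into the truncation problem Bill Z. mentions. Refuse oversized lists.
$list = $names -join ','
if ($list.Length -gt $MaxLength) {
    throw "Workstation list is $($list.Length) characters; exceeds assumed limit of $MaxLength. Split the OU or the group."
}

# Apply to direct and nested user members of the group; skip nested groups/computers.
Get-ADGroupMember -Identity $GroupName -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    ForEach-Object {
        Set-ADUser -Identity $_.distinguishedName -LogonWorkstations $list
        Write-Host "Restricted $($_.sAMAccountName) to $($names.Count) computers"
    }
```

Run it with `-WhatIf` on the `Set-ADUser` line first to review the changes, and re-run it whenever computers are added to or renamed in the OU, since the attribute stores names rather than references.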

James A. writes:
With reference to this question that your reader posed, I offer the following solution:

  • Place the PCs you wish to allow the group of users to access into an OU or a group of OUs (depending upon your other administrative needs of OU function -- as long as you can assign a GPO to an OU above the PC object in the tree then it is OK)

  • Next create a new policy, or modify an existing one, so that the 'Log on to this machine locally' setting in the Workstation section of the policy includes the user groups that you wish to be able to use the PC. For example, I work in a school and wish to restrict many PCs on the network from being accessed by students; I have a group called UG-Staff which contains all the members of staff in the school. I assign this group to have privilege to log on to the machine in the GPO and hey presto -- no kids can log on. Easy. This could be adapted to pretty much any scenario -- the trick is to apply the policy setting to the PC and not to the user or you have to list each PC manually by name -- this is not only tedious and laborious for large networks, but can cause all sorts of issues if you ever have to rename PCs, etc.

  • Alternatively, you could write a VB program or script which is called at user logon. It could check for a group membership and if the user is a member then it could force a log off procedure.

Hope this helps.
