Our organisation has an AD; all users are in the one OU. I administer a section of the users. We have a bunch of computers that I only want to allow logon by users in a particular AD group (i.e. users in my section). How might I go about this?
-
I hate to say it, but lumping all of your users into a single OU (especially when you have A. separate people managing separate groups, and B. different needs for them) is not leveraging LDAP effectively. – gWaldo Aug 25 '10 at 13:21
-
unfortunately I don't control the AD, I'm in a sub-organisation that has to use whatever we are given from up on high. – askvictor Jun 14 '11 at 05:37
-
That is rather unfortunate. Might I recommend asking the AD admins that they make the changes for you? It could help make you much more effective. – gWaldo May 10 '12 at 23:25
-
Being restricted to using ou's as a filter criterion would also be ineffective, it does not scale well if you have completely unrelated groups of people (ie if you have ten buildings and ten departments that have people in a couple buildings each).... – rackandboneman May 17 '12 at 13:32
3 Answers
Group Policy depends on Active Directory, whether for security or normal policies, and therefore, it is crucial to understand Active Directory and its structure.
I would like you to go through this Microsoft KB article. I hope this will be useful for you, and the link I'm posting is for Windows 2000 as you did not mention for which Windows version you want to restrict.
For the sake of time, search for a third-party tool, as today there are many third-party tools available which are made to manage Active Directory in an easy way.
I recommend breaking out your users by organizational function and likewise with your computers. Create a GPO to restrict access to those computers to only members of that function's OU.
You could also create a Security Group for the users and a security group for the computers and restrict access to the computer group to only allow the members of the users' group. (This can be done in any number of ways.)
-
The OP asks: "How might I go about this?" Your answer: "This can be done in any number of ways." Can you amplify your reply to illustrate one of these ways? I'm after the same answer and your reply is not thorough enough. – Sandy May 10 '12 at 20:07
-
While I don't provide click-by-click directions or the code or commands to do so, I do in fact tell him exactly *what* to do without dictating the method that the OP must implement. There *are* many ways to go about it. – gWaldo May 10 '12 at 23:22
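One concrete way to carry out the second suggestion in the answer above (a security group for the users, with logon on the computers restricted to its members), as an added example that is not part of the original answer: the PowerShell below sets the "Allow log on locally" and "Allow log on through Remote Desktop Services" user rights on one computer with secedit. The `[Privilege Rights]` section it writes is the same security-template format a GPO carries in its GptTmpl.inf, so the two lines can be copied into a GPO (Computer Configuration, Windows Settings, Security Settings, Local Policies, User Rights Assignment) that the AD admins link to an OU or security-filter to a group of the affected computers. The domain `CORP` and the group `SectionA-Users` are assumed names; run the script elevated on each computer you want to restrict.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original thread. Restricts interactive and RDP
# logon on this computer to BUILTIN\Administrators plus one AD security group.
# Assumed (hypothetical) names: domain CORP, group CORP\SectionA-Users.
param(
    [string]$AllowedGroup = 'CORP\SectionA-Users'
)

$ErrorActionPreference = 'Stop'
$work = Join-Path $env:TEMP 'logon-restrict'
New-Item -ItemType Directory -Force -Path $work | Out-Null

# secedit templates list principals as "*SID", so resolve the group name first
# (this needs a reachable domain controller).
$groupSid = ([System.Security.Principal.NTAccount]$AllowedGroup).Translate(
    [System.Security.Principal.SecurityIdentifier]).Value
$adminsSid = 'S-1-5-32-544'   # well-known SID of BUILTIN\Administrators

# Keep Administrators in the list so you cannot lock yourself out of the box.
$allowed = "*$adminsSid,*$groupSid"

# Security template. The values REPLACE the current lists; they do not merge,
# so BUILTIN\Users (and therefore every other domain user) loses these rights.
$inf = @"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO`$"
Revision=1
[Privilege Rights]
SeInteractiveLogonRight = $allowed
SeRemoteInteractiveLogonRight = $allowed
"@
$infPath = Join-Path $work 'restrict-logon.inf'
# secedit reads templates as UTF-16LE.
Set-Content -Path $infPath -Value $inf -Encoding Unicode

# Snapshot the rights currently in effect so the change can be reverted with
#   secedit /configure /db revert.sdb /cfg before.inf /areas USER_RIGHTS
$before = Join-Path $work 'before.inf'
secedit /export /cfg $before /areas USER_RIGHTS | Out-Null

# Apply only the user-rights area of the template.
$db = Join-Path $work 'restrict-logon.sdb'
secedit /configure /db $db /cfg $infPath /areas USER_RIGHTS
if ($LASTEXITCODE -ne 0) {
    throw "secedit failed; see $env:windir\security\logs\scesrv.log"
}

# Verify by re-exporting and showing the two rights as they are now.
$after = Join-Path $work 'after.inf'
secedit /export /cfg $after /areas USER_RIGHTS | Out-Null
Get-Content $after | Where-Object { $_ -match '^Se(Remote)?InteractiveLogonRight' }
```

Two things to check before rolling this out: "Deny log on locally" and "Deny log on through Remote Desktop Services" always win over the allow lists, so an existing deny entry for the group will still block its members; and the network-logon right (SeNetworkLogonRight) is left untouched, so file shares and remote management from other users keep working. If a domain GPO later sets these same two rights, it overwrites the local values, which is exactly why moving the two lines into a GPO owned by the AD admins is the durable version of this fix.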
You don't mention information about what version of Windows is in use, most likely because you don't have access to the boxes. I would ask the administrators to either setup GPO rules against an OU as gWaldo mentions and have them delegate administration of that policy to you or have them setup item-level targeting against a specific group of users that you are able to control.
