1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Problem Restricting security groups from logging into machines

Discussion in 'Networks' started by simonp83, Feb 2, 2010.

  1. simonp83

    simonp83 Kilobyte Poster

    254
    4
    32
    Just a work query that one of the schools are "requesting" be implemented, googled it quick but was wondering if anyone on here would be able to offer any hints and tips. It's a school network and the request from the school is that none of the students be able to log into a teacher machine with their roaming profiles, it's a none issue purely because the teacher and student machines are all from the same image, all users use a redirected desktop and start menu so students get no access to teacher software, the local C:\ is invisible and completely inaccessible by any standard user and all data is stored on shared areas on the file server.

    Server 2008 network with Vista Business machines, all using a standard image.

    I don't know much about AD but would there be settings in there that i can investigate or some sort of group policy, whereby, it restricts access via a logon script in group policy for certain computer names on a domain?
     
    Certifications: A+, MCP, MCDST, MCTS, MCITP
    WIP: 70-291
  2. Sparky
    Highly Decorated Member Award

    Sparky Zettabyte Poster Moderator

    10,191
    299
    319
    Been a while since I have done this but you can restrict logons with a GPO.

    Computer Configuration / Windows Settings / Security Settings / Local Policies / User Rights Assignment / Log on Locally


    ....add the domain admins and perhaps a security group with the teacher user accounts to it. This should mean that only teachers and network admins can log into the "teacher" PCs.
     
    Certifications: MSc MCSE MCSA:M MCSA:S MCITP:EA MCTS(x5) Security+ Network+ A+
    WIP: Exchange 2007\2010
  3. onoski

    onoski Terabyte Poster

    3,120
    51
    154
    Yep! I would use the local policy on the computer to configure logon access etc.

    Have a look at the local policy on the computer through start > run > gpedit.msc > computer configuration > Windows settings > security settings etc.
     
    Certifications: MCSE: 2003, MCSA: 2003 Messaging, MCP, HNC BIT, ITIL Fdn V3, SDI Fdn, VCP 4 & VCP 5
    WIP: MCTS:70-236, PowerShell
  4. simonp83

    simonp83 Kilobyte Poster

    254
    4
    32
    Oh cool, as simple as i thought. thankyou :)
     
    Certifications: A+, MCP, MCDST, MCTS, MCITP
    WIP: 70-291
  5. Sparky
    Highly Decorated Member Award

    Sparky Zettabyte Poster Moderator

    10,191
    299
    319
    Perhaps easier to use a domain GPO if dealing with more than one PC though? :biggrin
     
    Certifications: MSc MCSE MCSA:M MCSA:S MCITP:EA MCTS(x5) Security+ Network+ A+
    WIP: Exchange 2007\2010
  6. simonp83

    simonp83 Kilobyte Poster

    254
    4
    32
    Silly question, if users login through their domain rather than locally, will this setting still apply? :oops:
     
    Certifications: A+, MCP, MCDST, MCTS, MCITP
    WIP: 70-291
  7. beaumontdvd

    beaumontdvd Kilobyte Poster

    487
    3
    32
    No, not that Im aware of it wont. Correct me if im wrong people :D As its a local security policy on the local machine. I think the domain policy kicks in when logging onto the domain? Besides would you need the setting on a domain? As surely teachers have credentials/passwords for logon?

    Regards,
     
    Last edited: Feb 4, 2010
    Certifications: 070-271, 070-272, (MCDST)Level 1,2,3 NVQ
    WIP: 070-270, A+, N+, S+,MCDST 7 Upgrade
  8. simonp83

    simonp83 Kilobyte Poster

    254
    4
    32
    They do login to the domain, their login doesn't work if they try to log in to the actual local machine itself, everything is done through the domain only with the desktops.
     
    Certifications: A+, MCP, MCDST, MCTS, MCITP
    WIP: 70-291
  9. beaumontdvd

    beaumontdvd Kilobyte Poster

    487
    3
    32
    Sorry read the question wrong.

    Dave
     
    Last edited: Feb 4, 2010
    Certifications: 070-271, 070-272, (MCDST)Level 1,2,3 NVQ
    WIP: 070-270, A+, N+, S+,MCDST 7 Upgrade
  10. Sparky
    Highly Decorated Member Award

    Sparky Zettabyte Poster Moderator

    10,191
    299
    319
    Yes, if you create the GPO on a domain controller.
     
    Certifications: MSc MCSE MCSA:M MCSA:S MCITP:EA MCTS(x5) Security+ Network+ A+
    WIP: Exchange 2007\2010

Share This Page

Loading...