Thank you for the suggestions. 
 
We had originally considered a GPO (and ultimately may have to go back that direction) but had dismissed the idea due (in large part) to the socio-political structure we have (who would have believed a university could be so political, I know I didn't).  Each OU represents a separate college or major organization which enjoys a kind of autonomy.  They manage the GPOs and computer activities within their OU; users are centrally managed.  In order to implement a GPO that might affect an OU, we end up needing to get their permission (odd, I know, but it was a compromise worked out over several years' worth of negotiations (which, by the way, are still ongoing) with the different colleges, unions, and organizations involved in an effort to unify services and provide platform-independent IdM (Identity Management) and single sign-on for the staff, faculty, and students across the campus).  I was hoping for something less invasive, which is why I had tried the "Log On To" method.
 
Come to think of it, I need to check when they (and who "they" are that) added politician to my job description, but that's a different issue for another time.
 
Thank you again for the suggestions, they are appreciated.

David Aragon

 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Za Vue
Sent: Thursday, November 03, 2005 10:11 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Limiting User Logon to Specific Machines

I agree that GPO is the route to take. There is too much work keying in what workstations an account can log into.  I placed all lab machines and lab accounts into a single OU and apply GPO.

ASB wrote:
One option is to deny Logon access to this account via User Rights on
machines outside the lab.

Configure with GPO.

-ASB
 FAST, CHEAP, SECURE: Pick Any TWO
 http://www.ultratech-llc.com/KB/


On 11/3/05, David Aragon <[EMAIL PROTECTED]> wrote:
  
Background:
We are a fair sized university.  Before any students can use any of the
computing resources on campus they have to demonstrate a level of knowledge
or take a class (3 hours a week for 16 weeks) on basic computing skills
(this class also covers how to use the various pieces of software available
to them in the regular computing labs across campus).

The lab we use consists of about 250 workstations.  There are usually three
full classes run each semester.  To simplify things, we have created a
communal user for use within the lab.  This carries with it certain security
risks we are trying to minimize.  One thing we wanted to do was to limit the
use of this communal user to the systems within the lab.  That is, we don't
want this user object to be able to log on to any other system within the
university (1 domain, 1 site, approx 8000 systems across 18 OUs).

Problem:
The "Log On To" setting in the user object seems to be limited to 64 NetBIOS
names and 1024 bytes of information.

Does anyone have any ideas?  I'm sure I've just overlooked something basic.

Thank you in advance for your comments and suggestions.

David Aragon

List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
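
Added example, not part of any message in this thread: a check that the deny-logon user right suggested above has actually reached every machine outside the lab and has not been applied to a lab machine by mistake. It assumes each machine's user-rights policy was exported with `secedit /export /areas USER_RIGHTS /cfg <file>` and read in as text; the account SID, host names and INF contents are constructed placeholders.

```python
# Constructed sample data: the SID, host names and INF text are illustrative only.
LAB_ACCOUNT_SID = "S-1-5-21-1111111111-2222222222-3333333333-1105"
LAB_HOSTS = {"LAB-001", "LAB-002"}
DENY_RIGHT = "SeDenyInteractiveLogonRight"

def _inf(rights_line):
    """Build a minimal secedit-style export around one [Privilege Rights] line."""
    return ("[Unicode]\nUnicode=yes\n[Privilege Rights]\n" + rights_line +
            "\n[Version]\nsignature=\"$CHICAGO$\"\nRevision=1\n")

SAMPLE_EXPORTS = {
    "LAB-001": _inf("SeDenyInteractiveLogonRight = *S-1-5-32-546"),
    "LAB-002": _inf("SeDenyInteractiveLogonRight = *S-1-5-32-546,*" + LAB_ACCOUNT_SID),
    "ENG-WS-17": _inf("SeDenyInteractiveLogonRight = *" + LAB_ACCOUNT_SID),
    "LIB-WS-03": _inf("SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545"),
}

def privilege_rights(inf_text):
    """Return {right name: set of principals} from the [Privilege Rights] section."""
    rights, section = {}, None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "privilege rights" and "=" in line:
            name, _, value = line.partition("=")
            # SIDs are written with a leading '*'; strip it and compare case-insensitively.
            rights[name.strip()] = {p.strip().lstrip("*").lower()
                                    for p in value.split(",") if p.strip()}
    return rights

def audit(exports, account_sid, lab_hosts):
    """Return (non-lab hosts missing the deny, lab hosts that wrongly carry it)."""
    # Assumption: the account is listed by SID, not by name, in the export.
    sid = account_sid.lower()
    lab = {h.lower() for h in lab_hosts}
    unprotected, locked_out = [], []
    for host, text in sorted(exports.items()):
        denied = sid in privilege_rights(text).get(DENY_RIGHT, set())
        if host.lower() in lab:
            if denied:
                locked_out.append(host)
        elif not denied:
            unprotected.append(host)
    return unprotected, locked_out

if __name__ == "__main__":
    missing, misapplied = audit(SAMPLE_EXPORTS, LAB_ACCOUNT_SID, LAB_HOSTS)
    print("Non-lab hosts where the lab account can still log on:", missing)
    print("Lab hosts where the lab account is denied:", misapplied)
```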
    