Tip

Use GPOs to specify Windows network access for users

Question: I am trying to take a single machine on my Microsoft Windows network and give only specific users access to it. It is impractical to assign every user specific machines to log onto and would be easier to only allow certain users Windows network access to this machine. How would I accomplish this?
-- Question posed by a SearchWindowsSecurity.com reader.

Windows networking security expert Wes Noonan offers this response:

Unfortunately, there is not an easy way to manage Windows network access in this way. Based on your question, I'm guessing you discovered the "Log On To" button in the user's properties and then realized you would need to make changes on every user account for every computer you wanted them to be able to log in with. Not a pleasant thought.

Another option is to try using Group Policy Objects (GPOs). Create an organizational unit (OU) for the computer in question, and then add the computer to said OU. Create a group in your Windows network for the users you want to have the ability to log into this computer and add the appropriate users to it. Do not add it to the OU.

Right-click on the OU and bring up the properties. Select the Group tab, then create a new GPO by clicking on the New button. Name the GPO accordingly and click Edit.

Expand Computer Configuration, Windows Settings, Security Settings, Local Policies and click on User Rights Assignments. This will bring up the user rights in the right pane.

You are going to want to edit the following policies:

  • Access this computer from the network
  • Allow Logon through Terminal Services
  • Log on locally (may be named Allow log on locally)

You can do this by double-clicking on the policy. Check the box "Define these policy settings" and click Add User or Group to add the group you previously defined. Keep in mind that you must grant administrators the right to log on locally (and, in fact, I recommend granting them all of the rights listed).


This was first published in September 2007
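
To confirm the GPO actually took effect on the restricted machine, the three rights can be checked against a `secedit /export /cfg rights.inf /areas USER_RIGHTS` export. The following is an added example, not part of the original tip; the group SID and the sample export are constructed, and it assumes principals appear in the export as `*SID` entries.

```python
# Constants as written in a secedit export, mapped to the policy names in the tip.
RIGHTS = {
    "SeNetworkLogonRight": "Access this computer from the network",
    "SeRemoteInteractiveLogonRight": "Allow Logon through Terminal Services",
    "SeInteractiveLogonRight": "Log on locally",
}
ADMINS = "*S-1-5-32-544"  # well-known SID of BUILTIN\Administrators

# Constructed group SID and constructed export text, for illustration only.
GROUP = "*S-1-5-21-1111111111-2222222222-3333333333-1601"
SAMPLE = f"""[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = {ADMINS},{GROUP}
SeRemoteInteractiveLogonRight = {GROUP}
SeInteractiveLogonRight = {ADMINS},{GROUP},*S-1-5-32-545
[Version]
signature="$CHICAGO$"
"""

def parse_rights(inf_text):
    """Return {right: set(principals)} from the [Privilege Rights] section."""
    rights, in_section = {}, False
    for line in inf_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
        elif in_section and "=" in line:
            name, _, value = line.partition("=")
            rights[name.strip()] = {p.strip() for p in value.split(",") if p.strip()}
    return rights

def audit(inf_text, allowed_group):
    """Return findings; an empty list means all three rights match the tip."""
    rights = parse_rights(inf_text)
    findings = []
    for const, label in RIGHTS.items():
        holders = rights.get(const)
        if holders is None:
            findings.append(f"{label}: not defined")
            continue
        # The tip recommends Administrators on every right, plus the access group.
        for required in (ADMINS, allowed_group):
            if required not in holders:
                findings.append(f"{label}: missing {required}")
        for extra in sorted(holders - {ADMINS, allowed_group}):
            findings.append(f"{label}: unexpected {extra}")
    return findings
```

On the constructed sample, `audit(SAMPLE, GROUP)` reports that Administrators are missing from the Terminal Services right and that the built-in Users group (`*S-1-5-32-545`) can still log on locally. secedit writes its export as UTF-16, so open a real file with `encoding="utf-16"`.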
