Limit domain users on a computer

[JVANH]

You know how you can limit a user to logon to only specified machines on the network. I want to be able to limit who can logon to a specific computer on a network. I have written a .bat file that will check to see who logs on and if it's not the correct person it logs them off. I have it in the startup items. It works but it is not very elegant. It starts after other items have started to load and causes all sorts of errors and false starts. I am looking for some way to acomplish this right from the logon screen before it starts any programs. Any sugestions will be appreciated.

 

[PScottC]

Are you doing this to a large number of systems or just a few? If a few (5 or less), then you can modify the "Log on Locally" privilege in the local system policy or a domain policy that only applies to that system.

PSC

Governments and corporations need people like you and me. We are samurai. The keyboard cowboys. And all those other people out there who have no idea what's going on are the cattle. Mooo! --Mr. The Plague, from the movie "Hackers

 

[JVANH]

These are teacher machines in a Lab setting at a University. There shouldn't be many. I'll look into this solution.

 

[rmcp2k]

very very simple, you can do this in AD. Under each spefic user account you want and click "log on to" which you can specify which computer that account have rights to log on too.

 

[PScottC]

rmcp --

re-read the question. JVanh wants to limit the other way around. Please post alternate solution.

PSC

Governments and corporations need people like you and me. We are samurai. The keyboard cowboys. And all those other people out there who have no idea what's going on are the cattle. Mooo! --Mr. The Plague, from the movie "Hackers

 

[rmcp2k]

quote "You know how you can limit a user to logon to only specified machines on the network."

Tell me what did i missed?

 

[PScottC]

He wants to keep a bunch of users away from one PC but allow them to logon unrestricted otherwise.

PSC

Governments and corporations need people like you and me. We are samurai. The keyboard cowboys. And all those other people out there who have no idea what's going on are the cattle. Mooo! --Mr. The Plague, from the movie "Hackers

 

[markdmac]

My solution for this would be to use vbscript.

Simple enough matter. Take your users and make them part of a "not this computer" group called somehting simple like "nomachine1."

Next use vbscript to determine the user name and machine names at login. Bind to the user object and check group memberships. If the user is a member of nomachine1 AND the machine name = machien one, then force logoff.

For the non-script saavy it may sound scary but all of the tough code you need is in my FAQ already written. faq329-5798

So all you need is the WMI code to force logoff.

strComputer = "."
Set OpSysSet=GetObject("winmgmts:{(Debug,RemoteShutdown)}//" _ 
& strComputer & "/root/cimv2").ExecQuery( _ 
"Select * from Win32_OperatingSystem where Primary=true") 
for each OpSys in OpSysSet 
    OpSys.Win32Shutdown(4) 
next

I hope you find this post helpful.

Regards,

Mark

Check out my scripting solutions at

http://www.thespidersparlor.com/vbscript