Restrict a group of users to a group of computers?

Status
Not open for further replies.

Malander1

Technical User
Feb 3, 2010
1
CA
Here's what I am trying to do...

I need to find a way to lock out a specific group of users from logging onto the network from any computers except those designated for them. They have their own OU in Active Directory (Server 2008 Enterprise) and I have them isolated in their own subnet.

Can I force them to log onto systems on their subnet only or is there a GPO setting I am not seeing that would allow me to deny anyone in their group access to all other network stations?

I'd be most grateful for a speedy reply if at all possible.
Thank you,
 
Open the user's object in Active Directory. Go to the Account tab. Click the Logon To button and list the PCs that they are allowed to log on to. This allows you to restrict individual users to a specific PC or list of PCs.

Or you can create a GPO that uses the Computer Configuration --> Windows Settings --> Security Settings --> Local Policies --> User Rights Assignment --> Deny Logon Locally setting. You would specify the security group of the restricted users in the GPO, then apply it to all PCs in the domain other than the ones that they are allowed to use. You would keep the GPO from applying to a group of PCs that they are allowed to use by putting those PCs into a security group that does not get the GPO applied (security filtering). This would allow you to restrict a group of users to a group of PCs.

________________________________________
CompTIA A+, Network+, Server+, Security+
MCTS:Windows 7
MCTS:Hyper-V
MCTS:System Center Virtual Machine Manager
MCTS:Windows Server 2008 R2, Server Virtualization
MCSE:Security 2003
MCITP:Enterprise Administrator
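
The per-user "Logon To" list described in the reply above can be set in bulk for a whole OU. The following is an added example, not part of the original thread; it assumes the ActiveDirectory PowerShell module is available, and the two OU distinguished names are hypothetical placeholders.

```powershell
# Added example: restrict every user in one OU to the computers in another OU
# by setting the "Log On To" list (userWorkstations attribute) in bulk.
Import-Module ActiveDirectory

# Hypothetical placeholders: replace with the real OU distinguished names.
$UserOU     = 'OU=RestrictedUsers,DC=example,DC=local'
$ComputerOU = 'OU=RestrictedPCs,DC=example,DC=local'

# Build the comma-separated list of computer names the users may log on to.
$names = Get-ADComputer -SearchBase $ComputerOU -Filter * |
    Sort-Object Name |
    Select-Object -ExpandProperty Name
if (-not $names) { throw "No computer accounts found under $ComputerOU" }
$workstations = $names -join ','

# userWorkstations is capped at 1024 characters in the AD schema.
# Stop instead of writing a truncated (and therefore wrong) list.
if ($workstations.Length -gt 1024) {
    throw "List is $($workstations.Length) characters; use the deny-logon GPO approach instead."
}

# Preview the change for every user whose list differs.
# Remove -WhatIf once the preview output looks right.
Get-ADUser -SearchBase $UserOU -Filter * -Properties LogonWorkstations |
    Where-Object { $_.LogonWorkstations -ne $workstations } |
    Set-ADUser -LogonWorkstations $workstations -WhatIf

# Audit: after the real run this should return nothing. Any row is a user
# whose list is empty (unrestricted) or out of date.
Get-ADUser -SearchBase $UserOU -Filter * -Properties LogonWorkstations |
    Where-Object { $_.LogonWorkstations -ne $workstations } |
    Select-Object SamAccountName, LogonWorkstations
```

New accounts created in the OU later start with an empty list, so the audit query is worth re-running on a schedule.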
 