Windows Server 2012 Active Directory Group Policy Help

D3LTA9
Go to solution Solved by Redportal,

Hi everyone,

Currently setting up a test bed network for a fictitious company for a university project. I have very little experience working with Server 2012 but am enjoying the learning experience. I am doing this all via VMs as well.

So essentially my question is: if I want to, say, create a group of users and a group of computers and say these users in X group have permission to log on to any of the computers in Y group, how would I do that? I understand how to do it individually for each user, and in this case, as it is only a small business, it would be fine to do this, but for scalability I would rather be able to group them as I mentioned.

At the moment I have three sites (one HQ with the DC and 2 branches that have RODCs) and have created an organisational unit for each and an employee user group and employee computer group at each site.

I want to allow all users at each site to access any of the PCs at the site but not the ones at the other sites. Each site is also on its own subnet, which I have added to the site subnet configuration.

Can this be done? Or have I completely misunderstood something?

I hope that makes sense! I apologise for my general lack of understanding.

Thanks for any input!


You could have gotten away with just using Organizational Units. Anyway, you can keep the groups. Make a group policy object for each OU, and restrict access from there. You want to change User Configuration, then I think you just need to select the OU with the computers.


Hello D3LTA9,

Just to expand on what dzonidev was explaining, this can be enforced using a GPO and your pre-existing organisational units.

I would also like to say in advance I have not personally done this before; however, if you run into any problems just let me know and I will try my best to assist you.

The first step would be to create a new GPO. This can be called anything you want; however, I would suggest something such as "Restrict PC logins (Room10)" etc.

Now create a new security group and add the users you would like to restrict login access to.

Next you want to find the following policy: "Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment > Deny Login Locally Setting".

On the next screen you should see a new window appear once you open the "Deny Login Locally" policy. You want to tick the define check box and add the security group you created at the start.

Now you can apply the policy to the machines you would like to restrict login access to.

Once the above steps have been completed, remember to either reboot the machine or run "gpupdate /force" to reload the policies. Then it should be ready for testing.  ;)

Connor Freebairn - ConnorFreebairn@newman.cumbria.sch.uk
IT Technician & Certified computer geek.
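
A way to confirm the procedure in the answer above took effect on a target PC, added here as an example and not part of the original post: the "Deny log on locally" user right appears as `SeDenyInteractiveLogonRight` in a `secedit` export, and the script checks that the restricted group's SID is listed there. The function names, the `CORP\Branch2-Employees` group name and the sample SID are assumptions made up for the example.

```powershell
# Added example (not from the thread). Checks whether a group's SID is listed
# under SeDenyInteractiveLogonRight ("Deny log on locally") in a secedit export.

function Get-DenyLocalLogonEntries {
    param([string[]]$InfLines)
    # Export format:  SeDenyInteractiveLogonRight = *S-1-5-21-...,Guest
    # The ^ anchor keeps SeInteractiveLogonRight (the allow right) from matching.
    $line = $InfLines |
        Where-Object { $_ -match '^\s*SeDenyInteractiveLogonRight\s*=' } |
        Select-Object -First 1
    if (-not $line) { return }          # right is not defined on this machine
    (($line -split '=', 2)[1]).Split(',') |
        ForEach-Object { $_.Trim() } |
        Where-Object { $_ }
}

function Test-GroupDeniedLocalLogon {
    param([string[]]$InfLines, [string]$GroupSid)
    # SIDs are written with a leading '*' in the export.
    foreach ($entry in @(Get-DenyLocalLogonEntries -InfLines $InfLines)) {
        if ($entry -eq "*$GroupSid") { return $true }
    }
    return $false
}

function Get-LocalUserRightsInf {
    # Live export of the effective user rights; needs an elevated session.
    $cfg = Join-Path $env:TEMP 'user-rights.inf'
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    try { Get-Content $cfg } finally { Remove-Item $cfg -ErrorAction SilentlyContinue }
}

# Constructed sample export, so the parser can be tried without a domain.
$sampleSid = 'S-1-5-21-1111111111-2222222222-3333333333-1105'   # constructed SID
$sample = @(
    '[Unicode]', 'Unicode=yes', '[Privilege Rights]',
    'SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545',
    "SeDenyInteractiveLogonRight = Guest,*$sampleSid"
)
Test-GroupDeniedLocalLogon -InfLines $sample -GroupSid $sampleSid
Test-GroupDeniedLocalLogon -InfLines $sample -GroupSid 'S-1-5-32-545'

# On a target PC after "gpupdate /force" (group name is a placeholder):
# $sid = ([System.Security.Principal.NTAccount]'CORP\Branch2-Employees').Translate(
#            [System.Security.Principal.SecurityIdentifier]).Value
# Test-GroupDeniedLocalLogon -InfLines (Get-LocalUserRightsInf) -GroupSid $sid
```

Running the same check on a PC in another OU, where the GPO is not linked, shows whether the restriction is scoped only to the intended machines.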


Thank you both for your help, it is much appreciated! All working as it should now.
