Q: In Active Directory (AD), you can restrict which computers a user can log on to by clicking the Log On To button on the Account tab in the user’s properties. However, I want to set machine logon restrictions for all the members of our Sales Department group. It would take a fair amount of work to set these restrictions manually in the properties of all the individual user accounts. What’s the easiest way to set machine logon restrictions for an entire group?

A: Machine logon restrictions can’t be set in the properties of an AD group object. However, you can select multiple users at once from the Microsoft Management Console (MMC) Active Directory Users and Computers snap-in and open their properties. Select each member of the Sales Department group while holding down the Control key, or click the first user in the list, hold down the Shift key, and then click the last user in the list. Then click the Log On To button on the Account tab and enter the DNS or NetBIOS names of the computers from which members of the Sales Department group can log on in the Logon Workstations dialog box.
—Jan De Clercq
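
The same per-user setting can be scripted instead of multi-selecting accounts in the snap-in. The following is an added example, not part of the original answer. It assumes the ActiveDirectory PowerShell module (RSAT) is installed and that the group is named "Sales Department"; the computer names are constructed placeholders.

```powershell
# Added example, not from the original article.
# Requires the ActiveDirectory module (RSAT) and rights to modify the user accounts.
Import-Module ActiveDirectory

$GroupName    = 'Sales Department'          # assumed group name, taken from the question
$Workstations = 'SALES-PC01', 'SALES-PC02'  # constructed sample computer names
$Apply        = $false                      # $false = dry run (-WhatIf); set $true to write

# The Log On To list is stored on each user as one comma-separated string
$value = $Workstations -join ','

# -Recursive expands nested groups; keep only user objects,
# because a group can also contain computer accounts
$members = Get-ADGroupMember -Identity $GroupName -Recursive |
    Where-Object { $_.objectClass -eq 'user' }

$report = foreach ($m in $members) {
    $user    = Get-ADUser -Identity $m.distinguishedName -Properties LogonWorkstations
    $changed = $user.LogonWorkstations -ne $value

    if ($changed) {
        # With $Apply = $false this only prints what would be changed
        Set-ADUser -Identity $user -LogonWorkstations $value -WhatIf:(-not $Apply)
    }

    # Record the previous value so the change can be reviewed or reverted
    [pscustomobject]@{
        User     = $user.SamAccountName
        Previous = $user.LogonWorkstations
        New      = $value
        Changed  = $changed
    }
}

$report | Format-Table -AutoSize
```

Because the restriction lives on each user account and not on the group, users added to the group later are not covered until the script is run again.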


This requires however the specific computers to be part of an easily managed OU-structure.
See http://support.microsoft.com/kb/279301 and http://support.microsoft.com/kb/810076 for more info about restricted groups.
denli September 24, 2008