GPO for Schedule Restricted Logon?

RZetlinRZetlin Inactive Imported Users Posts: 155
in Server 70-290
Is there a GPO which allows me to controls who can log on to a comptuer and when?
· Share on FacebookShare on Twitter

Comments

  • sprkymrksprkymrk Member Posts: 4,884 ■■■□□□□□□□
    I'll double check, but as far as I know you control that through the user's account properties in ADUC. It's on the ACCOUNT tab - "log on to" and "logon hours" buttons.
    All things are possible, only believe.
    · Share on FacebookShare on Twitter
  • zenboyzenboy Member Posts: 196
    RZetlin wrote:
    Is there a GPO which allows me to controls who can log on to a comptuer and when?
    yes. It's called auditing. To enable auditing on domain, use Domain Controller Security Policy console; On local machine, use Local Security Policy console. Navigate to Audit Object Access and turn it on.
    After this, you need to go to the Advancd Security setting and click Auditing tab on the object (ou, domain, etc.) and apply Successful or/and Failure checkbox (this process is similar to applying NTFS permission. This is a summary; you might need look up on this for details. Hope that helps.
    "In the beginner's mind there are many possibilities, but in the expert's there are few" - S.Suzuki
    · Share on FacebookShare on Twitter
  • sprkymrksprkymrk Member Posts: 4,884 ■■■□□□□□□□
    zenboy wrote:
    RZetlin wrote:
    Is there a GPO which allows me to controls who can log on to a comptuer and when?
    yes. It's called auditing. To enable auditing on domain, use Domain Controller Security Policy console; On local machine, use Local Security Policy console. Navigate to Audit Object Access and turn it on.
    After this, you need to go to the Advancd Security setting and click Auditing tab on the object (ou, domain, etc.) and apply Successful or/and Failure checkbox (this process is similar to applying NTFS permission. This is a summary; you might need look up on this for details. Hope that helps.

    Actually, that will let you see who logs on and when, but not control it. I think he wants to control it. Maybe RZeltin can clarify for us.
    All things are possible, only believe.
    · Share on FacebookShare on Twitter
  • vexvex Member Posts: 113
    zenboy wrote:
    RZetlin wrote:
    Is there a GPO which allows me to controls who can log on to a comptuer and when?
    yes. It's called auditing. To enable auditing on domain, use Domain Controller Security Policy console; On local machine, use Local Security Policy console. Navigate to Audit Object Access and turn it on.
    After this, you need to go to the Advancd Security setting and click Auditing tab on the object (ou, domain, etc.) and apply Successful or/and Failure checkbox (this process is similar to applying NTFS permission. This is a summary; you might need look up on this for details. Hope that helps.

    This does not CONTROL which users can login and when they can login. This only tells you who and when.
    Ancient Certs:
    Exam 70-064: Implementing and Supporting Microsoft Windows® 95
    Exam 70-067: Implementing and Supporting Microsoft Windows NT Server 4.0
    · Share on FacebookShare on Twitter
  • zenboyzenboy Member Posts: 196
    my mistake. should have read his post more thoroughly.
    "In the beginner's mind there are many possibilities, but in the expert's there are few" - S.Suzuki
    · Share on FacebookShare on Twitter
  • jim_staszjim_stasz Member Posts: 123
    What a bunch-o-nerds....

    (I mean that with the utmost respect....) :D
    · Share on FacebookShare on Twitter
  • zenboyzenboy Member Posts: 196
    jim_stasz wrote:
    What a bunch-o-nerds....

    (I mean that with the utmost respect....) :D

    Ditto to you. After all, you are a member. icon_lol.gif

    here is a great site about Controlling Logon Access with a Group Policy Object: http://www.cmu.edu/computing/andrew-windows/AndrewWindowsAdminGuide.html#LogonAccessGPO
    "In the beginner's mind there are many possibilities, but in the expert's there are few" - S.Suzuki
    · Share on FacebookShare on Twitter
  • TrailerisfTrailerisf Member Posts: 455
    sprkymrk wrote:
    I'll double check, but as far as I know you control that through the user's account properties in ADUC. It's on the ACCOUNT tab - "log on to" and "logon hours" buttons.
    He is correct. You can limit logon hrs and locations at the same place.
    On the road to Cisco. Will I hunt it, or will it hunt me?
    · Share on FacebookShare on Twitter
  • sprkymrksprkymrk Member Posts: 4,884 ■■■□□□□□□□
    zenboy wrote:
    here is a great site about Controlling Logon Access with a Group Policy Object: http://www.cmu.edu/computing/andrew-windows/AndrewWindowsAdminGuide.html#LogonAccessGPO

    The only problem with that method is that you have to have several GPO's in place or a subOU for each. For instance, if I only want each user to be able to log on to his/her computer and no others, it would be near impossible with this GPO. This GPO is more for limiting a group of users to a set of computers. For example, I have used this for a school where I divided the faculty computers from the student/lab computers into seperate OU's. I then set this policy so that only users in the Faculty group could log on to computers in the Faculty OU.

    If, on the other hand, I only wanted each teacher to be able to log on to the computer in their own class room, and each student to only log on to a specific computer (lab1, lab2, etc.) then it would not be feasable wth this policy. I would have to use the "user" properties sheet.
    All things are possible, only believe.
    · Share on FacebookShare on Twitter
  • OlajuwonOlajuwon Inactive Imported Users Posts: 356
    jim_stasz wrote:
    What a bunch-o-nerds....

    (I mean that with the utmost respect....) :D

    icon_lol.gif
    "And in the end, it's not the years in your life that count. It's the life in your years"
    · Share on FacebookShare on Twitter
Sign In or Register to comment.