GPO for Schedule Restricted Logon?

Is there a GPO which allows me to controls who can log on to a comptuer and when?

Find more posts tagged with

Comments

I'll double check, but as far as I know you control that through the user's account properties in ADUC. It's on the ACCOUNT tab - "log on to" and "logon hours" buttons.

zenboy

RZetlin wrote:

Is there a GPO which allows me to controls who can log on to a comptuer and when?

yes. It's called auditing. To enable auditing on domain, use Domain Controller Security Policy console; On local machine, use Local Security Policy console. Navigate to Audit Object Access and turn it on.
After this, you need to go to the Advancd Security setting and click Auditing tab on the object (ou, domain, etc.) and apply Successful or/and Failure checkbox (this process is similar to applying NTFS permission. This is a summary; you might need look up on this for details. Hope that helps.

sprkymrk

zenboy wrote:

RZetlin wrote:

Is there a GPO which allows me to controls who can log on to a comptuer and when?

yes. It's called auditing. To enable auditing on domain, use Domain Controller Security Policy console; On local machine, use Local Security Policy console. Navigate to Audit Object Access and turn it on.
After this, you need to go to the Advancd Security setting and click Auditing tab on the object (ou, domain, etc.) and apply Successful or/and Failure checkbox (this process is similar to applying NTFS permission. This is a summary; you might need look up on this for details. Hope that helps.

Actually, that will let you see who logs on and when, but not control it. I think he wants to control it. Maybe RZeltin can clarify for us.

vex

zenboy wrote:

RZetlin wrote:

Is there a GPO which allows me to controls who can log on to a comptuer and when?

yes. It's called auditing. To enable auditing on domain, use Domain Controller Security Policy console; On local machine, use Local Security Policy console. Navigate to Audit Object Access and turn it on.
After this, you need to go to the Advancd Security setting and click Auditing tab on the object (ou, domain, etc.) and apply Successful or/and Failure checkbox (this process is similar to applying NTFS permission. This is a summary; you might need look up on this for details. Hope that helps.

This does not CONTROL which users can login and when they can login. This only tells you who and when.

zenboy

my mistake. should have read his post more thoroughly.

jim_stasz

What a bunch-o-nerds....

(I mean that with the utmost respect....)

zenboy

jim_stasz wrote:

What a bunch-o-nerds....

(I mean that with the utmost respect....)

Ditto to you. After all, you are a member.

here is a great site about Controlling Logon Access with a Group Policy Object: http://www.cmu.edu/computing/andrew-windows/AndrewWindowsAdminGuide.html#LogonAccessGPO

Trailerisf

sprkymrk wrote:

I'll double check, but as far as I know you control that through the user's account properties in ADUC. It's on the ACCOUNT tab - "log on to" and "logon hours" buttons.

He is correct. You can limit logon hrs and locations at the same place.

sprkymrk

zenboy wrote:

here is a great site about Controlling Logon Access with a Group Policy Object: http://www.cmu.edu/computing/andrew-windows/AndrewWindowsAdminGuide.html#LogonAccessGPO

The only problem with that method is that you have to have several GPO's in place or a subOU for each. For instance, if I only want each user to be able to log on to his/her computer and no others, it would be near impossible with this GPO. This GPO is more for limiting a group of users to a set of computers. For example, I have used this for a school where I divided the faculty computers from the student/lab computers into seperate OU's. I then set this policy so that only users in the Faculty group could log on to computers in the Faculty OU.

If, on the other hand, I only wanted each teacher to be able to log on to the computer in their own class room, and each student to only log on to a specific computer (lab1, lab2, etc.) then it would not be feasable wth this policy. I would have to use the "user" properties sheet.

Olajuwon

jim_stasz wrote:

What a bunch-o-nerds....

(I mean that with the utmost respect....)