Lockdown Group

Lee H Posts: 1,135 Member
Hi

Can anyone help me with this? I need to find out the simplest way of implementing a lockdown on many PCs.

We are in the process of visiting each PC in an organisation of 3000; we lock down each PC to only allow people to log in if they are in a certain security group, let's call it the "lockdown group".

If anyone who is not in the "lockdown group" tries to log in to the PC, it will not let them. In order for the user of the PC to be able to log in, we are adding the following to a local group policy:

Control Panel - Administrative Tools - Local Security Policy - Local Policies - User Rights Assignment - "Log on locally". In here we add the group "lockdown group"; the user is also a member of this lockdown group.

What I need to do is apply this at domain level, but I don't want it to apply to all PCs, as we have not visited all of them; we only want it to apply to PCs which we have done.

Also, just to add, the functional level of this domain is "Windows 2003 Server interim", so group nesting is not an option.

Any help would be great

Lee H
.

Comments

  • Claymoore Posts: 1,637 Member
    You can selectively apply group policy in a combination of 3 ways:

    1. Organizational Unit - move the PCs to this OU after they have been locked down.
    2. WMI Filter - Probably won't help here unless you install a program as a part of your lockdown process whose existence can somehow be queried by WMI.
    3. Security Group - Computers can be members of security groups too. Create the GPO, only grant rights to the computer security group, and add computers to the group after they have been locked down.

    Create the GPO and grant your approved groups of users the 'Log on Locally' right. Then apply the GPO at the needed OU level and filter as necessary.

    BTW, any reason why you are still at the interim level? Do you have an NT4 DC around somewhere?
  • sprkymrk Posts: 4,884 Member
    Are you doing this so that only the actual assigned user of that computer can log in to it?

    If that is the case, I would go to the User properties in AD and on the "Account" tab, use the "Log on to" button and then add the computer name of the workstation they are allowed to log in to. This could all be done from your desk, rather than visiting each computer.
    All things are possible, only believe.
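    The "Log on to" restriction sprkymrk describes, as an added example that is not code from this thread: it uses the Microsoft ActiveDirectory PowerShell module rather than the Active Directory Users and Computers dialog, and assumes that module (RSAT) is installed and the caller may modify the user object. The account name jsmith and the workstation names are constructed.

```powershell
# Added example: manage a user's "Log on to" list (the LogonWorkstations /
# userWorkstations attribute) from the admin's desk. Assumes the
# ActiveDirectory module is available and the caller can modify the user.
Import-Module ActiveDirectory

function Add-LogonWorkstation {
    <#
      Append one or more workstation names to a user's "Log on to" list.
      The attribute is a single comma-separated string, so a plain
      Set-ADUser -LogonWorkstations call REPLACES the whole list: read,
      merge, then write, or earlier entries silently vanish.
    #>
    param(
        [Parameter(Mandatory)] [string]   $SamAccountName,
        [Parameter(Mandatory)] [string[]] $Workstation,   # NetBIOS names, e.g. PC0123
        [switch] $WhatIf
    )
    $user = Get-ADUser -Identity $SamAccountName -Properties LogonWorkstations
    $current = @()
    if ($user.LogonWorkstations) { $current = $user.LogonWorkstations -split ',' }
    $merged = @($current + $Workstation |
        ForEach-Object { $_.Trim().ToUpperInvariant() } |
        Where-Object { $_ } |
        Sort-Object -Unique)
    Set-ADUser -Identity $SamAccountName -LogonWorkstations ($merged -join ',') -WhatIf:$WhatIf
    return $merged
}

function Get-LogonWorkstation {
    # Show the effective list; an empty result means "all computers".
    param([Parameter(Mandatory)] [string] $SamAccountName)
    $user = Get-ADUser -Identity $SamAccountName -Properties LogonWorkstations
    if ($user.LogonWorkstations) { $user.LogonWorkstations -split ',' } else { @() }
}

# Constructed usage (the account and PC names are made up for this example):
# Add-LogonWorkstation -SamAccountName 'jsmith' -Workstation 'PC0123','PC0124' -WhatIf
# Get-LogonWorkstation -SamAccountName 'jsmith'
```

    Note that this restricts the user account rather than the computer: the domain controller enforces it from the workstation name presented at logon, and it grants no rights on the listed machines. It therefore answers a different requirement from locking down specific PCs for everyone, which is the distinction sprkymrk's question is getting at.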
  • wedge1988 Posts: 434 Member
    Your best bet is to organise your Active Directory and add groups and computers to OUs, then apply group policies to each group.

    Computer Configuration > Windows Settings > Security Settings > Local policies > User Rights Assignment >

    either:

    "Deny log on locally" to deny user log-ons

    or

    "Allow Log on locally" to allow users access only.

    Give it a go!
    ~ wedge1988 ~ IdioT Certified~
    MCSE:2003 ~ MCITP:EA ~ CCNP:R&S ~ CCNA:R&S ~ CCNA:Voice ~ Office 2000 MASTER ~ A+ ~ N+ ~ C&G:IT Diploma ~ Ofqual Entry Japanese
  • wedge1988 Posts: 434 Member
    @ sprkymrk

    If they did it that way and they wanted access to things such as Outlook Web Access, then they would be denied access! I've done it before, it sucks lol. Good idea though!
    ~ wedge1988 ~ IdioT Certified~
    MCSE:2003 ~ MCITP:EA ~ CCNP:R&S ~ CCNA:R&S ~ CCNA:Voice ~ Office 2000 MASTER ~ A+ ~ N+ ~ C&G:IT Diploma ~ Ofqual Entry Japanese
  • sprkymrk Posts: 4,884 Member
    wedge1988 wrote: »
    @ sprkymrk

    If they did it that way and they wanted access to things such as Outlook Web Access, then they would be denied access! I've done it before, it sucks lol. Good idea though!

    I don't follow you. How would setting the User properties to only allow logon to a particular workstation stop them from accessing a web site? And if indeed it is a weird MS thing, simply add the Exchange server to the list.
    All things are possible, only believe.
  • Lee H Posts: 1,135 Member
    @ Claymoore

    You can selectively apply group policy in a combination of 3 ways:

    1. Organizational Unit - move the PCs to this OU after they have been locked down.

    Can't do this; they already come under other GPOs, so the computer account has to stay where it is.

    2. WMI Filter - Probably won't help here unless you install a program as a part of your lockdown process whose existence can somehow be queried by WMI.

    We have W2K machines, so this can't be done.


    3. Security Group - Computers can be members of security groups too. Create the GPO, only grant rights to the computer security group, and add computers to the group after they have been locked down.

    This is the best way; I just don't know the easiest and least-admin-effort way to do it.


    Create the GPO and grant your approved groups of users the 'Log on Locally' right. Then apply the GPO at the needed OU level and filter as necessary.

    BTW, any reason why you are still at the interim level? Do you have an NT4 DC around somewhere?

    Yes, well done Sherlock, lol


    @ sprkymrk

    Are you doing this so that only the actual assigned user of that computer can log in to it?

    No, each user can log in anywhere; once we have visited each PC, we need to stop other users logging in who we have not yet been to.


    Thanks for your help guys
    .
  • HeroPsycho Posts: 1,940 Inactive Imported Users
    Lee H wrote: »
    3. Security Group - Computers can be members of security groups too. Create the GPO, only grant rights to the computer security group, and add computers to the group after they have been locked down.

    This is the best way; I just don't know the easiest and least-admin-effort way to do it.

    Use the Quest AD cmdlets:

    # Read the names of the PCs you have already completed, one per line
    $computers = Get-Content computersyoucompleted.txt
    # Add them all to the group in a single call
    Add-QADGroupMember -Identity "Name of Security Group" -Member $computers

    If you mark the computer accounts in AD that you have completed somehow, you can adapt the $computers variable to get those computers using a Get-QADComputer one-liner with the appropriate filter.
    Good luck to all!
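    The security-group approach from Claymoore's option 3 and HeroPsycho's marking idea, carried through as an added example that is not code from this thread or from the Quest cmdlets: it uses the Microsoft ActiveDirectory and GroupPolicy modules instead. The group name 'Lockdown-Computers', the GPO name 'Lockdown - Allow log on locally', the OU 'OU=Workstations,DC=example,DC=com' and the marker text 'LOCKDOWN-DONE' written into each finished computer's Description are all assumptions; the example also assumes PowerShell 3.0 or later for member enumeration on arrays.

```powershell
# Added example: drive the "computers in a security group" option from the
# desk. Assumed names: group 'Lockdown-Computers', GPO
# 'Lockdown - Allow log on locally', OU 'OU=Workstations,DC=example,DC=com'.
# A finished PC is marked by writing 'LOCKDOWN-DONE' into the Description
# attribute of its computer object; the sync then adds marked PCs to the group.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$GroupName  = 'Lockdown-Computers'
$GpoName    = 'Lockdown - Allow log on locally'
$SearchBase = 'OU=Workstations,DC=example,DC=com'
$Marker     = 'LOCKDOWN-DONE'

function Set-LockdownMarker {
    # Record that a PC has been visited, so the next sync picks it up.
    param([Parameter(Mandatory)] [string] $ComputerName)
    Set-ADComputer -Identity $ComputerName -Description $Marker
}

function Get-CompletedComputer {
    # Every computer object under the OU that carries the marker.
    Get-ADComputer -SearchBase $SearchBase -Filter "Description -eq '$Marker'" -Properties Description
}

function Sync-LockdownGroup {
    # Add marked computers that are not yet members, and report members that
    # no longer carry the marker instead of removing them silently.
    param([switch] $WhatIf)
    $done     = @(Get-CompletedComputer)
    # Read the member attribute directly: Get-ADGroupMember stops at the ADWS
    # MaxGroupOrMemberEntries limit (5000 by default), which a 3000-PC estate
    # could approach once other groups are nested in.
    $memberDn = @((Get-ADGroup -Identity $GroupName -Properties member).member)
    $toAdd    = @($done | Where-Object { $memberDn -notcontains $_.DistinguishedName })
    if ($toAdd.Count -gt 0) {
        Add-ADGroupMember -Identity $GroupName -Members $toAdd -WhatIf:$WhatIf
    }
    $stale = @($memberDn | Where-Object { $done.DistinguishedName -notcontains $_ })
    [pscustomobject]@{ Added = $toAdd.Name; StaleMembers = $stale }
}

function Set-LockdownGpoFiltering {
    # Security-filter the GPO so only the computer group applies it.
    # Authenticated Users keeps Read without Apply: since MS16-072 the
    # computer must be able to read the GPO for it to be processed at all.
    Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel GpoRead -Replace
    Set-GPPermission -Name $GpoName -TargetName $GroupName -TargetType Group -PermissionLevel GpoApply
}

# Constructed usage (PC name made up for this example):
# Set-LockdownMarker -ComputerName 'PC0123'
# Sync-LockdownGroup -WhatIf
# Set-LockdownGpoFiltering
```

    Two things to check before relying on it: a computer's token, and so its group SIDs, is built at startup, so a PC added to the group applies the filtered GPO only after its next reboot; and a User Rights Assignment delivered by GPO replaces the local setting rather than merging with it, so the GPO's "Allow log on locally" list must include the "lockdown group" together with Administrators and any other accounts that still need to log on.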
  • wedge1988 Posts: 434 Member
    sprkymrk wrote: »
    I don't follow you. How would setting the User properties to only allow logon to a particular workstation stop them from accessing a web site? And if indeed it is a weird MS thing, simply add the Exchange server to the list.

    I'm not sure to be honest, but it happened to me, so that's how I know it does!

    Also, adding the Exchange server to the list would probably allow the user to log on to the Exchange server locally. I wouldn't advise that. If you lock them down in group policy then it doesn't override any other policies, as group policy is hierarchical and AD is absolute lol.

    Seriously though, try it if you don't believe me!
    ~ wedge1988 ~ IdioT Certified~
    MCSE:2003 ~ MCITP:EA ~ CCNP:R&S ~ CCNA:R&S ~ CCNA:Voice ~ Office 2000 MASTER ~ A+ ~ N+ ~ C&G:IT Diploma ~ Ofqual Entry Japanese
  • sprkymrk Posts: 4,884 Member
    wedge1988 wrote: »
    I'm not sure to be honest, but it happened to me, so that's how I know it does!

    Fair enough, although you're the first one I've heard that from. Perhaps something else in your environment combined with the "log on to" user attribute caused the issue?
    wedge1988 wrote: »
    Also, adding the Exchange server to the list would probably allow the user to log on to the Exchange server locally. I wouldn't advise that.

    The "log on to" does not GIVE them any special rights to any machines, they still need the normal access rights that are set in the security policy (Allow log on locally right).

    wedge1988 wrote: »
    Seriously though, try it if you don't believe me!

    I believe it happened to you. I don't believe it is normal behavior. I'm guessing it was a combination of things, but that's just a guess. I might do a quick test next week.
    All things are possible, only believe.