I need some help. I have 4 computers joined to a domain. Each computer must have 5 users, and those users have an OU, 5 users per OU. How can I assign those users to their workstations, so that they can log in only to that workstation and are not allowed to log in to other workstations?

Another thing is I want to set their logon hours to be from 7:45 AM to 8:15 AM. I don't know how to set it to that time, and is it possible to apply that setting to an OU?

only to that workstation they can log-in and they are not allowed to log-in to other workstation.

You can do this with a Group Policy Object, but I don't believe that it is worth the effort for 4 users. The easiest way to handle this is to access the user account(s) using the Active Directory Users and Computers console, find the users, access user properties, go to the Account tab. Access the Logon Hours and Log On To buttons...


Thanks for the answer, but I want to set the logon hours from 7:45 AM to 8:15 AM and I can't set the time I want in that Logon Hours option.

I don't think you get that level of detail.

Also, to restrict which users can sign into which machines, you use the PC's local security policy in:
Local Policies -> User Rights Assignment -> Allow log on locally.

You'll want to leave administrators on there, and remove Users and guests, and then add in the domain\username for those allowed.

I've done this for C-level execs in the past and it works well even if it is an administrative headache.

If you want a one-to-one mapping for the user to log onto only one specific computer, the group policy option will be challenging. The Allow Logon Locally right in the policy works well if you want to allow a group of users to log on to a group of machines. For the one-to-one, I'd suggest the user account option.

How can I assign that policy I made to a computer?

There are two types of policies that you can use: Local or Group Policy Objects. Local policies are managed and applied to the computer locally, while Group Policies are centrally managed and applied through Active Directory processes. You create Group Policies (GPOs) in Active Directory using the Group Policy Management Console (GPMC). GPOs are applied to Organizational Units (OUs). GPOs have two configuration sections (users and computers) and you use these containers to target settings to user and/or computer objects in the target OU.

In the case of assigning the right "Log On Locally", that's a computer configuration, so the settings you store in the GPO will be affecting computer objects in the target OU.

The issue that I see here with using a GPO is that you indicated in your request that you wanted to assign a user to log into a specific OU. A GPO will not give you this level of granularity without creating individual GPOs for each target OU. That is not feasible. This is why I recommended that you simply configure the user accounts, Account tab, Log On To button.

With regard to the logon hours, the granularity that you are looking for is not built in. You could create your own custom solution by running a login script (within a GPO) that checks the current time and logs out the user if the time is not within the allowed period.
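The two per-account settings discussed above (the Log On To list and Logon Hours) can also be set and checked from PowerShell. This is an added example, not part of the original thread; it assumes the ActiveDirectory module (RSAT) is installed, and the OU path, workstation name and UTC offset are placeholders. The logonHours attribute stores one bit per hour of the week in UTC, so the closest window it can express around 7:45 to 8:15 is 07:00 to 08:59.

```powershell
Import-Module ActiveDirectory

# Placeholders (assumptions): replace with your own values.
$SearchBase  = 'OU=Lab1Users,DC=example,DC=local'  # OU holding one workstation's users
$Workstation = 'WS01'                              # the only computer they may use
$UtcOffset   = 8                                   # local time = UTC+8; adjust for DST

function New-LogonHours {
    # Builds the 21-byte logonHours value: 168 bits, one per hour of the week,
    # starting Sunday 00:00 UTC, least significant bit first within each byte.
    param([int[]]$Days, [int[]]$LocalHours, [int]$UtcOffsetHours)
    $bytes = New-Object byte[] 21
    foreach ($day in $Days) {                      # 0 = Sunday ... 6 = Saturday
        foreach ($hour in $LocalHours) {
            # Shift the local hour to UTC and wrap around the ends of the week.
            $slot = ((($day * 24 + $hour - $UtcOffsetHours) % 168) + 168) % 168
            $i = $slot -shr 3
            $bytes[$i] = $bytes[$i] -bor (1 -shl ($slot -band 7))
        }
    }
    return ,$bytes
}

# Monday to Friday, local hours 07:00-08:59 (whole hours are the finest unit).
$hours = New-LogonHours -Days (1..5) -LocalHours (7, 8) -UtcOffsetHours $UtcOffset

# Set the "Log On To" list and the logon hours for every user in the OU.
Get-ADUser -Filter * -SearchBase $SearchBase | ForEach-Object {
    Set-ADUser -Identity $_ -LogonWorkstations $Workstation `
               -Replace @{ logonHours = [byte[]]$hours }
}

# Read the values back from each domain controller to confirm replication.
foreach ($dc in Get-ADDomainController -Filter *) {
    Get-ADUser -Filter * -SearchBase $SearchBase -Server $dc.HostName `
               -Properties LogonWorkstations, logonHours |
        Select-Object @{ n = 'DC'; e = { $dc.Name } }, SamAccountName, LogonWorkstations,
                      @{ n = 'LogonHours'; e = { [BitConverter]::ToString($_.logonHours) } }
}
```

Run it once per OU with that OU's workstation name; both values are stored on the user object, so they apply wherever the account tries to log on.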

Thanks. I tried the "Log On To" button and added only the one workstation for that user, and when I tried to log that user in to another workstation (which I didn't add to the Log On To button), I can still log in. Why is that? I searched everything already and tried anything I can try, but it still won't work. I just want that user from an OU to be allowed to log in to that workstation, and if they try to log in to another workstation it won't be allowed, but I can't do it.

When I tried to log that user in to another workstation (which I didn't add to the Log On To button), I can still log in. Why is that?

I assure you that is the procedure. Is it possible that you have multiple domain controllers and you did not allow enough time for replication to occur?

If you want to try the local policy option, you can at least test it by modifying the local computer policy.

Click Start --> Run --> type GPEDIT.msc [hit enter]. When the console opens...navigate to

Computer Configuration-->Windows Settings-->Security Settings-->Local Policies-->User Rights Assignment

Look for the right.. "Allow Log On Locally".

If you modify this setting, it will apply to the local computer. Be careful not to remove any accounts that you do not want to allow to log on. You would most likely want to remove the "Users" group from this list because that will include all domain users. You can click "Add User or Group", then add the domain user account that you want to allow. Since you removed the "Users" group from the list, only the accounts listed in the list will be able to log on locally. Take note of the other entries in the list. After you make your changes, you can restart your computer.

If you wanted to create a GPO, the process is similar except that you use GPMC to create the GPO and link it to an OU.

Thanks. One more question: how can I make that login script to set a specific time for my users?

How can I make that login script to set a specific time for my users?

That's beyond this thread because it will need further research as far as the type of script and logic within the script. I suspect that using VBScript would be the best option as it can be easily deployed within a GPO. In addition to the VBScript, you'll need to find or build a program that the script can run that will log off the user from the active console session. There are many examples online that you can find.
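A minimal version of the logon-script approach described above, written in PowerShell instead of VBScript. It is an added example, not code from the thread: it assumes the script is deployed as a user logon script in a GPO linked to the restricted users' OU, and it uses the built-in shutdown.exe /l to end the session.

```powershell
# Constructed example logon script: permit interactive logon only
# between 07:45 and 08:15 on the workstation's local clock.
$WindowStart = [TimeSpan]'07:45'
$WindowEnd   = [TimeSpan]'08:15'

function Test-InLogonWindow {
    # True when the time-of-day part of $Now falls inside [Start, End].
    param([datetime]$Now, [TimeSpan]$Start, [TimeSpan]$End)
    $t = $Now.TimeOfDay
    return ($t -ge $Start) -and ($t -le $End)
}

if (-not (Test-InLogonWindow -Now (Get-Date) -Start $WindowStart -End $WindowEnd)) {
    # Tell the user why the session is closing; the popup dismisses itself after 10 seconds.
    $shell = New-Object -ComObject WScript.Shell
    [void]$shell.Popup('Logon is only allowed between 7:45 AM and 8:15 AM.', 10,
                       'Logon hours', 48)

    # Log off the current interactive session.
    & "$env:SystemRoot\System32\shutdown.exe" /l
}
```

The check runs once, in the user's own context, and trusts the workstation clock, so it only narrows the hour-level Logon Hours setting on the account; the account setting remains the control that the domain controller enforces.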

Okay, thanks for your help.

Type this in Notepad and save it as a ".bat" file, then set it as a logon script under user properties -> profiles on a share. Replace the servername with the name of your server.

@echo off
rem Set this computer's clock from the server without prompting (replace servername)
net time \\servername /set /yes
