Active Directory Question

    Question

  • I have a group of users in Active Directory that I would like to allow to log on only to certain machines/workstations. Right now I am adding the computers to each user's Log On To list manually, but that is becoming time consuming. 

    My question is: is there a way to add a computer OU to a user's or group's Log On To list?

    Thanks,

    • Moved by nzpcmad1 Tuesday, April 25, 2017 7:49 PM From ADFS
    Thursday, April 20, 2017 2:29 PM

All replies

  • Hi

    You can use

    https://gallery.technet.microsoft.com/scriptcenter/145213a1-0e5f-41fd-8fe6-119f989c792f

    or these

    http://portal.sivarajan.com/2011/05/modify-log-on-to-userworkstations-user.html

    Regards

    Thursday, April 20, 2017 2:47 PM
  • Thank you, I'll just need to modify this for my environment, since all users in a group get these PCs, not individual users. Thanks. 
    Thursday, April 20, 2017 3:30 PM
  • Hi,
    You could use the “Allow log on locally” group policy setting; this policy setting determines which users can log on to the computer:
    Create an Organizational Unit for the relevant computers, move the machine accounts into this OU, and link a Group Policy Object that is configured with that policy setting.
    Please see details from: https://technet.microsoft.com/en-us/library/dn221980(v=ws.11).aspx
    Best regards, 
    Wendy

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Wednesday, April 26, 2017 6:26 AM
    Moderator
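    Once the GPO approach above is in place, the check a practitioner wants is whether the "Allow log on locally" right on a given workstation actually ended up holding only the intended principals. The following is an added example (not from this thread, and not Microsoft's or the poster's code) that exports the effective local security policy with secedit, pulls the SeInteractiveLogonRight line, and resolves the SIDs to account names. It runs on the workstation being verified and needs an elevated prompt for secedit; the temporary file path is an assumption.

```powershell
# Added example: report who effectively holds "Allow log on locally"
# (SeInteractiveLogonRight) on this machine, to verify a linked GPO applied.
function Get-AllowLogOnLocally {
    # secedit writes an INI-style export; path under %TEMP% is an assumption.
    $Export = Join-Path $env:TEMP ("secpol_{0}.inf" -f [guid]::NewGuid())

    # Export only the User Rights Assignment area of the effective policy.
    & secedit.exe /export /cfg $Export /areas USER_RIGHTS | Out-Null

    try {
        $Line = Get-Content -Path $Export | Where-Object { $_ -match '^SeInteractiveLogonRight\s*=' }
        if (-not $Line) { return @() }   # right not defined in the export

        # Value looks like: *S-1-5-32-544,*S-1-5-32-545  (SIDs prefixed with '*')
        $Value = ($Line -split '=', 2)[1].Trim()
        foreach ($Entry in ($Value -split ',')) {
            $Entry = $Entry.Trim()
            if ($Entry.StartsWith('*')) {
                $Sid = New-Object System.Security.Principal.SecurityIdentifier ($Entry.Substring(1))
                # Translate to DOMAIN\Name; fall back to the raw SID if it cannot be resolved.
                try { $Sid.Translate([System.Security.Principal.NTAccount]).Value }
                catch { $Sid.Value }
            }
            else {
                $Entry   # already a name
            }
        }
    }
    finally {
        Remove-Item -Path $Export -ErrorAction SilentlyContinue
    }
}

# Usage: list the principals allowed to log on locally on this workstation.
Get-AllowLogOnLocally
```

    If the output still lists BUILTIN\Users (S-1-5-32-545) after the GPO is linked, the policy has not applied to that machine yet (run gpupdate /force and check gpresult), or the GPO is linked to the wrong OU.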
  • Something similar to below should work:

    # Requires the Active Directory module (RSAT).
    Import-Module ActiveDirectory

    $User = Read-Host "Enter user DN or sAMAccountName"
    $OU = Read-Host "Enter DN of the Computer OU"
    
    # Retrieve computer pre-Windows 2000 names.
    $Computers = Get-ADComputer -SearchBase $OU -Filter * | Select sAMAccountName
    
    # Create comma delimited string of computer names.
    $UserWS = ""
    ForEach ($Computer In $Computers)
    {
        # Remove trailing "$" characters, to convert sAMAccountNames to NetBIOS names.
        $NetBIOS = ($Computer.sAMAccountName).Replace("$", "")
        If ($UserWS -eq "") {$UserWS = $NetBIOS}
        Else {$UserWS = "$UserWS,$NetBIOS"}
    }
    
    # Do not write an empty value if the OU contained no computers.
    If ($UserWS -eq "") {Throw "No computer accounts found under $OU"}
    
    # Assign computer NetBIOS names to the userWorkstations attribute of the user.
    Set-ADUser -Identity $User -Replace @{userWorkstations=$UserWS}

    Richard Mueller - MVP Enterprise Mobility (Identity and Access)

    Wednesday, April 26, 2017 2:12 PM
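    The script above handles one user at a time; the original poster needs the same restriction applied to every member of a group. The following is an added example (not from this thread, not Richard Mueller's code) that generalises it: it builds the workstation list once from the computers in an OU, checks it against the attribute's size limit, and writes it to each user in the group, skipping users that already have the correct value. The group name and OU distinguished name in the usage line are assumptions.

```powershell
# Added example: apply the "Log On To" (userWorkstations) restriction to every
# member of an AD group, using the computer accounts found under one OU.
Import-Module ActiveDirectory

function Set-GroupLogonWorkstations {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string] $GroupName,
        [Parameter(Mandatory)] [string] $ComputerOU
    )

    # userWorkstations is a comma-separated list of NetBIOS names; the schema's
    # upper range for the attribute is 1024 characters, so large OUs will not fit.
    $MaxLength = 1024

    # Build the list once: strip the trailing '$' from each computer sAMAccountName.
    $Names = Get-ADComputer -SearchBase $ComputerOU -SearchScope Subtree -Filter * |
        ForEach-Object { $_.sAMAccountName.TrimEnd('$') } |
        Sort-Object -Unique

    if (-not $Names) {
        throw "No computer accounts found under $ComputerOU; refusing to write an empty restriction."
    }

    $UserWS = $Names -join ','
    if ($UserWS.Length -gt $MaxLength) {
        throw "Workstation list is $($UserWS.Length) characters; userWorkstations allows $MaxLength. Split the OU or use the GPO approach instead."
    }

    # -Recursive flattens nested groups; keep only user objects (not computers or groups).
    $Members = Get-ADGroupMember -Identity $GroupName -Recursive |
        Where-Object { $_.objectClass -eq 'user' }

    foreach ($Member in $Members) {
        $Current = (Get-ADUser -Identity $Member.distinguishedName -Properties userWorkstations).userWorkstations
        if ($Current -eq $UserWS) { continue }   # already correct, avoid a needless write

        if ($PSCmdlet.ShouldProcess($Member.sAMAccountName, "Set userWorkstations to '$UserWS'")) {
            Set-ADUser -Identity $Member.distinguishedName -Replace @{ userWorkstations = $UserWS }
        }
    }
}

# Usage (names are assumptions): dry run with -WhatIf first, then run without it.
Set-GroupLogonWorkstations -GroupName 'Kiosk Users' `
    -ComputerOU 'OU=Kiosks,OU=Workstations,DC=example,DC=com' -WhatIf
```

    Two caveats worth knowing before relying on this: the userWorkstations restriction is evaluated by the domain controller only for interactive and network logons to domain-joined machines, so it is a complement to, not a replacement for, the GPO user-rights approach; and Get-ADGroupMember is subject to the Active Directory Web Services default limit of 5000 members per query, so very large groups need paging or a different enumeration method.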
  • Hi,

    Was your issue resolved? If you resolved it using our solution, please "mark it as answer" to help other community members find the helpful reply quickly.

    If you resolve it using your own solution, please share your experience and solution here. It will be very beneficial for other community members who have similar questions. If no, please reply and tell us the current situation in order to provide further help.
    Best Regards,

    Wendy


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Saturday, April 29, 2017 10:51 AM
    Moderator