By default, when you create a new user in Active Directory, the account is automatically added to the Domain Users group. In turn, the Domain Users group is added by default to the local Users group on a Windows workstation when it is joined to the AD domain. This means that any domain user can log on to any computer in the domain network. In this article we’ll consider the main ways to restrict user logon to domain computers.
Restricting User Account to Logon Only to the Specific AD Computers
In small domains you can restrict user logon to domain computers in the properties of each user account in Active Directory. For example, you want to allow a specific user to log on only to his own computers. To do it:
- Run the ADUC snap-in (Active Directory Users and Computers) by running the dsa.msc command;
- Find the user account you want to restrict and open its properties;
- Go to the Account tab and click the “Log On To” button.
- As you can see, the user is allowed to log on to all domain computers (The user can log on to: All computers). To allow the user to access only specific computers, select the The following computers option and add the names of the computers the user can log on to;
Note. You must specify the full NetBIOS or DNS computer name (don’t use wildcards). The value is not case-sensitive.
- You can add up to 64 computers to this list. If you try to add a 65th computer, the following error message appears:
This property is limited to 64 values. You must remove some of the existing values before you can add new ones;
- Save the changes. Now the user is restricted to logging on only to the specified AD computers.
How to Modify the LogonWorkstations Attribute in PowerShell?
It is quite tiresome to restrict user logon to domain computers manually. You can automate this task with PowerShell. The list of computers a user is allowed to log on to is stored in the AD user attribute “LogonWorkstations”. For example, our task is to allow a specific user to log on only to the computers whose names are listed in the text file computers.csv.
The script may look like this:
$ADusername = 'asmith'
# Read the computer names from the CSV; the "Computer" column name is an assumption
$complist = Import-Csv -Path "C:\PS\computers.csv" | ForEach-Object { $_.Computer }
# The attribute is stored as a single comma-separated string
$comparray = $complist -join ","
Set-ADUser -Identity $ADusername -LogonWorkstations $comparray
Using the Get-ADUser cmdlet, you can display the list of computers a user is allowed to log on to:
Get-ADUser $ADusername -Properties LogonWorkstations | Format-List Name, LogonWorkstations
Or you can view the list of computers in the ADUC console.
To add a new computer name to the list, use these commands:
# Read the current comma-separated list, append the new host and write it back
$Wks = (Get-ADUser asmith -Properties LogonWorkstations).LogonWorkstations
$Wks += ",man-b2-wks2"
Set-ADUser asmith -LogonWorkstations $Wks
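The two snippets above append blindly, so re-running them adds the same host twice and nothing stops the list from growing past the 64-value limit mentioned earlier. The following helper is an added example (not from the original article) that merges names case-insensitively, rejects wildcards, and refuses to exceed the limit before calling Set-ADUser. It assumes the ActiveDirectory module is available; the user name, computer names and the “Computer” CSV column are constructed for illustration.

```powershell
# Added example: maintain a user's LogonWorkstations attribute safely.
# Assumes the ActiveDirectory module; sample names and the CSV column are constructed.
Import-Module ActiveDirectory

function Get-LogonWorkstationList {
    param([Parameter(Mandatory)][string]$Identity)
    $raw = (Get-ADUser -Identity $Identity -Properties LogonWorkstations).LogonWorkstations
    if ([string]::IsNullOrWhiteSpace($raw)) { return @() }
    # The attribute is one comma-separated string; split it into clean names
    return @($raw -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
}

function Add-LogonWorkstation {
    param(
        [Parameter(Mandatory)][string]$Identity,
        [Parameter(Mandatory)][string[]]$ComputerName
    )
    $current = Get-LogonWorkstationList -Identity $Identity
    $merged = [System.Collections.Generic.List[string]]::new()
    foreach ($name in ($current + $ComputerName)) {
        $name = $name.Trim()
        # The attribute does not accept wildcards, so reject them up front
        if ($name -match '[\*\?]') { throw "Wildcards are not allowed in LogonWorkstations: $name" }
        # Comparison is case-insensitive, matching how AD treats the value
        if ($name -and -not ($merged -contains $name)) { $merged.Add($name) }
    }
    # AD refuses more than 64 values in this attribute
    if ($merged.Count -gt 64) {
        throw "LogonWorkstations would hold $($merged.Count) entries; the limit is 64"
    }
    Set-ADUser -Identity $Identity -LogonWorkstations ($merged -join ',')
    return $merged
}

function Clear-LogonWorkstationRestriction {
    param([Parameter(Mandatory)][string]$Identity)
    # Removing the attribute allows the user to log on to all domain computers again
    Set-ADUser -Identity $Identity -Clear LogonWorkstations
}

# Usage (constructed sample): names come from a CSV with a "Computer" column
$names = Import-Csv -Path "C:\PS\computers.csv" | ForEach-Object { $_.Computer }
Add-LogonWorkstation -Identity 'asmith' -ComputerName $names
```

Because the function re-reads the attribute each time, it can be scheduled or re-run after a CSV change without producing duplicates; the 64-entry check throws before any write, so a failed run leaves the account unchanged.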
How to Restrict Users to Logon to the AD Workstation Using GPO?
In large domains it is impractical to use the LogonWorkstations user attribute to restrict user access to computers because of its limitations and lack of flexibility. Usually, group policies are used to prevent users from logging on to certain computers.
You can restrict the membership of the local Users group using the Restricted Groups policy (Windows Settings -> Security Settings), but we’ll consider another option.
There are two group policies located in the GPO section Computer Configuration -> Policies -> Security Settings -> Local Policies -> User Rights Assignment:
- Deny log on locally – allows you to restrict local logon to a workstation for specific users or groups;
- Allow log on locally – contains the list of users who are allowed to log on to a computer locally.
For example, to prevent users of a particular group from logging on to computers in a certain Active Directory OU, you can create a separate user group, add it to the Deny log on locally policy and link the policy to the OU containing the computers you want to restrict logon to.
In large AD domains you can use a combination of these policies. For example, you want to prevent users from logging on to computers in other OUs. To do it, create a security group in each OU and add all the OU’s users to it:
$rootOU = "OU=Users,OU=UK,DC=corp,DC=woshub,DC=com"
$group = "corplon-users"
# Add every user account found under the OU to the group
Get-ADUser -SearchBase $rootOU -Filter * | ForEach-Object { Add-ADGroupMember -Identity $group -Members $_ }
Then enable the “Allow log on locally” policy, add this group to it (together with the relevant administrator groups: Domain Admins, workstation admins, etc.) and link the policy to the OU containing the computers. Thus, only the users of that OU will be allowed to log on to these computers.
If a user from a different OU (who is not allowed to log on locally) tries to log on to such a computer, a window with the following message appears:
You cannot log on because the logon method you are using is not allowed on this computer. Please see your network administrator for more information.
The sign-in method you’re trying to use isn’t allowed. For more info, contact your network administrator.
Here are some important notes regarding logon restriction policies:
- Don’t use these policies to restrict access to servers or AD domain controllers;
- Don’t enable these policies through the built-in GPOs: Default Domain Policy or Default Domain Controllers Policy;
- A restricting policy has higher precedence: if an account is listed in both, Deny log on locally wins over Allow log on locally;
- Don’t forget about service accounts, which may be used to run services on computers (servers);
- Don’t link the policies that restrict local logon to the entire domain. Link them only to the specific OUs.
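The per-OU group above is usually needed for several OUs, and once the GPO is linked an administrator wants to confirm on a workstation which principals actually hold the two rights. The script below is an added example (not part of the original article) that generalizes the one-OU snippet into a re-runnable function for any number of OUs and then reads the effective “Allow log on locally” / “Deny log on locally” assignments from a workstation with secedit. It assumes the ActiveDirectory module on the admin host and an elevated prompt on the workstation; the OU distinguished names, the group-container OU and the group names are constructed for illustration.

```powershell
# Added example: one security group per OU, plus a check of the effective
# interactive-logon rights on a workstation. OU paths and group names are constructed.
Import-Module ActiveDirectory

function Sync-OUUserGroup {
    param(
        [Parameter(Mandatory)][string]$SearchBase,   # OU whose users go into the group
        [Parameter(Mandatory)][string]$GroupName,    # group referenced in the GPO
        [Parameter(Mandatory)][string]$GroupPath     # OU where the group is created (assumed)
    )
    if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
        New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security -Path $GroupPath
    }
    $users   = Get-ADUser -SearchBase $SearchBase -SearchScope Subtree -Filter *
    $members = Get-ADGroupMember -Identity $GroupName | Select-Object -ExpandProperty DistinguishedName
    # Only add accounts that are not yet members, so the function is safe to re-run
    $missing = @($users | Where-Object { $members -notcontains $_.DistinguishedName })
    if ($missing.Count -gt 0) { Add-ADGroupMember -Identity $GroupName -Members $missing }
    return $missing.Count
}

function Get-LocalLogonRights {
    # Export the effective local security policy (User Rights area only); needs elevation
    $inf = Join-Path $env:TEMP 'userrights.inf'
    secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
    $lines  = Get-Content -Path $inf
    $rights = @{}
    foreach ($right in 'SeInteractiveLogonRight', 'SeDenyInteractiveLogonRight') {
        $line = $lines | Where-Object { $_ -like "$right = *" } | Select-Object -First 1
        $entries = if ($line) { (($line -split '=', 2)[1]).Trim() -split ',' } else { @() }
        # secedit writes SIDs prefixed with '*'; translate them to account names when possible
        $rights[$right] = foreach ($e in $entries) {
            $sid = $e.Trim().TrimStart('*')
            try { ([System.Security.Principal.SecurityIdentifier]$sid).Translate([System.Security.Principal.NTAccount]).Value }
            catch { $sid }
        }
    }
    Remove-Item -Path $inf -ErrorAction SilentlyContinue
    return $rights
}

# Usage on the admin host: one group per OU (constructed sample mapping)
$ouGroups = @{
    'OU=Users,OU=UK,DC=corp,DC=woshub,DC=com' = 'corplon-users'
    'OU=Users,OU=DE,DC=corp,DC=woshub,DC=com' = 'corpber-users'
}
foreach ($ou in $ouGroups.Keys) {
    $added = Sync-OUUserGroup -SearchBase $ou -GroupName $ouGroups[$ou] -GroupPath 'OU=Groups,DC=corp,DC=woshub,DC=com'
    "{0}: {1} new member(s)" -f $ouGroups[$ou], $added
}

# Usage on a workstation after gpupdate /force: confirm who holds each right
Get-LocalLogonRights
```

SeInteractiveLogonRight corresponds to “Allow log on locally” and SeDenyInteractiveLogonRight to “Deny log on locally”; if the workstation’s own administrators group is missing from the first list after the policy applies, local administration of that machine is also blocked, which is exactly the mistake the notes below warn about.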