Windows Server 2019 AD User and Group issue

PerserPolis-1732 1,266 Reputation points
2022-05-09T12:12:41.487+00:00

Hi,

I have created an AD user, and that AD user should be allowed to access only a specific computer or machine. I know I can create an OU, put the client computer there and create a GPO.
But I have 100 users and 100 client computers, and I cannot create an OU for each user or each client computer. Is there another way?

And I know I can do that with Computer Management on the local machine, but it is not my favorite way.

Regards


Accepted answer
  1. Gary Reynolds 9,376 Reputation points
    2022-05-13T11:13:52.557+00:00

    Hi,

    You haven't provided any details on what you mean by access the computer: is this admin or RDP access?

    One possible option:

    You can use GPO GPP to allocate a delegation group to either the Administrators or the Remote Desktop Users group on the computer to match the access requirements. Then you can add the user to the delegation group to provide access. To simplify the GPO management and remove the requirement to create a GPO for each delegation group, you can set the group to be assigned in GPP using the environment variables %computername%-admin or %computername%-rdp; this way you can have a single policy setting for all the computers.

    Gary.

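The GPP pattern above needs one delegation group per computer to already exist in AD before the preference item applies on that machine. The following PowerShell is an added example, not code from the thread or from any of the posters; it bulk-creates the `<computer>-admin` and `<computer>-rdp` groups and shows the one-line membership change that grants a user access. The domain name CONTOSO, the workstation OU and the group OU are placeholders.

```powershell
# Added example (not from the Q&A thread): bulk-create the per-computer
# delegation groups that the single GPP item resolves to.
# Assumptions (placeholders): domain CONTOSO, workstations under
# OU=Workstations,DC=contoso,DC=com, groups under
# OU=DelegationGroups,DC=contoso,DC=com.
#Requires -Modules ActiveDirectory
Import-Module ActiveDirectory

function New-ComputerDelegationGroups {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$ComputerSearchBase = 'OU=Workstations,DC=contoso,DC=com',     # assumed
        [string]$GroupOU            = 'OU=DelegationGroups,DC=contoso,DC=com', # assumed
        [string[]]$Suffixes         = @('admin', 'rdp')
    )

    $created = @()
    $computers = Get-ADComputer -Filter * -SearchBase $ComputerSearchBase
    foreach ($computer in $computers) {
        foreach ($suffix in $Suffixes) {
            # The name must match what the GPP member entry expands to:
            # CONTOSO\%ComputerName%-admin  ->  CONTOSO\PC01-admin
            $name = '{0}-{1}' -f $computer.Name, $suffix
            if (Get-ADGroup -Filter "sAMAccountName -eq '$name'") {
                continue   # already exists, so re-running the script is safe
            }
            if ($PSCmdlet.ShouldProcess($name, 'Create delegation group')) {
                New-ADGroup -Name $name -SamAccountName $name `
                    -GroupScope DomainLocal -GroupCategory Security -Path $GroupOU `
                    -Description ('Local {0} access on {1}, applied via GPP' -f $suffix, $computer.Name)
                $created += $name
            }
        }
    }
    return $created
}

function Grant-ComputerAccess {
    param(
        [Parameter(Mandatory)][string]$User,
        [Parameter(Mandatory)][string]$ComputerName,
        [ValidateSet('admin', 'rdp')][string]$Level = 'rdp'
    )
    # Membership in the per-computer group is the only thing that grants
    # access; the GPP item itself is identical for every machine.
    Add-ADGroupMember -Identity ('{0}-{1}' -f $ComputerName, $Level) -Members $User
}

# Usage against the assumed lab domain:
# New-ComputerDelegationGroups -WhatIf                       # preview only
# New-ComputerDelegationGroups                               # creates PC01-admin, PC01-rdp, ...
# Grant-ComputerAccess -User 'jdoe' -ComputerName 'PC01' -Level 'admin'
```

The matching GPP side is a single item under Computer Configuration > Preferences > Control Panel Settings > Local Users and Groups: one entry for the built-in Administrators group with member `CONTOSO\%ComputerName%-admin` and one for Remote Desktop Users with `CONTOSO\%ComputerName%-rdp`. Creating the groups first matters, because a preference item whose member cannot be resolved is logged as an error on that client rather than silently skipped. Domain-local scope is used so the group can hold users from trusted domains if needed; global scope works equally well in a single-domain forest.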

3 additional answers

  1. Limitless Technology 39,296 Reputation points
    2022-05-11T07:37:04.247+00:00

    Hi PerserPolis-1732,

    The best way to achieve this is to use the Log On To account policy in the user’s account in Active Directory (AD).

    Open the user’s account Properties in the Microsoft Management Console (MMC) Active Directory Users and Computers snap-in.
    Select the Account tab and click Log On To.
    Then, click Logon Workstations, select The following computers, enter the name of the workstation you want to restrict the user to, and click Add.

    That should be all you need to do to allow the user access to one specific PC. If you want to allow the user to access more than one PC, or multiple users access to a specific PC, you will need to create an OU.


    --If the reply is helpful, please Upvote and Accept as answer--


  2. PerserPolis-1732 1,266 Reputation points
    2022-05-11T09:38:22.277+00:00

    Hi,

    I know that, but it is not what I want. I cannot create 100 OUs or groups. Is there any way to do that with a PowerShell script, or with OUs, or with

    %computername%-groupname

    I have a PowerShell script that can add the domain user to the local admin group on the client machine, but I can only run that script for one client machine at a time. That means I have to run that script 100 times.


  3. Newbie Jones 1,301 Reputation points
    2022-05-11T12:54:18.047+00:00

    You've posted a few queries related to the same topic, but I'm still not sure what you are trying to achieve.

    At a guess, it sounds like you want certain users to have local admin rights to their machine, but only on that machine.

    If this is a correct assumption, one method for this could be to create a domain group and add that to the local admin group via GPO, on all computers.

    Add the users into this group, which means they have admin rights to all machines.

    Then further restrict their access to specific machines via "Log On To". They technically have admin rights to all machines, but can only log into said machine.

    This last bit can be done with PowerShell using the LogonWorkstations attribute via Set-ADUser as an addition to your user setup script if you have one.

    You could add some error handling that only adds the group if the LogonWorkstations attribute is not NULL.

    As a side question. Why do they need admin rights? Sort of breaks the least privilege rule.

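The Log On To restriction from the earlier answer and the Set-ADUser / non-NULL check described in this one can be done in one pass. The following PowerShell is an added example written for this page, not code from any of the posters; the CSV mapping is constructed sample data, and the group name Workstation-LocalAdmins and the user and computer names are placeholders.

```powershell
# Added example (not from the thread): apply the "Log On To" restriction in
# bulk, then add the user to the shared domain group only once the
# restriction is verified to be in place. All names below are placeholders.
#Requires -Modules ActiveDirectory
Import-Module ActiveDirectory

# Constructed mapping: one row per user, workstations separated by ';'.
# bjones deliberately has no workstation to exercise the refusal path.
$mappingCsv = @'
User,Computers
jdoe,PC01
asmith,PC02;PC03
bjones,
'@

function Set-UserWorkstationRestriction {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$User,
        [Parameter(Mandatory)][AllowEmptyCollection()][AllowEmptyString()][string[]]$Computers,
        [string]$AdminGroup = 'Workstation-LocalAdmins'   # assumed: the group the GPO puts in local Administrators
    )
    # LogonWorkstations is stored as a comma-separated list of NetBIOS names.
    $names = $Computers | Where-Object { $_ } | ForEach-Object { $_.Trim().ToUpper() } | Select-Object -Unique
    if (-not $names) {
        # No restriction supplied: refuse to grant admin rights instead of
        # granting them on every machine the group reaches.
        Write-Warning "$User has no workstations listed; not adding to $AdminGroup"
        return [pscustomobject]@{ User = $User; LogonWorkstations = $null; AddedToGroup = $false }
    }
    $list = $names -join ','
    if ($PSCmdlet.ShouldProcess($User, "Restrict logon to $list and add to $AdminGroup")) {
        Set-ADUser -Identity $User -LogonWorkstations $list
        # Read the attribute back before granting membership: this is the
        # "only add the group if LogonWorkstations is not NULL" check.
        $applied = (Get-ADUser -Identity $User -Properties LogonWorkstations).LogonWorkstations
        if ([string]::IsNullOrWhiteSpace($applied)) {
            throw "LogonWorkstations on $User is still empty; not granting admin rights"
        }
        Add-ADGroupMember -Identity $AdminGroup -Members $User
    }
    return [pscustomobject]@{ User = $User; LogonWorkstations = $list; AddedToGroup = $true }
}

$results = $mappingCsv | ConvertFrom-Csv | ForEach-Object {
    Set-UserWorkstationRestriction -User $_.User -Computers ($_.Computers -split ';')
}
$results | Format-Table -AutoSize

# To lift a restriction later (the attribute's LDAP name is userWorkstations):
# Set-ADUser -Identity jdoe -Clear userWorkstations
```

Run it with `-WhatIf` first to see which users would be restricted and added. The ordering is deliberate: the restriction is written and read back before the group membership is granted, so a failed Set-ADUser never leaves an account with admin rights on every machine the GPO touches.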