0 Votes
PerserPolis-1732 asked GaryReynolds answered

Windows Server 2019 AD User and Group issue

Hi,

I have created an AD user, and that AD user should be allowed to access a specific computer or machine. I know I can create an OU, put the client computer there, and create a GPO.
But I have 100 users and 100 client computers, and I cannot create an OU for each user or each client computer. Is there another way?

And I know I can do that with Computer Management on the local machine, but it is not my favourite way.

Regards

Tags: windows-server, windows-server-2016, windows-group-policy
0 Votes
GaryReynolds answered

Hi,

You haven't provided any details on what you mean by access the computer, is this admins or RDP access?

One possible option:

You can use GPO GPP to allocate a delegation group to either Administrators or the Remote Desktop Users group on the computer to match the access requirements. Then you can add the user to the delegation group to provide access. To simplify the GPO management and remove the requirement to create a GPO for each delegation group, you can set the group to be assigned in GPP using the environment variable, i.e. %computername%-admin or %computername%-rdp; this way you can have a single policy setting for all the computers.

Gary.
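The GPP pattern above only works if a "COMPUTERNAME-admin" and "COMPUTERNAME-rdp" group actually exists in AD for every computer, and the asker later objects to creating 100 groups by hand. The following PowerShell is an added example (not code from this thread or from any of its posters) that pre-creates that pair of groups for every computer object under a workstation OU, so a single GPP Local Users and Groups item can reference DOMAIN\%ComputerName%-admin and DOMAIN\%ComputerName%-rdp. It assumes the RSAT ActiveDirectory module is installed, and the OU distinguished names, the group suffixes and the sample user/computer at the end are placeholders I made up.

```powershell
# Added example: create the per-computer delegation groups that a single GPP
# "Local Users and Groups" item (member name %ComputerName%-admin / -rdp) refers to.
# Assumes the RSAT ActiveDirectory module; OU paths below are placeholders.
Import-Module ActiveDirectory

$ComputerSearchBase = 'OU=Workstations,DC=example,DC=local'       # assumed placeholder
$GroupOU            = 'OU=Delegation Groups,DC=example,DC=local'  # assumed placeholder
$Suffixes           = @('admin', 'rdp')   # admin -> local Administrators, rdp -> Remote Desktop Users

function New-DelegationGroupsForComputer {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        [Parameter(Mandatory)] [string] $Path
    )
    foreach ($suffix in $Suffixes) {
        $name = "$ComputerName-$suffix"
        # Idempotent: skip groups that already exist so the script can be re-run
        # whenever new computers are joined.
        $existing = Get-ADGroup -Filter "Name -eq '$name'" -ErrorAction SilentlyContinue
        if ($null -eq $existing) {
            New-ADGroup -Name $name -SamAccountName $name `
                -GroupScope Global -GroupCategory Security -Path $Path `
                -Description "Local $suffix delegation for $ComputerName (consumed by GPP)"
            Write-Verbose "Created $name"
        }
    }
}

# One pass over every computer object under the workstation OU.
Get-ADComputer -Filter * -SearchBase $ComputerSearchBase |
    ForEach-Object { New-DelegationGroupsForComputer -ComputerName $_.Name -Path $GroupOU -Verbose }

# Granting one user admin rights on one machine is now a single membership change
# (constructed sample values) - no per-computer OU or GPO needed.
Add-ADGroupMember -Identity 'PC-042-admin' -Members 'jdoe'
```

Because each group is scoped to exactly one computer, auditing who is a local administrator where becomes a question you can answer from AD alone (Get-ADGroupMember over the *-admin groups), which is much easier to review than membership pushed out by 100 separate GPOs.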

0 Votes
LimitlessTechnology-2700 answered

Hi PerserPolis-1732,

The best way to achieve this is to use the Log On To account policy in the user’s account in Active Directory (AD).

Open the user’s account Properties in the Microsoft Management Console (MMC) Active Directory Users and Computers snap-in.
Select the Account tab and click Log On To.
Then, click Logon Workstations, select The following computers, enter the name of the workstation you want to restrict the user to, and click Add.

That should be all you need to do to allow the user access to one specific PC. If you want to allow the user to access more than one PC, or multiple users access to a specific PC, you will need to create an OU.




--If the reply is helpful, please Upvote and Accept as answer--

0 Votes
PerserPolis-1732 answered

Hi,

I know that, but it is not what I want, as I cannot create 100 OUs or groups. Is there any way to do that with a PowerShell script, or with OUs, or with

%computername%-groupname

I have a PowerShell script that can add the domain user to the local admin group on the client machine, but I can only run that script for one client machine at a time. That means I have to run that script 100 times.

0 Votes
NewbieJones-6218 answered NewbieJones-6218 edited

You've posted a few queries related to the same topic, but I'm still not sure what you are trying to achieve.

At a guess, it sounds like you want certain users to have local admin rights to their machine, but only to that machine.

If this is a correct assumption, one method for this could be to create a domain group and add that to the local admin group via GPO, on all computers.

Add the users into this group, which means they have admin rights to all machines.

Then further restrict their access to specific machines via "Log On To". They technically have admin rights to all machines, but can only log into said machine.

This last bit can be done with PowerShell using the LogonWorkstations attribute via Set-ADUser as an addition to your user setup script if you have one.

You could add some error handling that only adds the group if the LogonWorkstations attribute is not NULL.

As a side question. Why do they need admin rights? Sort of breaks the least privilege rule.
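The approach in this answer (one domain group pushed into local Administrators everywhere, each user fenced in with "Log On To"), the earlier answer's manual Log On To steps, and the asker's wish to do it once for 100 user/computer pairs instead of 100 script runs all come together in the following PowerShell. It is an added example, not code from this thread or from any poster. It assumes the RSAT ActiveDirectory module; the group name and the CSV rows are constructed placeholders, and the guard that refuses to add a user to the group until LogonWorkstations is confirmed non-empty is the error handling this answer suggests.

```powershell
# Added example: bulk "Log On To" restriction via Set-ADUser -LogonWorkstations,
# then membership in the one domain group a GPO places into local Administrators.
# Assumes the RSAT ActiveDirectory module; group name and CSV data are constructed.
Import-Module ActiveDirectory

$AdminGroup = 'WS-LocalAdmins'   # assumed: the group your GPO adds to local Administrators

# Constructed sample mapping. In practice: Import-Csv -Path .\user-computer.csv
$Assignments = @'
SamAccountName,Computers
jdoe,PC-001
asmith,PC-002;PC-003
'@ | ConvertFrom-Csv

function Set-RestrictedLocalAdmin {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]   $SamAccountName,
        [Parameter(Mandatory)] [string[]] $Computers,
        [Parameter(Mandatory)] [string]   $GroupName
    )
    # LogonWorkstations is a single comma-separated string of NetBIOS names.
    $list = ($Computers | ForEach-Object { $_.Trim() } | Where-Object { $_ }) -join ','
    if (-not $list) {
        throw "No computers supplied for $SamAccountName; refusing to grant admin rights without a restriction"
    }

    # Step 1: apply the restriction first, so the account is never an unrestricted member.
    Set-ADUser -Identity $SamAccountName -LogonWorkstations $list

    # Step 2: re-read the attribute from AD and only then grant membership. If Set-ADUser
    # failed or was replicated badly, the user simply does not get into the group.
    $user = Get-ADUser -Identity $SamAccountName -Properties LogonWorkstations
    if ([string]::IsNullOrEmpty($user.LogonWorkstations)) {
        throw "LogonWorkstations is still empty for $SamAccountName; not adding to $GroupName"
    }
    Add-ADGroupMember -Identity $GroupName -Members $user

    [pscustomobject]@{
        User              = $SamAccountName
        LogonWorkstations = $user.LogonWorkstations
        Group             = $GroupName
    }
}

# One run covers every row of the CSV instead of one script run per machine.
foreach ($row in $Assignments) {
    Set-RestrictedLocalAdmin -SamAccountName $row.SamAccountName `
        -Computers ($row.Computers -split ';') -GroupName $AdminGroup
}
```

Keep in mind what the answer itself points out: the group membership still makes these accounts administrators on every machine the GPO reaches, and only the Log On To restriction keeps them off the others, so reviewing the group's membership and each member's LogonWorkstations value together is what to audit, and a user with many computers in the list is a sign to revisit whether admin rights are needed at all.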
