One of my colleagues asked me recently whether it is possible to prevent a certain group of people from using certain PCs on our company network. If you have a domain set up, it is quite easy, provided your set-up is done well.
By "set-up is done well" I do not mean how well your server software has been installed or anything of the sort. I mean how well you have grouped your users in Active Directory. We created groups for each level of user in our organisation, so it was quite easy for me to block a particular group of people from using certain workstations.
In this case, I was asked to prevent the Electrical and Instrument guys from using the PCs allocated to the Mechanical Foremen, as the Electrical & Instrument guys have their own PCs to work from.
On the PC where I needed to block access, after logging in as an Administrator, I simply ran the Group Policy Editor by typing "GPEDIT.MSC" in the Run box and navigated to:
> Computer Configuration\
> Windows Settings\
> Security Settings\
> Local Policies\
> User Rights Assignment\
In "User Rights Assignment", open "Deny log on locally".
Use the "Add User or Group" button to add the group from the Active Directory listing.
Do ensure that the correct group is now displayed, as indicated in red in the screenshot below.
Adding the Electrical & Instrument group.
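Once the group has been added, it is worth confirming from the workstation itself that the right actually landed, rather than trusting the dialog. The script below is an added example and is not from the original post: it exports the local security database with secedit, pulls the SeDenyInteractiveLogonRight line (the internal name of "Deny log on locally"), resolves the stored SIDs back to names and checks that the group you expect is in the list. It assumes an elevated PowerShell session on the locked-down PC; the domain and group name are placeholders.

```powershell
# Added example, not from the original post. Run elevated on the workstation.
# Placeholder: replace with your own DOMAIN\group as it appears in the policy.
$DeniedGroup = 'CONTOSO\Electrical and Instrument'

function Get-DenyLogonLocally {
    # secedit exports the effective local security settings to an .inf file;
    # the user rights live in its [Privilege Rights] section.
    $cfg = Join-Path $env:TEMP 'secpol-export.inf'
    & secedit.exe /export /cfg $cfg /quiet | Out-Null
    if (-not (Test-Path $cfg)) { throw 'secedit export failed; is this an elevated prompt?' }

    $line = Get-Content $cfg | Where-Object { $_ -match '^SeDenyInteractiveLogonRight\s*=' }
    Remove-Item $cfg -Force

    if (-not $line) { return @() }   # right assigned to nobody: no deny in effect

    # Value is comma-separated; SIDs are written with a leading '*'
    $entries = ($line -split '=', 2)[1].Trim() -split ','
    foreach ($e in $entries) {
        $e = $e.Trim()
        if ($e.StartsWith('*')) {
            try {
                $sid = [System.Security.Principal.SecurityIdentifier]$e.Substring(1)
                $sid.Translate([System.Security.Principal.NTAccount]).Value
            } catch {
                $e   # unresolvable SID: deleted group, or no DC reachable right now
            }
        } else {
            $e
        }
    }
}

$denied = Get-DenyLogonLocally
"Accounts denied local logon on $($env:COMPUTERNAME):"
$denied | ForEach-Object { "  $_" }

if ($denied -contains $DeniedGroup) {
    "OK: '$DeniedGroup' is denied local logon."
} else {
    "WARNING: '$DeniedGroup' is NOT in Deny log on locally on this PC."
}
```

The same check is a quick way to spot the mistake described further down: if a broad principal such as Everyone or Users turns up in the list, the Administrator will be locked out too.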
This will prevent any Electrical & Instrument user from logging on to one of the Mechanical Foremen PCs. Two things about this right are worth knowing: a deny right always wins over the matching allow right ("Allow log on locally"), and it applies through nested group membership, so a user who is in the denied group only via some intermediate group is blocked as well. It also only covers interactive (console) logons; Remote Desktop sessions are governed by the separate "Deny log on through Remote Desktop Services" right. Something that is very important to remember is that you do not have what I like to call a "cross-pollution of group membership" for any particular user. By that I mean that a user's membership of a group should be as exclusive as possible: you do not want the same user being a member of every group in your Active Directory. That could cause a person to be blocked when you didn't mean to block him. So keep the membership simple and straightforward.
If you have an Admin Group used for people in the Admin Building and you have one user whose work is of such a nature that he needs access to Plant-related as well as Admin-related files, rather create a new group in Active Directory than simply make this user part of both the Plant Group and the Admin Group.
Later, if you block the Plant Group from certain hard-drive shares, this user might be blocked even though he actually needs access. The fact that he is part of the Admin Group means nothing, because he is also part of the Plant Group and is therefore blocked.
Similarly, be careful about adding the "Users" or "Everyone" groups to a deny setting on a resource. The Administrator is part of the "Users" and "Everyone" groups. Create your own sensible group structure and place your users accordingly.
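Before a deny is rolled out, the "cross-pollution" problem above can be found in Active Directory rather than discovered by a locked-out foreman. The script below is an added example, not part of the original post: it lists every user who is a member of the denied group, including through nested groups, and reports any of them who are also members of the group that is supposed to keep its PCs. It assumes the RSAT ActiveDirectory module and a reachable domain controller; the two group names are placeholders.

```powershell
# Added example, not from the original post. Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

# Placeholders: the group you put in "Deny log on locally" and the group that owns the PCs.
$DeniedGroup      = 'Electrical and Instrument'
$ShouldHaveAccess = 'Mechanical Foremen'

function Get-DenyOverlap {
    param(
        [string]$DeniedGroupName,
        [string]$AllowedGroupName
    )

    # LDAP_MATCHING_RULE_IN_CHAIN (OID 1.2.840.113556.1.4.1941) makes the DC walk nested
    # membership, so users who are only members via an intermediate group are returned too,
    # which is exactly how the deny right will treat them.
    $deniedDN = (Get-ADGroup -Identity $DeniedGroupName).DistinguishedName
    $deniedUsers = Get-ADUser -LDAPFilter "(memberOf:1.2.840.113556.1.4.1941:=$deniedDN)" |
                   Select-Object -ExpandProperty SamAccountName

    # Every user (again recursively) in the group that must keep access to the PCs
    Get-ADGroupMember -Identity $AllowedGroupName -Recursive |
        Where-Object { $_.objectClass -eq 'user' -and $deniedUsers -contains $_.SamAccountName }
}

$conflicts = Get-DenyOverlap -DeniedGroupName $DeniedGroup -AllowedGroupName $ShouldHaveAccess

if ($conflicts) {
    "These members of '$ShouldHaveAccess' are also in '$DeniedGroup' and will be locked out:"
    $conflicts | ForEach-Object { "  $($_.SamAccountName)" }
} else {
    "No overlap between '$ShouldHaveAccess' and '$DeniedGroup'; the deny is safe to apply."
}
```

Anyone this reports is a candidate for the dedicated group the text recommends, rather than a member of both.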