Certain computers in open areas such as a laboratory need to be locked down to only allow those users to logon that are authorized to use that computer. This is easily done with group policy.
Step 1: Create or select an organizational unit to which the policy will apply.
If you already have an organizational unit (OU) which contains the computers you wish to restrict, select it. otherwise, create an OU for the policy and move the computers that require restricted access into that OU. be sure to apply your other required group policy objects to the OU as well. To create an OU, open active directory users and computers right click on the domain, select new and then select Organizational unit name the OU and click OK
Step 2: Create a global security group to contain users.
You can apply your group policy to individual users but it is more readable if you have a group called allowed users for restricted lab and apply the policy to that. then you will get feedback when looking at users that they are a member of the lab and are allowed to logon to the computers. in active directory users and computers,
Step 3: Create the group policy object (GPO)
Open the Group Policy Management plug-in, right click on Group Policy Objects and select new, then. name the policy something like restricted lab allowed logons. or another appropriate name. I like to create lots of little policies that implement a few settings as opposed to one huge policy with far reaching settings because they are easier to implement and troubleshoot..
Step 4: Add your policies to the GPO
You are going to configure two Local Policies right click on your GPO and select edit expand computer configuration and Local policies click User Rights Assignment and double click Allow log on locally
Step 5: Add the group of allowed users
Once the properties for Allow log on locally are open, check define these policy settings and add allowed users for restricted lab you must also add the local administrators and also the domain admins groups.
Step 6: You must require CTRL+ALT+DEL for the policy to work
If you do not require the three finger salute to Microsoft, all log ons are allowed and you will get a notice that the Member of attribute is missing the polcy setting is in Security options and is called Do not require CTRL+ALT+DEL define the setting and disable it.
Step 7: Link the GPO to the OU and set the filtering
Now that you have your GPO built and applied to the group you created, it needs to be linked to the OU and apply the policy to your domain users. back in Group policy management, right click on the OU where you want the policy to apply and select link an existing GPO select the restricted lab allowed users policy from the list and click OK. in GPM you will see your policy under the OU and if you select the policy entry and select the scope tab you will see that the policy is linked to your OU but it is not enforced. right clickon the link and select enforced Then, under Security filtering, add domain users
Now you have your policy that enforces that only one group is allowed to log on locally to computers that are contained in the OU you created.add your allowed users to the security group you created and add the computers to the organizational unit. any user not in the group will be restrict3ed from logging on to the computer. This policy can be circumvented by local administrators by making someone who is not a member of the group a local administrator. and of course, domain admins have access. Be very careful where and to whom you apply this policy as one could theoretically make an entire domain inaccessible.
