Active Directory: how to restrict access to particular users on specific machines

This is a worked example showing how to create a privileged access policy that affects the machines within a particular organisational unit (OU) in Active Directory.

The CREATIVE directory has been built so that machines are placed in OUs relevant to their deployment. This example shows how I set up a policy that restricts who may log on to a group of computers, so that granting or removing access is nothing more than putting users into, or taking them out of, a group.
The computers affected by this policy can be moved in and out of the appropriate OU to change whether the policy applies to them.

The information in this document assumes you have read Active Directory: how to lock out certain logons on certain machines, a worked example of creating a lockout policy.


Who will be affected?


As with the lockout policy, create a domain local group close to the OU on which you will apply the policy (in this example, cas-accessonly). Its membership, not the policy itself, decides who may log on.

In this example, I want to restrict access to staff members and all students enrolled in Architecture papers in the year 2004. The groups shown in the screenshot describe this set.
At the time this was written it was not readily possible (or desirable) to restrict access to staff in Architecture alone.

Making policy


Using the Allow log on locally user right (Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment), I can restrict who is able to log on interactively at the console of a computer. This does not affect access to shared folders or printers over the network, which is governed by the separate Access this computer from the network right, nor Remote Desktop sessions, which are governed by Allow log on through Terminal Services. Note also that a matching Deny log on locally entry always wins over an Allow.

This particular policy replaces, rather than adds to, the setting on the Windows computer. On a default workstation the right is held by the local groups Administrators, Backup Operators, Power Users and Users and by the Guest account, which in practice lets any domain user log on. With the policy defined as in the screenshot, people have to be members of cas-accessonly or of Administrators to use the machine. Administrators must be listed explicitly: because the policy replaces the local list, leaving that group out locks administrators out of the console as well.
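The procedure above (group near the OU, GPO linked to the OU, Allow log on locally limited to that group plus Administrators) as an added PowerShell example; this is not from the original page, which used the 2004-era GPMC interface, but uses the ActiveDirectory and GroupPolicy RSAT modules of later Windows versions. The OU path, domain name, GPO name and member group names are assumptions. The GroupPolicy module has no cmdlet for User Rights Assignment, so that one setting is still made in GPMC; the script then verifies on a target machine who actually holds the right, including the Deny entry that overrides it.

```powershell
# Added example, not part of the original page. Builds the restriction with the
# ActiveDirectory and GroupPolicy modules (RSAT), then checks the result on a
# machine in the OU. All names below are assumptions for illustration.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$ou        = 'OU=Architecture Lab,OU=Workstations,DC=creative,DC=example'  # assumed OU holding the machines
$groupName = 'cas-accessonly'                                              # group named on the page
$gpoName   = 'Restrict interactive logon - Architecture Lab'               # assumed GPO name
$members   = @('cas-staff', 'arch-students-2004')                          # assumed staff and student groups

# 1. Domain local group close to the OU. Membership, not the GPO, decides who gets in.
if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
    New-ADGroup -Name $groupName -GroupScope DomainLocal -Path $ou `
        -Description 'Members may log on interactively to machines in this OU'
}
Add-ADGroupMember -Identity $groupName -Members $members

# 2. GPO linked to the OU. Moving a computer in or out of the OU changes whether it applies.
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $gpoName }
$linked = (Get-GPInheritance -Target $ou).GpoLinks | Where-Object { $_.DisplayName -eq $gpoName }
if (-not $linked) { New-GPLink -Name $gpoName -Target $ou -LinkEnabled Yes | Out-Null }

# No GroupPolicy cmdlet sets user rights. In GPMC, edit $gpoName and set
# Computer Configuration > Policies > Windows Settings > Security Settings >
# Local Policies > User Rights Assignment > Allow log on locally to exactly:
#   BUILTIN\Administrators  and  CREATIVE\cas-accessonly
# The defined list REPLACES the machine's local list (Administrators, Backup
# Operators, Power Users, Users, Guest), so Administrators must be listed.

# 3. Verification, run with admin rights on a machine in the OU after 'gpupdate /force'.
function Get-LogonRightHolders {
    # Exports the effective local security policy with secedit and resolves the
    # SIDs listed for one user right back to account names.
    # SeInteractiveLogonRight     = 'Allow log on locally'
    # SeDenyInteractiveLogonRight = 'Deny log on locally' (wins over Allow)
    param([string]$Right = 'SeInteractiveLogonRight')
    $cfg = Join-Path $env:TEMP 'secpol-export.inf'
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $line = Get-Content $cfg | Where-Object { $_ -like "$Right*" } | Select-Object -First 1
    Remove-Item $cfg -ErrorAction SilentlyContinue
    if (-not ($line -and $line -match "^$Right\s*=\s*(.+)$")) { return @() }  # right held by nobody
    $Matches[1].Split(',') | ForEach-Object {
        $entry = $_.Trim()
        if ($entry.StartsWith('*')) {
            # secedit writes principals as *S-1-5-...; translate to DOMAIN\name where possible
            $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.Substring(1))
            try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $sid.Value }
        } else { $entry }
    }
}

$expected = @('BUILTIN\Administrators', "CREATIVE\$groupName")   # assumed NetBIOS domain name
$allow    = @(Get-LogonRightHolders -Right 'SeInteractiveLogonRight')
$deny     = @(Get-LogonRightHolders -Right 'SeDenyInteractiveLogonRight')

$extra = $allow | Where-Object { $_ -notin $expected }
if ($extra)  { Write-Warning "Unexpected holders of Allow log on locally: $($extra -join ', ')" }
else         { Write-Host    "Allow log on locally is limited to: $($allow -join ', ')" }
if ($deny)   { Write-Warning "Deny log on locally overrides Allow for: $($deny -join ', ')" }
if ($allow -notcontains 'BUILTIN\Administrators') {
    Write-Warning 'Administrators are not listed: they cannot log on at the console either'
}
```

The verification step is the part worth keeping: `secedit /export` shows the right as the machine actually holds it after policy processing, so it catches a GPO that did not apply (machine outside the OU, link disabled, replication lag) as well as a Deny entry inherited from elsewhere.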

Created 26 March 2004 by Matiu Carr
Last modified: 26 March 2004
Contact: itadmin@creative.auckland.ac.nz