Deny AD-User Group to login on a certain AD-Computer Group

active-directory group-policy

I have (simplified) two AD Groups for Users:

bgs.ac.at\Students
bgs.ac.at\Teachers

I have (simplified) two AD Groups for Computers (like in two rooms)

bgs.ac.at\Room1
bgs.ac.at\Room2

I want students to only be able to log in to computers in Room1.

I set up a Group Policy ("denyStudents") to bgs.ac.at\Room2 and set

Computer Configuration > Policies > Security Settings > Local Policies > User Rights Assignment > Deny log on locally

At this point I am stuck…

How do I include bgs.ac.at\Students at this point?

Best Answer

It sounds like there's some confused terminology here between OU and group. An OU, or Organizational Unit, is basically where you apply group policy. A group is a bunch of users.

If you want to use the approach in your question, you'll need to create a group that contains the students and refer to that in your policy.

If you want to use Zoredache's approach (recommended), you'll need to create a group that contains the teachers and refer to that in a policy in Computer Configuration -> Preferences -> Control Panel Settings -> Local Users and Groups (replace Domain Users with the Teachers group).
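
A check for the first approach, as an added example that is not part of the original answer: run in an elevated session on a Room2 computer after the policy has refreshed, it exports the effective user rights and reports whether the Students group holds "Deny log on locally" (stored as `SeDenyInteractiveLogonRight`). The group name comes from the question; the temp file name is an arbitrary choice.

```powershell
# Added example: verify that "Deny log on locally" really contains the group.
# Run elevated on a Room2 computer after `gpupdate /force`.
$group = 'bgs.ac.at\Students'            # group name from the question
$right = 'SeDenyInteractiveLogonRight'   # constant behind "Deny log on locally"

# Resolve the group to its SID; the exported policy lists principals as *SID.
$sid = ([System.Security.Principal.NTAccount]$group).Translate(
    [System.Security.Principal.SecurityIdentifier]).Value

# Export only the user rights assignment that is in effect on this machine.
$cfg = Join-Path $env:TEMP 'user-rights.inf'   # arbitrary file name
secedit /export /areas USER_RIGHTS /cfg $cfg | Out-Null
if ($LASTEXITCODE -ne 0) { throw "secedit export failed (exit code $LASTEXITCODE)" }

try {
    # The relevant line has the form: SeDenyInteractiveLogonRight = *S-1-5-...,*S-1-5-...
    $line = Get-Content $cfg | Where-Object { $_ -match "^$right\s*=" }
    $entries = @()
    if ($line) {
        $entries = ($line -split '=', 2)[1].Split(',') |
            ForEach-Object { $_.Trim().TrimStart('*') } |
            Where-Object { $_ }
    }

    # Entries are normally SIDs; an account may also be listed by name.
    if ($entries -contains $sid -or $entries -contains $group) {
        Write-Output "OK: $group ($sid) is denied local logon on $env:COMPUTERNAME."
    } elseif ($entries.Count -eq 0) {
        Write-Warning "$right is empty here: the GPO is not applying to this computer."
    } else {
        Write-Warning "$right is set, but $group is not in it: $($entries -join ', ')"
    }
} finally {
    Remove-Item $cfg -ErrorAction SilentlyContinue
}
```

An empty result on a Room2 machine usually means the GPO is not reaching the computer object, which `gpresult /r /scope computer` will confirm.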
