How to restrict user log ins to only a specific set of computers

group-policy windows-server-2008-r2 windows-server-2012

I want to restrict user admin access with regard to their department.
I want to give access to users in Security Group A to computers in Security Group B, and I want to create similar access for 9 departments.

I want to restrict this with Group Policy so that if anyone adds users to the local admins, it would be wiped out on policy refresh.

I am setting up a new W2012 R2 environment and need help for the same.
Any help is appreciated.

Thanks,
Pasha

Best Answer

You will want to be very careful using this. Make sure to test it in your test OU.

There is a computer-side policy for local logins. Computer->Policies->Windows Settings->Security Settings->Local Policies->User Rights Assignment: Allow log on locally. You would want to add Security Group A to that and assign the GPO to an OU with the computers from Security Group B. You can either create an OU or put them in a group and use security filtering on the GPO.

You would also want to require Ctrl+Alt+Del for logon. That is under: Computer->Policies->Windows Settings->Security Settings->Local Policies->Security Options: Interactive logon: Do not require Ctrl+Alt+Del, set to Disabled.
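
One way to check the result on a test-OU computer after `gpupdate /force`, as an added example that is not part of the original answer: it exports the effective user rights with `secedit`, lists who holds "Allow log on locally" (`SeInteractiveLogonRight`), and reads the registry value behind the Ctrl+Alt+Del option. The group name `CONTOSO\SecurityGroupA` is a placeholder for your own Security Group A.

```powershell
# Added example: run elevated on a computer that receives the GPO.
# 'CONTOSO\SecurityGroupA' is a placeholder for your "Security Group A".
param([string]$ExpectedGroup = 'CONTOSO\SecurityGroupA')

# Export only the User Rights Assignment area of the effective local policy.
$cfg = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS /quiet
if ($LASTEXITCODE -ne 0) { throw 'secedit export failed (is the shell elevated?)' }

# The export has one line per right, e.g.
#   SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-21-...
$line = Get-Content $cfg |
    Where-Object { $_ -match '^SeInteractiveLogonRight\s*=' } |
    Select-Object -First 1
Remove-Item $cfg -Force
if (-not $line) { throw 'SeInteractiveLogonRight is not defined on this computer' }

# Entries are "*<SID>" or a plain account name; resolve SIDs where possible.
$holders = ($line -split '=', 2)[1].Split(',') | ForEach-Object {
    $entry = $_.Trim()
    if ($entry.StartsWith('*')) {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.Substring(1))
        try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = $null }   # SID no longer resolves (deleted account or group)
        New-Object psobject -Property @{ Name = $name; Sid = $sid.Value }
    } else {
        New-Object psobject -Property @{ Name = $entry; Sid = $null }
    }
}
$holders | Format-Table Name, Sid -AutoSize

if ($holders.Name -notcontains $ExpectedGroup) {
    Write-Warning "$ExpectedGroup does not hold 'Allow log on locally' here"
}
# S-1-5-32-544 is BUILTIN\Administrators; without it, admins cannot sign in at the console.
if ($holders.Sid -notcontains 'S-1-5-32-544') {
    Write-Warning "BUILTIN\Administrators is missing from 'Allow log on locally'"
}

# "Interactive logon: Do not require CTRL+ALT+DEL" = Disabled is stored as DisableCAD = 0.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$cad = (Get-ItemProperty -Path $key -Name DisableCAD -ErrorAction SilentlyContinue).DisableCAD
if ($cad -ne 0) { Write-Warning "Ctrl+Alt+Del is not enforced by policy (DisableCAD = '$cad')" }
```

Because "Allow log on locally" replaces the whole list once it is defined in a GPO, the Administrators check is the one to watch before linking the policy beyond the test OU.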
