Hi All, I have domain server - Windows 2003 server. We have a department which has about 20 peoples and 15 computers. By now, I setup each users's property for letting the users just logon these 15 computers. What I did is that I went to Active Directory Users and Computers > User properties > Account tag> Logon to > type computer name, I add all computers name by manually. Becasue the department alwas hire new employee, it is very hard for me to add all these 15 computers for new user every time. I would like find some way to manage the computers and the users for the department. My goals is that let the users use only these 20 computers in the department. They can not use other computers in our company, but other users in our company can use the department's computers. Thanks in advance, --qq

You may want to create a "Template". In the template account properties, specify the name of those 15 computers. Whenever you create a new account, you can just highlight that user and click on "copy". The new account will contain the names of the computer in the "logon to" tab. You wouldnt be able to use a GPO effectively in this situation since you want to restrict these users to 15 systems, but allow other users in the company to log on these computers. Visit: anITKB.com, an IT Knowledge Base.

Thank you so much for your reply. I also received a email as the following: "You may want to create a "Template". In the template account properties, specify the name of those 15 computers. Whenever you create a new account, you can just highlight that user and click on "copy". The new account will contain the names of the computer in the "logon to" tab. Otherwise, you can use a group policy object and apply it to an OU that contains these 15 computers. You would modify the Windows Settings-->Security Settings--> Local Policies-->User Rights and configure the "Allow Logon Locally". Add the users to a security group and then use this security group in the "Allow Logon Locally" user right." Now, I am confusing about GPO. Can I use GPO for resolving my problem? Thanks in advance.

I removed the GPO paragraph as just after I hit the submit button. I mis-read your posting. After reading it again, I realized that your requirement is to allow these users only to logon these 15 computers. The GPO suggestion would not work as I described. If you were to use a GPO solution, you would have to do the opposite which would be place these users in a group, and create a policy for ALL other computers and configure the policy to "Deny Logon Locally" to the group you created for the users. This approach is not practical, but technically possible. For your requirement, I would recommend the use of a template account. The only problem would be is if you add more computers in the future, you would have to go back and update the user objects. Visit: anITKB.com, an IT Knowledge Base.

Thank you so much for your explain. If I use the template account, in the future, if I add more computers to the department, I have to go to each user's account to add the computers, right? If I have to do it, it will be very hard work for me. Is there any way which I could use for resolve my problem? Can I 1) create a group for the computers of the department, 2) create a user groups, 3) setup users group Logto tab to the computer group? Thanks in advance.

You wouldn't have to do each one independantly. If the users are in the same OU, you can highlight all of the users at the same time and click on properties. Then you would click on the Account Tab, enable the "Computer Restrictions" check box, then click on " Log On To". This will allow you to change the value for multiple users at one time. Is there any way which I could use for resolve my problem? Can I 1) create a group for the computers of the department, 2) create a user groups, 3) setup users group Logto tab to the computer group? No, that will not work.Visit: anITKB.com, an IT Knowledge Base.

Thank you so much for your help. At least, I can use the template account to resolve my problem. Regarding GPO solution which you mentioned above, you said that "This approach is not practical, but technically possible." It means that it works, but most of Administrator do not use the approach, right? Thanks a lot.

That is correct. I (nor would the majority of admins) would not use that GPO approach for your specific situation. Always keep this in mind---"Complexity is the enemy of reliability."Visit: anITKB.com, an IT Knowledge Base.

I truly appreciate for your help. Your answer resolves my problem. Thanks again.