Limiting user logins
Hi,
I've a fairly standard SBS 2003 AD setup that has an extra OU for a set of lab-type PCs. Corporate machines sit in the SBS Computers OU, corporate users sit in the SBS Users OU, but I've also an account that is shared across the lab PCs and has limited access to some domain shares etc. Both the lab PCs and the lab account sit in the Lab OU.
This lab account also, indirectly though, can log in to non-lab-type PCs. Also there's a GPO that makes Domain Users part of Administrators, and the lab account is a member.
Now.. I can remove it from Domain Users, but that won't stop that account from being able to log in to any PC, just not as an admin..
So how do I restrict this shared user so it can only log in to a group of PCs in a specific OU?
There are >64 PCs, so I can't use the "Logon To" setting on the user account itself.
I know about the "Log on Locally" GPO setting, but if I apply that to the Lab OU then the lab account can log in to the lab PCs - but does it stop that lab account from logging in elsewhere? I don't think it does.
So I'm confused how to get to a scenario where:
- Normal users can log in to their corporate PCs, as admins
- The lab account can only log in to lab machines, as an admin.
February 21st, 2011 10:42am
1. Create a group 'Corporate Users', assign all corporate users to that group and edit the GPO to make them local admins. Note that this is a highly insecure configuration and I'd fire an administrator immediately because of that :)
2. Create a policy which assigns the 'Allow Logon Locally' user right to Corporate Users and Administrators for the SBS Computers OU. Make the lab account a member of a 'Lab Users' group and assign the 'Allow Logon Locally' user right to them and Administrators for the Lab PC OU.
3. Depending on requirements, you may also want to configure the 'Deny Access this Computer from the Network' user right for Lab Users on the SBS Computers OU. Do not assign this right for the DC computer; all users need access to the DC.

MCITP: Enterprise Administrator; MCT; Microsoft Security Trusted Advisor; CCNA
February 21st, 2011 11:41am
Hi,
Thanks for the reply there.
For 1) and 2), that's already been done, of a sort, but for some reason any user in the domain can log on to any PC, no matter the OU. I'm guessing there's a GPO somewhere set by SBS that's enabling that.
For now I've taken #3, created a "Deny Access" group and assigned the Deny policies in GPO to the corporate account, therefore disabling the lab account's access to corporate PCs... It's an Allow-then-Deny approach rather than a Deny-then-Allow, which isn't quite what I wanted but will do for now.
March 7th, 2011 7:24am
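The answer above works by assigning the "Allow log on locally" and "Deny access to this computer from the network" user rights per OU, and the follow-up post observes that every domain user can still log on everywhere, presumably because another GPO grants the right more broadly. The quickest way to settle that is to look at the rights that are actually in effect on one of the PCs. The script below is an added example, not code from the thread or from Microsoft; it exports the effective user-rights area of the local security policy with `secedit`, which is standard on Windows, and resolves the SIDs in the four logon rights the thread discusses. Run it elevated on a domain-joined machine. The internal constant names (SeInteractiveLogonRight, SeDenyInteractiveLogonRight, SeNetworkLogonRight, SeDenyNetworkLogonRight) are Windows' own names for those rights; the temporary file name is the script's own choice.

```powershell
# Added example: show which groups hold the logon-related user rights that are
# actually in effect on this machine after all GPOs have applied.
# Assumes an elevated session on a domain-joined Windows host (secedit needs admin).

$rightsOfInterest = @{
    'SeInteractiveLogonRight'     = 'Allow log on locally'
    'SeDenyInteractiveLogonRight' = 'Deny log on locally'
    'SeNetworkLogonRight'         = 'Access this computer from the network'
    'SeDenyNetworkLogonRight'     = 'Deny access to this computer from the network'
}

function Convert-SidToName {
    # Translate a SID string (e.g. S-1-5-32-544) to DOMAIN\Name; fall back to the SID
    # if it cannot be resolved (deleted account, unreachable DC).
    param([string]$Sid)
    try {
        $sidObj = New-Object System.Security.Principal.SecurityIdentifier($Sid)
        $sidObj.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        $Sid
    }
}

function Get-EffectiveLogonRights {
    # Export only the USER_RIGHTS area of the effective local security policy.
    $inf = Join-Path $env:TEMP 'effective-userrights.inf'   # temp file name chosen here
    secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null

    $lines = Get-Content -Path $inf
    Remove-Item -Path $inf -Force

    foreach ($line in $lines) {
        # Lines look like:  SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545
        if ($line -match '^\s*(Se\w+)\s*=\s*(.*)$' -and $rightsOfInterest.ContainsKey($matches[1])) {
            $constant = $matches[1]
            $principals = $matches[2] -split ',' | ForEach-Object {
                $p = $_.Trim()
                # secedit prefixes SIDs with '*'; plain names appear without it.
                if ($p.StartsWith('*')) { Convert-SidToName $p.Substring(1) } else { $p }
            }
            [pscustomobject]@{
                Right      = $rightsOfInterest[$constant]
                Constant   = $constant
                Principals = ($principals -join '; ')
            }
        }
    }
}

Get-EffectiveLogonRights | Sort-Object Right | Format-Table -AutoSize
```

If "Allow log on locally" on a corporate PC lists a group the lab account belongs to (Domain Users, or the Administrators group it is put into by the GPO from the first post), that explains why the lab account can still log on there regardless of the Lab OU policy, and `gpresult /scope computer /h report.html` on that PC will name the GPO that granted it. A Deny user right always wins over a matching Allow, which is why the Deny-group approach in the last post is effective even while the broader Allow remains in place.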