Restrict logon by subnet not computer name?
K12 Server 2008 R2 environment. Need to restrict student logons to the subnet of the computer. Students are logging in with IDs from other schools. Each school has its own subnet. Rather than list each possible computer as access for the login IDs, is it possible to restrict/allow logins by subnet instead?
April 7th, 2011 9:54am
How many domains do you have?
How many sites do you have?
You may check if it is possible to create a script which reads the IP address of the computer and compares it to the allowed subnets (each group of students has its own allowed subnets). If the IP address belongs to an allowed subnet then the user is allowed to log on. If not, a logoff / shutdown script will run.
I don't know if this is feasible because I have never done that before.
So, I suggest that you post in "The Official Scripting Guys Forum!":
http://social.technet.microsoft.com/Forums/en-US/ITCG/threads
This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
Microsoft Student Partner
Microsoft Certified Professional
Microsoft Certified Systems Administrator: Security
Microsoft Certified Systems Engineer: Security
Microsoft Certified Technology Specialist: Windows Server 2008 Active Directory, Configuration
Microsoft Certified Technology Specialist: Windows Server 2008 Network Infrastructure, Configuration
April 7th, 2011 10:03am
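The script idea in the reply above, written out as an added example (it is not code from this thread or from any of the posters). It is a PowerShell logon script for the Windows 7 / 2008 R2 era: it reads the workstation's IPv4 addresses, finds which restricted student group(s) the user belongs to, and logs the session off when no local address lies in that group's allowed subnets. The group names and subnets in the hashtable are constructed placeholders; staff or admin accounts that are in no listed group are left alone. It avoids the `-shl` operator because PowerShell 2.0 (what ships with 2008 R2) does not have it.

```powershell
# Added example, not code from the thread. Per-subnet logon enforcement as a user logon script.
# Policy: AD security group -> CIDR subnets its members may log on from (constructed placeholders).
$AllowedSubnets = @{
    'CONTOSO\Students-NorthHS' = @('10.10.0.0/16')                  # constructed
    'CONTOSO\Students-SouthHS' = @('10.20.0.0/16', '10.21.0.0/24')  # constructed
}

function ConvertTo-UInt32 {
    # Dotted-quad IPv4 -> unsigned 32-bit integer, without -shl (absent in PowerShell 2.0).
    param([string]$Ip)
    $b = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    return [uint32](([double]$b[0] * 16777216) + ([double]$b[1] * 65536) + ([double]$b[2] * 256) + [double]$b[3])
}

function Test-IPInSubnet {
    # True when $Ip falls inside the CIDR block $Cidr (e.g. 10.10.4.7 in 10.10.0.0/16).
    param([string]$Ip, [string]$Cidr)
    $network, $bits = $Cidr.Split('/')
    $mask = [uint32]([math]::Pow(2, 32) - [math]::Pow(2, 32 - [int]$bits))   # /16 -> 0xFFFF0000
    return ((ConvertTo-UInt32 $Ip) -band $mask) -eq ((ConvertTo-UInt32 $network) -band $mask)
}

function Get-LocalIPv4Addresses {
    # All IPv4 addresses on enabled adapters (WMI works on 2008 R2 / Windows 7 without extra modules).
    Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
        ForEach-Object { $_.IPAddress } |
        Where-Object { $_ -match '^\d{1,3}(\.\d{1,3}){3}$' }
}

function Get-CurrentUserGroups {
    # DOMAIN\Group names from the logon token; SIDs that cannot be translated are skipped.
    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $id.Groups | ForEach-Object {
        try { $_.Translate([System.Security.Principal.NTAccount]).Value } catch { }
    }
}

function Test-LogonAllowed {
    # True when the user is in no restricted group, or has a local address inside an allowed subnet.
    param([string[]]$UserGroups, [string[]]$LocalIps, [hashtable]$Policy)
    $applicable = $UserGroups | Where-Object { $Policy.ContainsKey($_) }
    if (-not $applicable) { return $true }       # unrestricted account (staff, admins)
    foreach ($group in $applicable) {
        foreach ($cidr in $Policy[$group]) {
            foreach ($ip in $LocalIps) {
                if (Test-IPInSubnet -Ip $ip -Cidr $cidr) { return $true }
            }
        }
    }
    return $false
}

# Entry point when deployed as a GPO user logon script.
$groups = @(Get-CurrentUserGroups)
$ips    = @(Get-LocalIPv4Addresses)
if (-not (Test-LogonAllowed -UserGroups $groups -LocalIps $ips -Policy $AllowedSubnets)) {
    msg.exe * /TIME:20 "This account may only be used from your own school's computers. Logging off."
    shutdown.exe /l /f
}
```

Deploy it under User Configuration > Policies > Windows Settings > Scripts (Logon/Logoff), where 2008 R2 GPOs accept PowerShell scripts directly. Two caveats worth knowing before relying on it: the script runs inside the user's own session after the session already exists, so a student can close the window or end the process, which makes this a notification and tidy-up control rather than a security boundary; and the real enforcement point Windows offers is the "Allow log on locally" user right, which LSA checks before any session is created. Either way, the domain controllers' security log is where you see cross-school logons independent of the script: Kerberos TGT requests (event 4768) carry the client address and interactive logons on the workstation (event 4624) carry the source network address, so a query for student accounts authenticating from another school's subnet works whether or not the script ran.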
Active directory sites could be configured with each subnet. Login could then be restricted with a GPO based upon the site membership of a student.
April 7th, 2011 10:16am
Sounds good. Each site has its own subnet. I'm just not seeing where to restrict a login by subnet within a GPO. Thanks
April 7th, 2011 10:48am
Sorry, I don't think I was very clear. I think this could be accomplished by creating Active Directory sites with each subnet/school: http://technet.microsoft.com/en-us/library/cc780426(WS.10).aspx. Then create and link a GPO to each site allowing log on locally rights to computers in the site for the particular users/group that should have access. I haven't done this before, but think it should work. Depending on your current setup and organization size this could be quite involved. Might look into scripting it as Mr. X suggested as maybe that's a better option.
http://technet.microsoft.com/en-us/library/cc782048(WS.10).aspx
April 7th, 2011 12:15pm
Hi MBland-GCSD,
Thanks for posting here.
Is this a single-domain or a forest Active Directory environment?
It is a little tough to implement this restriction based on the subnet, but you may take a look at the "Allow log on locally" and "Deny log on locally" policy entries of the computer Group Policy settings.
Allow log on locally
http://technet.microsoft.com/en-us/library/cc756809(WS.10).aspx
Deny log on locally
http://technet.microsoft.com/en-us/library/cc728210(WS.10).aspx
Another way you may take a look at is deploying an 802.1X solution for each subnet, so that the computer will not be allowed to access the network if the login account does not match the authorized account entries of the network policies.
802.1X Authenticated Wired Access
http://technet.microsoft.com/en-us/library/cc753354(WS.10).aspx
Thanks.
Tiger Li
TechNet Subscriber Support in forum
If you have any feedback on our support, please contact tngfb@microsoft.com
Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
April 8th, 2011 2:03am
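Both the sites-and-subnets reply and Tiger Li's pointer to "Allow log on locally" describe the same design: one AD site per school, each school's subnet registered under its site, and a site-linked GPO that grants the log-on-locally right only to that school's student group. The block below is an added example, not code from the thread or from Microsoft, covering the two steps the replies leave as words: registering subnet objects under existing sites (these live in the Configuration partition, so it needs Enterprise Admin rights on a domain controller), and, on a student PC after `gpupdate`, checking which site the machine resolved to and which principals currently hold SeInteractiveLogonRight. Site names and subnets are constructed placeholders.

```powershell
# Added example, not code from the thread. Subnet -> site registration plus two verification checks.
# CIDR -> existing AD site name (constructed placeholders; the sites must already exist).
$SchoolSubnets = @{
    '10.10.0.0/16' = 'NorthHS'   # constructed
    '10.20.0.0/16' = 'SouthHS'   # constructed
}

function Register-SchoolSubnet {
    # Creates CN=<cidr>,CN=Subnets,CN=Sites,CN=Configuration,... pointing at the site's DN.
    param([string]$Cidr, [string]$SiteName, [string]$Description = '')
    $configNc  = "$(([ADSI]'LDAP://RootDSE').configurationNamingContext)"
    $container = [ADSI]"LDAP://CN=Subnets,CN=Sites,$configNc"
    $siteDn    = "CN=$SiteName,CN=Sites,$configNc"
    # Idempotent: skip if a subnet object with this name exists ('/' needs no escaping in an LDAP filter).
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($container, "(&(objectClass=subnet)(cn=$Cidr))")
    if ($searcher.FindOne()) { Write-Host "subnet $Cidr already registered"; return }
    $subnet = $container.Children.Add("CN=$Cidr", 'subnet')
    $subnet.Properties['siteObject'].Value = $siteDn
    if ($Description) { $subnet.Properties['description'].Value = $Description }
    $subnet.CommitChanges()
    Write-Host "registered $Cidr -> site $SiteName"
}

function Get-ComputerSiteName {
    # The site this machine resolved itself into (same answer as `nltest /dsgetsite`).
    return [System.DirectoryServices.ActiveDirectory.ActiveDirectorySite]::GetComputerSite().Name
}

function Get-InteractiveLogonRightHolders {
    # Exports the effective user-rights assignment (elevated prompt needed) and returns the
    # accounts holding "Allow log on locally" (SeInteractiveLogonRight), SIDs translated where possible.
    $tmp = Join-Path $env:TEMP ("rights-{0}.inf" -f [guid]::NewGuid())
    secedit.exe /export /cfg $tmp /areas USER_RIGHTS | Out-Null
    $line = Get-Content $tmp -Encoding Unicode | Where-Object { $_ -match '^SeInteractiveLogonRight' }
    Remove-Item $tmp -ErrorAction SilentlyContinue
    if (-not $line) { return @() }
    $entries = ($line -split '=', 2)[1].Trim() -split ','
    return $entries | ForEach-Object {
        $raw = $_.Trim().TrimStart('*')
        try {
            (New-Object System.Security.Principal.SecurityIdentifier($raw)).Translate(
                [System.Security.Principal.NTAccount]).Value
        } catch { $raw }
    }
}

# Usage, step 1 (on a DC, as Enterprise Admin):
#   foreach ($cidr in $SchoolSubnets.Keys) { Register-SchoolSubnet -Cidr $cidr -SiteName $SchoolSubnets[$cidr] }
# Usage, step 2 (on a student PC, elevated, after the site-linked GPO has applied):
#   "Site: $(Get-ComputerSiteName)"
#   Get-InteractiveLogonRightHolders
```

The GPO setting itself lives at Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment > Allow log on locally. Three practical points when you fill it in: the setting replaces the default list rather than adding to it, so include Administrators (and any staff or helpdesk groups) or you lock those accounts out of that site's machines; a site-linked GPO applies to every computer whose address maps into the site, servers included, so scope it with security filtering or a WMI filter to the student workstations; and a student signing in from another school's PC is then refused before a session exists, which the workstation records as event 4625 with status 0xC000015B (the account has not been granted the requested logon type), a clean signal for the detection side of this.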
Hi MBland-GCSD,
Please feel free to let us know if the information was helpful to you.
Thanks,
Tiger Li
TechNet Subscriber Support in forum
If you have any feedback on our support, please contact tngfb@microsoft.com
Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
April 11th, 2011 7:06am