Restrict logon by subnet not computer name?
K12 Server 2008 R2 environment. Need to restrict student logons to the subnet of the computer. Students are logging in with IDs from other schools. Each school has its own subnet. Rather than list each possible computer as access for the login IDs, is it possible to restrict/allow logins by subnet instead?
April 7th, 2011 9:54am

How many domains do you have? How many sites do you have? You may check if it is possible to create a script which reads the IP address of the computer and compares it to the allowed subnets (each group of students has its own allowed subnets). If the IP address belongs to an allowed subnet then the user is allowed to log on. If not, a logoff / shutdown script will run. I don't know if this is feasible because I have never done that before. So, I suggest that you post in "The Official Scripting Guys Forum!": http://social.technet.microsoft.com/Forums/en-US/ITCG/threads

This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
Microsoft Student Partner
Microsoft Certified Professional
Microsoft Certified Systems Administrator: Security
Microsoft Certified Systems Engineer: Security
Microsoft Certified Technology Specialist: Windows Server 2008 Active Directory, Configuration
Microsoft Certified Technology Specialist: Windows Server 2008 Network Infrastructure, Configuration
April 7th, 2011 10:03am
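As an added illustration of the script Mr. X sketches above (this is not code from the thread or from Microsoft), the following user logon script reads the computer's IPv4 addresses, looks up the subnets allowed for the user's school group, and logs the user off on a mismatch. The group names, subnets and log path are constructed placeholders; it uses only PowerShell 2.0 constructs (no `-shl`, no Active Directory module) so it can run on Server 2008 R2 / Windows 7 clients. Because a logon script runs in the user's own context, treat it as a deterrent plus an audit trail rather than a hard control; the logon-right GPOs discussed later in the thread are the authoritative enforcement.

```powershell
# Added example, not from the thread: subnet check as a user logon script (PowerShell 2.0).

# Constructed mapping: AD group -> allowed subnets in CIDR form. Placeholder values.
$AllowedSubnets = @{
    'Students-SchoolA' = @('10.10.1.0/24', '10.10.2.0/24')
    'Students-SchoolB' = @('10.20.0.0/16')
}
# Assumed log location; a central share the user can append to is more useful for review.
$LogPath = "$env:TEMP\subnet-logon-check.log"

function ConvertTo-IPv4Number {
    # Dotted quad -> 32-bit value held in a [uint64] to avoid signed-int surprises in PS 2.0
    param([string]$IPv4)
    $b = [System.Net.IPAddress]::Parse($IPv4).GetAddressBytes()
    return [uint64]$b[0] * 16777216 + [uint64]$b[1] * 65536 + [uint64]$b[2] * 256 + [uint64]$b[3]
}

function Test-IPv4InSubnet {
    # $true if $IPv4 lies inside $Cidr (e.g. '10.10.1.0/24')
    param([string]$IPv4, [string]$Cidr)
    $parts  = $Cidr -split '/'
    $prefix = [int]$parts[1]
    # Mask with the top $prefix bits set; arithmetic is used because -shl needs PowerShell 3.0
    $mask = [uint64](4294967295 - ([Math]::Pow(2, 32 - $prefix) - 1))
    return ((ConvertTo-IPv4Number $IPv4) -band $mask) -eq ((ConvertTo-IPv4Number $parts[0]) -band $mask)
}

function Get-LocalIPv4Addresses {
    # WMI is available on PowerShell 2.0 without extra modules; APIPA addresses are ignored
    Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled = TRUE" |
        ForEach-Object { $_.IPAddress } |
        Where-Object { $_ -match '^\d{1,3}(\.\d{1,3}){3}$' -and $_ -notlike '169.254.*' }
}

function Get-CurrentUserGroups {
    # Group names ('DOMAIN\Group') resolved from the logon token; no RSAT needed on the client
    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    foreach ($sid in $id.Groups) {
        try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { }
    }
}

function Test-LogonAllowed {
    # $true if any local address lies in any subnet allowed for any of the user's mapped groups.
    # Fails closed: a user with no mapped group is refused, so link the script GPO only to
    # the student OUs rather than to the whole domain.
    param([string[]]$Addresses, [string[]]$Groups, [hashtable]$Policy)
    foreach ($g in $Groups) {
        $short = ($g -split '\\')[-1]          # strip the DOMAIN\ prefix
        if (-not $Policy.ContainsKey($short)) { continue }
        foreach ($cidr in $Policy[$short]) {
            foreach ($ip in $Addresses) {
                if (Test-IPv4InSubnet $ip $cidr) { return $true }
            }
        }
    }
    return $false
}

$ips     = @(Get-LocalIPv4Addresses)
$groups  = @(Get-CurrentUserGroups)
$allowed = Test-LogonAllowed -Addresses $ips -Groups $groups -Policy $AllowedSubnets

# Audit line for every logon, allowed or not, so cross-school logons can be reviewed
$line = "{0} user={1} host={2} ips={3} allowed={4}" -f (Get-Date -Format s), $env:USERNAME, `
        $env:COMPUTERNAME, ($ips -join ';'), $allowed
Add-Content -Path $LogPath -Value $line

if (-not $allowed) {
    # Runs as the user, so it can be interrupted; the logon right assigned by GPO is the real control
    & shutdown.exe /l /f
}
```

The whole check (and the list of every logon it saw) is recorded before any logoff, which is what an administrator wants when deciding whether the cross-school logons are accidental or deliberate.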

Active directory sites could be configured with each subnet. Login could then be restricted with a GPO based upon the site membership of a student.
April 7th, 2011 10:16am

Sounds good. Each site has its own subnet. I'm just not seeing where to restrict a login by subnet within a GPO. Thanks
April 7th, 2011 10:48am

Sorry, I don't think I was very clear. I think this could be accomplished by creating Active Directory sites with each subnet/school: http://technet.microsoft.com/en-us/library/cc780426(WS.10).aspx. Then create and link a GPO to each site allowing log on local rights to computers in the site for the particular users/group that should have access. I haven't done this before, but think it should work. Depending on your current setup and organization size this could be quite involved. Might look into scripting it as Mr. X suggested, as maybe that's a better option. http://technet.microsoft.com/en-us/library/cc782048(WS.10).aspx
April 7th, 2011 12:15pm
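The site-linked GPO approach described above only works for computers that Active Directory can place in a site, which depends on every school subnet being defined under Sites and Services and assigned to a site. The following is an added audit script (not from the thread or from Microsoft) that lists the subnet-to-site mapping straight from the Configuration partition via ADSI, flags subnets not assigned to any site, and reports the site the current computer resolved to with `nltest /dsgetsite`. It assumes it runs as a domain user with ordinary read access to the Configuration partition and that `nltest.exe` is present, as it is on domain-joined Windows.

```powershell
# Added example, not from the thread: audit AD subnet -> site assignments before relying on
# site-linked "Allow log on locally" GPOs. ADSI only, so no RSAT is required.

function Get-ADSubnetMap {
    # Enumerates CN=Subnets,CN=Sites,<configuration NC> and returns Subnet/Site pairs
    $rootDse   = [ADSI]"LDAP://RootDSE"
    $configNC  = $rootDse.Get("configurationNamingContext")
    $container = [ADSI]"LDAP://CN=Subnets,CN=Sites,$configNC"
    $map = @()
    foreach ($child in $container.Children) {
        if ($child.SchemaClassName -ne 'subnet') { continue }
        $siteDn   = $child.Properties["siteObject"].Value
        # siteObject is a DN such as CN=SchoolA,CN=Sites,...; keep only the site's CN
        $siteName = if ($siteDn) { (($siteDn -split ',')[0]) -replace '^CN=', '' } else { '(no site)' }
        $map += New-Object PSObject -Property @{
            Subnet = $child.Get("cn")      # e.g. 10.10.1.0/24
            Site   = $siteName
        }
    }
    return $map
}

function Get-CurrentADSite {
    # First output line of nltest /dsgetsite is the site name; non-zero exit means no site found
    $out = & nltest.exe /dsgetsite 2>$null
    if ($LASTEXITCODE -ne 0) { return $null }
    return ($out | Select-Object -First 1).Trim()
}

$map = Get-ADSubnetMap | Sort-Object Site, Subnet
$map | Format-Table Site, Subnet -AutoSize

# A subnet with no siteObject gives no site membership, so a site-linked GPO never reaches it
$orphans = @($map | Where-Object { $_.Site -eq '(no site)' })
if ($orphans.Count -gt 0) {
    Write-Warning ("Subnets not assigned to any site: " + (($orphans | ForEach-Object { $_.Subnet }) -join ', '))
}

$site = Get-CurrentADSite
if ($site) { "This computer resolved to AD site: $site" }
else       { Write-Warning "This computer could not determine its AD site; check its subnet is defined." }
```

Run it from one computer in each school: if the reported site is not the school's site, or the warning fires, the per-site GPO will not land where expected and the logon restriction will silently not apply there.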

Hi MBland-GCSD, thanks for posting here. Is this a single-domain or forest Active Directory environment? It is a little tough to implement this restriction based on the subnet, but you may take a look at the "Allow log on locally" and "Deny log on locally" policy entries of the computer group policy settings.

Allow log on locally: http://technet.microsoft.com/en-us/library/cc756809(WS.10).aspx
Deny log on locally: http://technet.microsoft.com/en-us/library/cc728210(WS.10).aspx

Another way you may take a look at is deploying an 802.1X solution for each subnet, so that the computer will not be allowed to access the network if the login account does not match the authorized account entries of the network policies.

802.1X Authenticated Wired Access: http://technet.microsoft.com/en-us/library/cc753354(WS.10).aspx

Thanks.
Tiger Li
TechNet Subscriber Support in forum
If you have any feedback on our support, please contact tngfb@microsoft.com
Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
April 8th, 2011 2:03am

Hi MBland-GCSD, please feel free to let us know if the information was helpful to you.

Thanks,
Tiger Li
TechNet Subscriber Support in forum
If you have any feedback on our support, please contact tngfb@microsoft.com
Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
April 11th, 2011 7:06am
