Allow users to log on to computers in a domain

I work for a company; we are on a domain. At the minute we have 8 meeting rooms, and in those meeting rooms there are 8 mini PCs.

At the moment the only people that are allowed to log on to these PCs are admins, because in AD under our accounts we have the option 'Log On To' set to all computers.

So everyone else in the company is set up under their account with 'Log On To' restricted to the PC that they are at.

What I am looking for is to make everyone able to log on to the meeting room PCs without specifying the PC names.

I have an OU in AD with all the meeting rooms.

There are over 100 in the company.

I want everyone to be able to log on to their own computers PLUS the 8 computers in the meeting rooms.

I have been trying for hours; I tried group policy and I think I did everything correctly, but I get the error message 'Your account is not configured to use this computer. Please try another computer.'

The mini PCs have Windows 7; we are using Windows Server 2008 to manage them.

How do I go about doing this?


Solution 1:

Instead of using the Log On To setting in your users' AD account settings, leverage the Allow log on locally group policy setting (found in Group Policy at Computer Configuration/Policies/Windows Settings/Security Settings/Local Policies/User Rights Assignment).

The Allow log on locally setting specifies local users or groups on a workstation that have permission to log on to that machine. The groups (and one user) that are granted permission to log on locally by default are:

Users
Administrators
Backup Operators
Guest

The AD security group Domain Users is automatically made a member of a workstation's local Users group when the machine is joined to the domain. This is how AD users get permission to log on to all domain computers. (Also, the domain group Domain Administrators is automatically made a member of the local Administrators group.)

You can accomplish your objective in either of two ways:

  1. Use group policy to customize the membership of your workstations' local Users group
  2. Use group policy to modify the Allow log on locally policy setting directly

Either of these approaches would necessitate abandoning use of the Log On To setting in your users' AD account settings in favor of controlling who can log on where based on their membership (or not) in a group that is either directly listed in the Allow log on locally GP setting, or is a member of a group listed in that same setting.
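After the policy has applied, you will want to confirm on one of the meeting-room PCs who is actually granted Allow log on locally and who sits in the local Users group. The script below is an added example, not code from the answer above; it is written for Windows 7 / PowerShell 2.0 and must be run from an elevated prompt. It exports the local security policy with secedit (the right is stored under its internal name SeInteractiveLogonRight as a list of SIDs prefixed with '*') and resolves each SID to an account name, then lists the local Users group through ADSI.

```powershell
# Added example, not part of the original answer. Run as administrator on a
# workstation to see the effective "Allow log on locally" grants and the
# members of the local Users group (where Domain Users lands on domain join).

$inf = Join-Path $env:TEMP 'secpol-export.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null

# The right appears as:  SeInteractiveLogonRight = *S-1-5-32-545,*S-1-5-32-544,...
$line = Get-Content $inf | Where-Object { $_ -match '^SeInteractiveLogonRight\s*=' }
$sids = ($line -split '=', 2)[1] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') }

$grants = foreach ($sid in $sids) {
    if ($sid -match '^S-1-') {
        # Translate the SID to DOMAIN\Name; fall back to the raw SID if it no
        # longer resolves (for example a deleted group still listed in policy).
        try {
            (New-Object System.Security.Principal.SecurityIdentifier($sid)).Translate(
                [System.Security.Principal.NTAccount]).Value
        } catch { $sid }
    } else {
        $sid   # secedit already wrote a name rather than a SID
    }
}

"Allow log on locally on $env:COMPUTERNAME grants:"
$grants | ForEach-Object { "  $_" }

# ADSI WinNT provider works on Windows 7 without newer Get-LocalGroupMember.
# AdsPath shows the source, e.g. WinNT://CONTOSO/Domain Users.
"Members of the local Users group:"
$group = [ADSI]"WinNT://./Users,group"
$group.psbase.Invoke('Members') | ForEach-Object {
    '  ' + $_.GetType().InvokeMember('AdsPath', 'GetProperty', $null, $_, $null)
}

Remove-Item $inf -ErrorAction SilentlyContinue
```

If BUILTIN\Users (S-1-5-32-545) is in the grant list and CONTOSO\Domain Users is in the local Users group, every domain account can log on to that PC, and any remaining "not configured to use this computer" error comes from the user's Log On To restriction in AD rather than from the machine.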

Solution 2:

There is unfortunately no possibility to specify groups of PCs or something like that.

What you could however do is script this ability with PowerShell. I'm not sure if 2008 already supports that though.

Something like:
Set-ADUser AntonioAl -LogonWorkstations 'AntonioAl-DSKTOP,AntonioAl-LPTOP'

You could fully script this to:

  • Read all Workstations DNS names in your Meeting Rooms OU
  • Go through all users
  • Read the current value for LogonWorkstations
  • Add missing Values from the Meeting Rooms List
  • Write the new value for LogonWorkstations to the user
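The steps above, written out as a script, as an added example that is not from the answer itself. It assumes the ActiveDirectory PowerShell module (part of RSAT; it ships with Server 2008 R2, while plain Server 2008 needs the Active Directory Management Gateway Service) and an OU distinguished name of your own in $MeetingRoomOU. Two details matter: LogonWorkstations holds NetBIOS computer names, so the computer object's Name is used rather than its DNSHostName; and an account whose LogonWorkstations is empty may already log on everywhere, so writing the meeting-room list to it would restrict that user instead of widening access, and the script skips such accounts.

```powershell
# Added example (not the answer's own code). Appends the meeting-room PCs to
# every restricted user's LogonWorkstations without touching unrestricted users.
Import-Module ActiveDirectory

$MeetingRoomOU = 'OU=Meeting Rooms,DC=example,DC=com'   # assumption: replace with your OU's DN

# Name is the sAMAccountName without the trailing '$', i.e. the NetBIOS name
# that the Log On To attribute expects.
$meetingPCs = Get-ADComputer -Filter * -SearchBase $MeetingRoomOU |
    Select-Object -ExpandProperty Name

foreach ($user in Get-ADUser -Filter 'Enabled -eq $true' -Properties LogonWorkstations) {
    $current = $user.LogonWorkstations

    # Empty means "all computers"; adding names here would RESTRICT the account.
    if ([string]::IsNullOrEmpty($current)) {
        Write-Verbose "$($user.SamAccountName): no Log On To restriction, skipping"
        continue
    }

    # The attribute is one comma-separated string; -notcontains is case-insensitive.
    $existing = @($current -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    $missing  = @($meetingPCs | Where-Object { $existing -notcontains $_ })

    if ($missing.Count -eq 0) { continue }

    $new = (@($existing) + @($missing)) -join ','
    Write-Host "$($user.SamAccountName): adding $($missing -join ', ')"

    # -WhatIf prints the intended change; remove it once the output looks right.
    Set-ADUser -Identity $user -LogonWorkstations $new -WhatIf
}
```

Run it first with -WhatIf in place and -Verbose on to see which accounts are skipped and which would change; the same loop has to be repeated whenever a meeting-room PC is added or renamed, which is the maintenance cost the group-policy approach in Solution 1 avoids.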