How Can I Specify the Computers a User Can Use to Log On to the Domain?

How Can I Specify the Computers a User Can Use to Log On to the Domain?

  • Comments 3
  • Likes
Hey, Scripting Guy! Question

Hey, Scripting Guy! How can I configure a user account so that the user can only log on to the domain using specific computers?

-- RB

SpacerHey, Scripting Guy! AnswerScript Center

Hey, RB. You know, at one point we had some really good solutions for you; unfortunately, Microsoft’s legal department said no to every single one of them. In their view, “We believe most Human Resources departments would frown on system administrators hitting their users over the head with a 2x4.”

Well, maybe. Although you’ll never convince us that those people from Human Resources haven’t thought about hitting their clients over the head with a 2x4. And probably on more than one occasion.

(Editor’s Note: Yes, once again, the editor needs to step in and make a small, probably futile, attempt at keeping everyone out of trouble: Microsoft and the Scripting Guys do not promote, support, or have anything to do with violence in the workplace, or anywhere else for that matter. Well, okay, football is a little violent, and that’s okay. And many people think boxing is okay, and that’s pretty violent. All right, forget it; we’ll let the lawyers figure it out.)

Which means, of course, that all our solutions involving electric shocks, trap doors, and trained attack monkeys had to be thrown out. That left us with just one answer for you: a usable - albeit somewhat boring - solution involving ADSI. Something that looks a lot like this:

Set objUser = GetObject _
  ("LDAP://cn=Ken Myer,ou=Finance,dc=fabrikam,dc=com")
 
objUser.Put "userWorkstations", "atl-ws-01,atl-ws-02,atl-ws-03"
objUser.SetInfo

Like we said, this was not our first choice. Still, it is a bit easier to write and run a three-line script than it is to create a race of zombie slaves that will guard your computers and prevent unauthorized users from logging on. As you can see, there isn’t much to this script. After binding to the Ken Myer user account in Active Directory it then takes just two lines of code to specify the computers that Ken can use to log on to the domain:

objUser.Put "userWorkstations", "atl-ws-01,atl-ws-02,atl-ws-03"
objUser.SetInfo

In the first line we’re simply assigning the allowed computers to the userWorkstations attribute. Note the syntax here: we specify all the computer names inside a pair of double quote marks, separating each name with a comma. When doing this keep in mind what our goal is: we’re saying that these are the only three computers Ken Myer can use to log on to the domain. You already know that, but we don’t want people getting confused and thinking that we’re denying Ken access to these computers. On the contrary: we’re denying Ken access to every machine except these computers.

After assigning the computer names to userWorkstations we then call the SetInfo method to write the changes back to the Ken Myer user account in Active Directory. And that’s it; we’re done. Which means we can save the catapult for another day.

Of course, it’s possible that you’ll change your mind later on and want to give Ken the right to use any computer to log on to the domain. Then what?

Well, you could simply give your zombie slaves two weeks notice. However, as we’ve learned - the hard way - zombies don’t take bad news very well. Consequently, your best bet might be to use another script to eliminate all the values in the userWorkstations attribute. When this attribute is blank, that means the user can log on to the domain using any computer:

Const ADS_PROPERTY_CLEAR = 1
 
Set objUser = GetObject _
    ("LDAP://cn=Ken Myer,ou=Finance,dc=fabrikam,dc=com")
  
objUser.PutEx ADS_PROPERTY_CLEAR, "userWorkstations", 0
objUser.SetInfo

Seeing as how we’re a little busy right now we won’t bother to explain how this bonus script works. We also won’t talk about how you can remove a single computer from the userWorkstations attribute or how you can add a new computer to the list. After all, that’s what the Microsoft Windows 2000 Scripting Guide is for.

Besides, the attack monkeys are here for their mid-year performance review. (To tell you the truth, other than that one regrettable moment at the company Christmas party they’ve really had a good year so far.)

Your comment has been posted.   Close
Thank you, your comment requires moderation so it may take a while to appear.   Close
Leave a Comment
  • Is there any way to use the ADS_PROPERTY_APPEND with a script like this? I'm looking to add more computers to the list of computers and not remove what is there.

  • Is there a way to determine whether the account is set to logon to "All Computers" vs "The following computers" that has no workstations defined?

    I'm writing a script that checks to see if a server is present in the Logon Rights and haven't found a way to determine the above scenario...any suggestions?

  • thank you