{"id":67933,"date":"2006-02-17T08:18:00","date_gmt":"2006-02-17T08:18:00","guid":{"rendered":"https:\/\/blogs.technet.microsoft.com\/heyscriptingguy\/2006\/02\/17\/how-can-i-specify-the-computers-a-user-can-use-to-log-on-to-the-domain\/"},"modified":"2006-02-17T08:18:00","modified_gmt":"2006-02-17T08:18:00","slug":"how-can-i-specify-the-computers-a-user-can-use-to-log-on-to-the-domain","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/scripting\/how-can-i-specify-the-computers-a-user-can-use-to-log-on-to-the-domain\/","title":{"rendered":"How Can I Specify the Computers a User Can Use to Log On to the Domain?"},"content":{"rendered":"<p><IMG class=\"nearGraphic\" title=\"Hey, Scripting Guy! Question\" border=\"0\" alt=\"Hey, Scripting Guy! Question\" align=\"left\" src=\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/29\/2019\/02\/q-for-powertip.jpg\" width=\"34\" height=\"34\"> \n<P>Hey, Scripting Guy! How can I configure a user account so that the user can only log on to the domain using specific computers?<BR><BR>&#8212; RB<\/P><IMG class=\"nearGraphic\" title=\"Hey, Scripting Guy! Answer\" border=\"0\" alt=\"Hey, Scripting Guy! Answer\" align=\"left\" src=\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/29\/2019\/02\/a-for-powertip.jpg\" width=\"34\" height=\"34\"> \n<P>Hey, RB. You know, at one point we had some <I>really<\/I> good solutions for you; unfortunately, Microsoft\u2019s legal department said no to every single one of them. 
In their view, \u201cWe believe most Human Resources departments would frown on system administrators hitting their users over the head with a 2&#215;4.\u201d<\/P>\n<P>Well, maybe. Although you\u2019ll never convince us that those people from Human Resources haven\u2019t thought about hitting <I>their<\/I> clients over the head with a 2&#215;4. And probably on more than one occasion. <\/P>\n<P><I>(Editor\u2019s Note: Yes, once again, the editor needs to step in and make a small, probably futile, attempt at keeping everyone out of trouble: Microsoft and the Scripting Guys do not promote, support, or have anything to do with violence in the workplace, or anywhere else for that matter. Well, okay, football is a little violent, and that\u2019s okay. And many people think boxing is okay, and that\u2019s pretty violent. All right, forget it; we\u2019ll let the lawyers figure it out.)<\/I><\/P>\n<P>Which means, of course, that all our solutions involving electric shocks, trap doors, and trained attack monkeys had to be thrown out. That left us with just one answer for you: a usable &#8211; albeit somewhat boring &#8211; solution involving ADSI. Something that looks a lot like this:<\/P><PRE class=\"codeSample\">' Bind to the Ken Myer user account in Active Directory\nSet objUser = GetObject _\n  (\"LDAP:\/\/cn=Ken Myer,ou=Finance,dc=fabrikam,dc=com\")\n\n' Allow logon only from these three computers, then save the change\nobjUser.Put \"userWorkstations\", \"atl-ws-01,atl-ws-02,atl-ws-03\"\nobjUser.SetInfo\n<\/PRE>\n<P>Like we said, this was not our first choice. Still, it <I>is<\/I> a bit easier to write and run a three-line script than it is to create a race of zombie slaves that will guard your computers and prevent unauthorized users from logging on. As you can see, there isn\u2019t much to this script. 
After binding to the Ken Myer user account in Active Directory, it then takes just two lines of code to specify the computers that Ken can use to log on to the domain:<\/P><PRE class=\"codeSample\">objUser.Put \"userWorkstations\", \"atl-ws-01,atl-ws-02,atl-ws-03\"\nobjUser.SetInfo\n<\/PRE>\n<P>In the first line we\u2019re simply assigning the allowed computers to the <B>userWorkstations<\/B> attribute. Note the syntax here: we specify all the computer names inside a pair of double quote marks, separating each name with a comma. When doing this, keep in mind what our goal is: we\u2019re saying that these are the only three computers Ken Myer can use to log on to the domain. You already know that, but we don\u2019t want people getting confused and thinking that we\u2019re denying Ken access to these computers. On the contrary: we\u2019re denying Ken access to every machine <I>except<\/I> these computers.<\/P>\n<P>After assigning the computer names to userWorkstations, we then call the <B>SetInfo<\/B> method to write the changes back to the Ken Myer user account in Active Directory. And that\u2019s it; we\u2019re done. Which means we can save the catapult for another day.<\/P>\n<P>Of course, it\u2019s possible that you\u2019ll change your mind later on and want to give Ken the right to use <I>any<\/I> computer to log on to the domain. Then what? <\/P>\n<P>Well, you <I>could<\/I> simply give your zombie slaves two weeks\u2019 notice. However, as we\u2019ve learned &#8211; the hard way &#8211; zombies don\u2019t take bad news very well. Consequently, your best bet might be to use another script to eliminate all the values in the userWorkstations attribute. 
When this attribute is blank, that means the user can log on to the domain using any computer:<\/P><PRE class=\"codeSample\">Const ADS_PROPERTY_CLEAR = 1\n\nSet objUser = GetObject _\n    (\"LDAP:\/\/cn=Ken Myer,ou=Finance,dc=fabrikam,dc=com\")\n\n' Clear every value in userWorkstations, then save the change\nobjUser.PutEx ADS_PROPERTY_CLEAR, \"userWorkstations\", 0\nobjUser.SetInfo\n<\/PRE>\n<P>Seeing as how we\u2019re a little busy right now we won\u2019t bother to explain how this bonus script works. We also won\u2019t talk about how you can remove a single computer from the userWorkstations attribute or how you can add a new computer to the list. After all, that\u2019s what the <A href=\"http:\/\/null\/technet\/scriptcenter\/guide\/sas_ads_kbwl.mspx\" target=\"_blank\"><B>Microsoft Windows 2000 Scripting Guide<\/B><\/A> is for. <\/P>\n<P>Besides, the attack monkeys are here for their mid-year performance review. (To tell you the truth, other than that one regrettable moment at the company Christmas party they\u2019ve really had a good year so far.)<\/P><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Hey, Scripting Guy! How can I configure a user account so that the user can only log on to the domain using specific computers?&#8212; RB Hey, RB. You know, at one point we had some really good solutions for you; unfortunately, Microsoft\u2019s legal department said no to every single one of them. In their view, [&hellip;]<\/p>\n","protected":false},"author":595,"featured_media":87096,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[7,46,3,20,5],"class_list":["post-67933","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-scripting","tag-active-directory","tag-computer-accounts","tag-scripting-guy","tag-user-accounts","tag-vbscript"],"acf":[],"blog_post_summary":"<p>Hey, Scripting Guy! 
How can I configure a user account so that the user can only log on to the domain using specific computers?&#8212; RB Hey, RB. You know, at one point we had some really good solutions for you; unfortunately, Microsoft\u2019s legal department said no to every single one of them. In their view, [&hellip;]<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/67933","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/users\/595"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/comments?post=67933"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/67933\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media\/87096"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media?parent=67933"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/categories?post=67933"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/tags?post=67933"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}