Channel: Security forum
Fine grained control of user local logon

Hi folks,

I have a scenario in which I need to control in great detail who can log on to each client machine in a domain:

We have 15 workshops each of which contains 2 servers (machine control software will be on these) and one or two workstations.

Our users fall into 3 categories:

  • Operators need to be able to log on to workstations
  • Supervisors need to be able to log on to workstations and Type 1 servers.
  • Engineers need to be able to log on to all machines.

So far so easy. The first complication is that these users should only be allowed once they have been trained for a particular workshop. The second is that this is a highly secure environment and so it must be achieved by whitelisting. This means I can only use Allow log on locally, I must not use Deny.

Working in a test environment I have set up 18 Security Groups, one for each workshop A through O and one for each class of user.  A new operator gets added to the Operators group and as they are trained they are added to one or more Workshop security groups.

Ideally I would like to grant logon rights on each machine with boolean logic, for example Server 1 in Workshop C would have logon rights

  • 'Domain Admins, ((Workshop C) AND (Supervisors)), ((Workshop C) AND (Engineers))' 

I cannot see how to achieve this logical AND.  At the moment it looks like instead of the 18 security groups above I'll have to create 45: WorkshopAUsers, WorkshopASupervisors, WorkshopAEngineers etc.

Can anyone offer any improvement? Perhaps by a script to call ntrights.exe?
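One way to get the logical AND the post asks for without hand-maintaining 45 groups is to keep the 18 source groups as the only place membership is edited and let a scheduled script derive one "intersection" group per (workshop, role) pair, which is then the group named in each machine's Allow log on locally policy. The following is an added example, not code from the original post; it assumes the ActiveDirectory PowerShell module, source groups named like 'Workshop C' and 'Supervisors', and a derived-group naming pattern 'Logon_WorkshopC_Supervisors' (all assumptions).

```powershell
# Added example (not from the original post). Derives per-machine-class logon groups from
# the poster's Workshop and role groups. Group names and the 'Logon_<Workshop>_<Role>'
# pattern are assumptions; the derived groups must already exist in AD.
Import-Module ActiveDirectory

function Get-UserMembers {
    # Recursive so nested groups are honoured; only user objects count for logon rights.
    param([string] $Group)
    @(Get-ADGroupMember -Identity $Group -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        Select-Object -ExpandProperty SamAccountName)
}

function Sync-IntersectionGroup {
    param(
        [Parameter(Mandatory)] [string] $WorkshopGroup,  # e.g. 'Workshop C'
        [Parameter(Mandatory)] [string] $RoleGroup,      # e.g. 'Supervisors'
        [Parameter(Mandatory)] [string] $TargetGroup,    # e.g. 'Logon_WorkshopC_Supervisors'
        [switch] $WhatIf
    )
    $inWorkshop = Get-UserMembers $WorkshopGroup
    $inRole     = Get-UserMembers $RoleGroup
    # (Workshop) AND (Role): a user must be in both source groups.
    $wanted  = @($inWorkshop | Where-Object { $inRole -contains $_ })
    $current = @(Get-ADGroupMember -Identity $TargetGroup |
        Where-Object { $_.objectClass -eq 'user' } |
        Select-Object -ExpandProperty SamAccountName)

    $toAdd    = @($wanted  | Where-Object { $current -notcontains $_ })
    $toRemove = @($current | Where-Object { $wanted  -notcontains $_ })

    if ($toAdd)    { Add-ADGroupMember    -Identity $TargetGroup -Members $toAdd -WhatIf:$WhatIf }
    # Removal is what keeps this a whitelist: dropping out of either source group
    # revokes the logon right at the next sync rather than leaving it behind.
    if ($toRemove) { Remove-ADGroupMember -Identity $TargetGroup -Members $toRemove -Confirm:$false -WhatIf:$WhatIf }
}

# Domain Admins go straight into the policy; everything else is one derived group per pair.
# Workstations reference all three role groups of their workshop, Type 1 servers the
# Supervisors and Engineers groups, remaining servers the Engineers group only.
foreach ($w in 'A','B','C') {   # extend to A..O
    foreach ($role in 'Operators','Supervisors','Engineers') {
        Sync-IntersectionGroup -WorkshopGroup "Workshop $w" -RoleGroup $role `
            -TargetGroup "Logon_Workshop${w}_$role" -WhatIf
    }
}
```

Drop the -WhatIf once the dry run shows the expected adds and removals, and run the sync on a schedule so the derived groups never lag the source groups for long.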
