Allowing Students and College Workers to Log Into Staff Computers

Only user accounts in the AD\faculty group are allowed to log on to computers in the cacomputers\Staff OU. This is done via the Group Policy object (GPO) named Staff Login Only, which is applied to the cacomputers\Staff OU.

There may be cases where student accounts or college worker accounts need to be able to log in to staff computers. One example of this is the front desk computer: the student workers at the front desk need to be able to log into that computer.

To allow a staff computer to be an exception to the Staff Login Only GPO, follow these steps:

  1. Determine which students need login permissions for the desired computer.
  2. Add the student account(s) to the corresponding group in Active Directory.
    1. For student workers at the front desk, this AD group is cagroups\StudentWrkrs-FrontDesk.
    2. For student workers in the business office, this AD group is cagroups\StudentWrkrs-BusOffice.
    3. If a group does not exist for the desired computer yet (i.e. no students are currently allowed to log into the computer), create a new group and name it according to the following naming scheme: StudentWrkrs-<Name or description of department>.
  3. If there is an existing GPO allowing students to log into the desired computer, the student(s) that have been added to the existing AD group should now be allowed to log into the computer (it may require a reboot). In this case, you can skip the rest of these steps.
  4. Create a new GPO named StudentWrkrsLogin-<Name or description of department> (e.g. StudentWrkrsLogin-FrontDesk).
  5. Edit the GPO and change the following item: Computer Configuration/Policies/Windows Settings/Security Settings/Local Policies/User Rights Assignment/Allow log on locally
    1. Add the following groups to allow them to log onto the computer:
      1. Administrators
      2. AD\faculty
      3. AD\<NewlyCreatedGroupName> (e.g. AD\StudentWrkrs-FrontDesk)
  6. Close the new GPO and then navigate to the Scope tab of the new GPO.
  7. Under the Security Filtering section, add the computer(s) the student workers should have access to into the Security Filtering list.
    1. Remove the Authenticated Users entry.
    2. Click the Add button, select Object Types, check the Computers object type, and search for the name of the computer.
  8. Exclude the computer from the Staff Login Only GPO, lest it override the newly created GPO.
    1. Add the computer to the AD group cagroups\ComputersExcludedFromStaffLoginOnlyGPO.
      1. This group is excluded from the Staff Login Only GPO by being denied the Apply group policy permission for that GPO.
  9. Finally, verify that everything is working by rebooting the desired computer and having the student worker log on to it.
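
Before the reboot in step 9, the configuration from steps 2, 5, 7 and 8 can be reviewed with a read-only PowerShell check. This is an added example, not part of the original procedure; it assumes the RSAT ActiveDirectory and GroupPolicy modules are installed, uses the front desk names from the steps above, and the computer name FRONTDESK-PC is a placeholder.

```powershell
# Read-only review of the exception set up above; nothing is modified.
Import-Module ActiveDirectory, GroupPolicy

$Computer     = 'FRONTDESK-PC'                 # placeholder computer name
$StudentGroup = 'StudentWrkrs-FrontDesk'
$NewGpo       = 'StudentWrkrsLogin-FrontDesk'
$ExcludeGroup = 'ComputersExcludedFromStaffLoginOnlyGPO'

# Step 2: accounts that gain logon rights. Review for unexpected members.
Get-ADGroupMember -Identity $StudentGroup -Recursive |
    Select-Object Name, SamAccountName, objectClass

# Step 5: trustees granted "Allow log on locally" (SeInteractiveLogonRight).
[xml]$report = Get-GPOReport -Name $NewGpo -ReportType Xml
$xpath = "//*[local-name()='UserRightsAssignment']" +
         "[*[local-name()='Name']='SeInteractiveLogonRight']" +
         "/*[local-name()='Member']/*[local-name()='Name']"
$logonRight = @($report.SelectNodes($xpath) | ForEach-Object { $_.InnerText })
"Allow log on locally: $($logonRight -join ', ')"
foreach ($required in 'Administrators', 'faculty', $StudentGroup) {
    if (-not ($logonRight -match [regex]::Escape($required))) {
        Write-Warning "$required is missing from Allow log on locally."
    }
}

# Step 7: only the intended computer(s) should hold Apply on the new GPO.
$appliers = @(Get-GPPermission -Name $NewGpo -All |
    Where-Object { $_.Permission -eq 'GpoApply' } |
    ForEach-Object { $_.Trustee.Name })
"Security filtering: $($appliers -join ', ')"
if ($appliers -contains 'Authenticated Users') {
    Write-Warning 'Authenticated Users still applies this GPO.'
}
if (-not ($appliers -like "$Computer*")) {
    Write-Warning "$Computer is not in the Security Filtering list."
}

# Step 8: the computer must be in the group excluded from Staff Login Only.
$excluded = @(Get-ADGroupMember -Identity $ExcludeGroup -Recursive |
    Where-Object { $_.objectClass -eq 'computer' } |
    ForEach-Object { $_.Name })
if ($excluded -notcontains $Computer) {
    Write-Warning "$Computer is not a member of $ExcludeGroup."
}
```

After the reboot, running `gpresult /r /scope computer` on the computer itself lists the GPOs that were applied and those that were filtered out.
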
  • workstations/allowing_students_to_logon_staff_computers.txt
  • Last modified: 2019/03/15 15:11
  • by ericclaus