Restricting a user’s computers

On the Account tab of an AD user's properties there is a button labelled "Log On To..." that can be used to restrict the computers a user can log onto. The default is that users can log onto any machine. The restriction is stored in the userWorkstations attribute, and if you want to script it there are four ways, shown below using the AD cmdlets, the AD provider, the Quest cmdlets and ADSI:

if (-not (Get-Module ActiveDirectory)){
  Import-Module ActiveDirectory
}
$ou = "OU=England,DC=Manticore,DC=org"
# comma-separated list of computer names; no spaces between the names
$ws = "Comp1,Comp2,Comp3,Comp4,Comp5"

# AD cmdlets
$name = "UserA"
Get-ADUser -Identity $name |
Set-ADUser -Replace @{userWorkstations = $ws}

"`nAD provider"
$name = "UserB"
$dn = "cn=$name,$ou"
Set-ItemProperty -Path "AD:\$dn" -Name userWorkstations -Value $ws -Force

# Quest cmdlets
$name = "UserC"
Get-QADUser -Identity $name |
Set-QADUser -ObjectAttributes @{userWorkstations = $ws}

# ADSI
$name = "UserD"
$dn = "cn=$name,$ou"
$user = [adsi]"LDAP://$dn"
$user.userWorkstations = $ws
$user.SetInfo()   # commit the change back to AD

Create a list of computer names. Notice that there aren't any spaces between the computer names; this is required, because the attribute is a single comma-separated string rather than a multi-valued attribute.

Otherwise the scripts work in the same way as setting any other property.
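As an added example (not code from the original post), a small wrapper around the AD cmdlet approach that builds the comma-separated value from an array of names, rejects anything containing whitespace, and reads the attribute back afterwards to confirm the change took. The function names and the check for the 15-character NetBIOS limit are my own choices.

```powershell
# Added example, not from the original post.
# Requires the ActiveDirectory module (Get-ADUser / Set-ADUser).
function New-UserWorkstationsValue {
    # Turn an array of computer names into the single string that
    # userWorkstations expects: comma-separated, no spaces, no duplicates.
    param([Parameter(Mandatory)][string[]]$ComputerName)
    $clean = foreach ($c in $ComputerName) {
        $n = $c.Trim()
        if ($n -match '\s') { throw "Computer name '$c' contains whitespace" }
        if ($n.Length -gt 15) { throw "'$n' exceeds the 15 character NetBIOS limit" }
        $n
    }
    ($clean | Sort-Object -Unique) -join ','
}

function Set-UserWorkstations {
    # Apply the restriction, then read it back to verify it was stored.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Identity,
        [Parameter(Mandatory)][string[]]$ComputerName
    )
    $value = New-UserWorkstationsValue -ComputerName $ComputerName
    if ($PSCmdlet.ShouldProcess($Identity, "Set userWorkstations to '$value'")) {
        Set-ADUser -Identity $Identity -Replace @{userWorkstations = $value}
        # userWorkstations is not in the default property set, so ask for it
        $actual = (Get-ADUser -Identity $Identity -Properties userWorkstations).userWorkstations
        if ($actual -ne $value) {
            throw "Verification failed for $Identity : expected '$value', got '$actual'"
        }
        $actual
    }
}

function Clear-UserWorkstations {
    # Remove the restriction so the user can log on anywhere again.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Identity)
    if ($PSCmdlet.ShouldProcess($Identity, "Clear userWorkstations")) {
        Set-ADUser -Identity $Identity -Clear userWorkstations
    }
}

# Usage (UserA and the computer names are constructed sample values):
# Set-UserWorkstations -Identity UserA -ComputerName 'Comp1',' Comp2 ','Comp3' -WhatIf
# Set-UserWorkstations -Identity UserA -ComputerName 'Comp1','Comp2','Comp3'
```

Run with -WhatIf first to see the exact value that would be written before touching the account.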

