I have a very small network with a handful of users and machines. I would like to control which users can access which machines by using Group Policy.
Here is a basic overview of my current setup.
All machines are in the Domain Computers group. Two computers are in the Management Computers group. These are used for management employees that have access to more sensitive data.
All users are in the Domain Users group. Two users are in the Management Users group. These users have access to everything Domain Users do as well as additional file shares.
I have a Default Computer Policy that I use to apply global settings to all machines on my network. This includes settings such as firewall exceptions for Remote Desktop, and adding Domain Users to the local Administrators group for the machine. This policy applies to the Domain Computers group. I am also setting the Allow log on locally and the Allow log on through Terminal Services rights to apply to Domain Users.
I have a Management Computer Policy that I would like to use to override specific settings that are in the Default Computer Policy. Namely, I am setting the Allow log on locally and the Allow log on through Terminal Services rights to only include the Management and Administrators groups.
All of these policies are enabled and linked to my root domain; I am not using any OUs. I've read that for a network this small, OUs are overkill and should not be necessary. I have set the link order on this domain so that the management policies are at the top and the normal user policies are below, ending with the Default Domain Policy.
I would expect that the log on settings in my Management policy would override my Default Computer Policy. However, when I look in the Local Security Policy for a computer in the Management Computers group, I see the groups specified in my default settings, not the Management policy. I have tried using gpupdate /force and also restarting the machine, and it does not do the trick. I am able to log in using a user that is just in the Domain Users group.
What am I misunderstanding here, and what should I do to accomplish what I'm going for?
Use an OU - there is no such thing as a network too small to use an OU. Apply the policies to the OU, as you can't link Group Policies to the default Users and Computers containers.
If you want to use this setup, I would create a "Computer" OU, move all the regular computer accounts to that OU and apply the Default Computer Policy there. Create a child OU "MgmtComputers" off the Computer OU and apply just the Management Computer Policy there.
Edit: BTW - if you are setting "Domain Users" as local administrators in your Default Computer Policy and allowing "Log on locally" to include the Administrators group, then since every domain user is a local admin, it would still allow every user to log in to every computer.
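The OU layout the answer describes, scripted in PowerShell, as an added example that is not part of the original question or answer. It assumes the RSAT ActiveDirectory and GroupPolicy modules, that the two GPOs already exist under the names "Default Computer Policy" and "Management Computer Policy", and that the management machines are called MGMT-PC1 and MGMT-PC2 (all hypothetical names; substitute your own). Since "Allow log on locally" and "Allow log on through Terminal Services" are Computer Configuration settings (User Rights Assignment), it is the computer account's OU that decides which GPO wins, so only computer accounts are moved here.

```powershell
# Added example (not from the original post or answer). Assumed names:
#   OUs "Computer" and "Computer\MgmtComputers", GPOs "Default Computer Policy"
#   and "Management Computer Policy", management machines MGMT-PC1 / MGMT-PC2.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDn = (Get-ADDomain).DistinguishedName          # e.g. DC=corp,DC=example
$compOuDn = "OU=Computer,$domainDn"
$mgmtOuDn = "OU=MgmtComputers,$compOuDn"

# 1. Parent OU for all workstations, child OU for the two management machines.
#    New-ADOrganizationalUnit protects the OU from accidental deletion by default.
New-ADOrganizationalUnit -Name "Computer"      -Path $domainDn
New-ADOrganizationalUnit -Name "MgmtComputers" -Path $compOuDn

# 2. Move every computer account out of the default CN=Computers container
#    (which cannot have a GPO linked to it) into the new OU, then move the
#    management machines one level further down.
Get-ADComputer -Filter * -SearchBase "CN=Computers,$domainDn" -SearchScope OneLevel |
    Move-ADObject -TargetPath $compOuDn
foreach ($name in "MGMT-PC1", "MGMT-PC2") {
    Get-ADComputer -Identity $name | Move-ADObject -TargetPath $mgmtOuDn
}

# 3. Unlink the two computer GPOs from the domain root and link each one to
#    the OU where it belongs. A GPO linked to the child OU is processed after
#    the parent's GPO, so its User Rights Assignment values win.
foreach ($gpo in "Default Computer Policy", "Management Computer Policy") {
    Remove-GPLink -Name $gpo -Target $domainDn -ErrorAction SilentlyContinue
}
New-GPLink -Name "Default Computer Policy"    -Target $compOuDn -LinkEnabled Yes
New-GPLink -Name "Management Computer Policy" -Target $mgmtOuDn -LinkEnabled Yes

# 4. Show the effective link order for the child OU: the list is sorted by
#    precedence, so "Management Computer Policy" should appear first.
Get-GPInheritance -Target $mgmtOuDn |
    Select-Object -ExpandProperty InheritedGpoLinks |
    Select-Object Order, DisplayName, Enabled, Enforced

# 5. On MGMT-PC1 itself, after 'gpupdate /target:computer /force' (or a reboot
#    so the machine picks up its new OU), confirm which GPO supplied the
#    settings and re-check the caveat from the answer's edit: if Domain Users
#    is still in the local Administrators group, every domain user is an
#    administrator and can log on regardless of the user rights assignment.
#     gpresult /scope:computer /r
#     Get-LocalGroupMember -Group Administrators
```

Run steps 1 to 4 on a domain controller or a management workstation with RSAT as a domain admin; step 5 is run on the management machine. Moving a computer account between OUs does not remove it from any security group, so the "Management Computers" group filtering in the original setup can stay in place or be dropped once the OU link does the job.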