Let’s say you want to limit which techs can log on to some servers on a Domain (or multiple servers on multiple domains) with TechIDManager. This can be done inclusively or exclusively, depending on whether you use the “Allow log on locally” or the “Deny log on locally” user right. This example uses the deny right, under the assumption that by default people should be allowed to log on; if you want it the other way around, swap the pieces as needed.
The names in quotes for OUs, AD groups, and TechIDManager Groups are just suggestions, you can use any names you want as long as they match where needed.
On that Domain in AD:
Move those servers into a specific OU (“ServerLimitedAccess” for example) so that the restriction can be scoped to them.
Create an AD Group (“LimitedServerLogin” for example).
Create a GPO linked to that OU that adds the AD Group “LimitedServerLogin” to the “Deny log on locally” user right, so it applies to the machines in the “ServerLimitedAccess” OU.
NOTE: At this point if you put users created by TechIDManager in the AD Group manually to test, or for any reason, TechIDManager will remove them from the group within an hour.
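The AD side of the steps above, as an added PowerShell example that is not TechIDManager’s own code: it creates the OU, the group and a GPO linked to the OU, and then (run on a server that sits inside the OU) checks that the group’s SID shows up in the effective “Deny log on locally” right. It assumes the RSAT ActiveDirectory and GroupPolicy modules, domain-admin rights, and the suggested names from this article; the GPO name and the server name are placeholders of my own.

```powershell
# Added example (not TechIDManager code). Run the provisioning part on a domain-joined
# admin workstation with RSAT; run the verification part on a server inside the OU.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDN  = (Get-ADDomain).DistinguishedName
$ouName    = 'ServerLimitedAccess'                  # OU name suggested in the article
$groupName = 'LimitedServerLogin'                   # must match the TechIDManager right name
$gpoName   = 'Deny Logon - LimitedServerLogin'      # placeholder, any name works
$ouDN      = "OU=$ouName,$domainDN"

# 1. OU that holds the servers whose logons are restricted
if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$ouName'" -SearchBase $domainDN -SearchScope OneLevel)) {
    New-ADOrganizationalUnit -Name $ouName -Path $domainDN
}
# Move the restricted servers in, e.g. (placeholder computer name):
#   Get-ADComputer 'SERVER01' | Move-ADObject -TargetPath $ouDN

# 2. The AD group that TechIDManager will populate; leave its membership to TechIDManager
if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
    New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security -Path "CN=Users,$domainDN"
}

# 3. GPO linked to the OU. The GroupPolicy module has no cmdlet for User Rights Assignment,
#    so after this, open the GPO and add $groupName under Computer Configuration > Policies >
#    Windows Settings > Security Settings > Local Policies > User Rights Assignment >
#    "Deny log on locally". Deny always wins over Allow for the same account.
if (-not (Get-GPO -Name $gpoName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $gpoName | New-GPLink -Target $ouDN -LinkEnabled Yes | Out-Null
}

# 4. Verification, run on a server in the OU after gpupdate: export the effective security
#    policy and confirm the group's SID is listed in SeDenyInteractiveLogonRight
#    (secedit writes principals as *<SID>, comma separated).
$groupSid = (Get-ADGroup $groupName).SID.Value
$cfg = Join-Path $env:TEMP 'secpol.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$line = Get-Content $cfg | Where-Object { $_ -match '^SeDenyInteractiveLogonRight' }
if ($line -and $line -match [regex]::Escape("*$groupSid")) {
    "OK: $groupName is denied local logon on $env:COMPUTERNAME"
} else {
    "MISSING on $env:COMPUTERNAME: run 'gpupdate /force' and recheck. Current value: $line"
}
Remove-Item $cfg -ErrorAction SilentlyContinue
```

Only the AD group itself is deny-listed; the members TechIDManager adds inherit the restriction the next time they log on, so the check above is about the policy, not about who is in the group.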
In TechIDManager:
Create a new right with the name matching the AD Group name (“LimitedServerLogin”; note this name must match the group name in AD exactly).
Create a RightsGroup (“LimitedServerLoginRightsGroup”) with that right (“LimitedServerLogin”).
Create a TechGroup with the techs that should NOT be allowed to logon to those servers (“LimitedServerLoginTechGroup”).
Create a triplet for “All Domains”, “LimitedServerLoginRightsGroup”, and “LimitedServerLoginTechGroup”.
This will add the techs that should not be allowed to log on to the “LimitedServerLogin” AD Group on that domain, and that will prevent them from logging on to those servers. This will ONLY happen on the domains where that AD group exists. TechIDManager ignores that right (“LimitedServerLogin”) on domains where the group does not exist, so you can use the “All Domains” domain group for the triplet.
In the future, if you run into this at other locations, you only need to do the steps for that Domain; as soon as the AD Group exists, the techs will be added to it.
Does this make sense? If you have any questions, don’t hesitate to ask. We are always willing to help with rights implementation questions for TechIDManager.