I am currently in the process of designing a new Active Directory (2012 R2), where the client has a specific requirement to restrict login to only the devices in the site to which they are allocated.
A Single Forest / Multi-Domain model has been suggested to me, where each site would be allocated its own child-domain and all users allocated to that site would have their user object in that child-domain.
All users will be on thin-clients using Citrix, so I am able to set the domain name on the thin clients and lock that field out from users; however, what I need to know is whether user logins can be restricted to a specific child-domain.
Note that as we are using thin-clients, I am unable to modify computer policies (i.e. deny logon locally, etc.).
Thanks!