Question

After 2 days of searching on the internet I cannot find a way to limit user authentication by IP range.

I have 2 RODCs (A and B) and an RWDC. I have user1 in my RWDC Active Directory. I want to specify a user to RODC A, but clients in both RODC sites can log in to Windows with user1.

Is there any way to limit user authentication by IP using PowerShell?

Solution

To agree with @Vasili Syrakis, how you are describing your problem, you have to do this with firewalls, or routing on your managed switch.

AD is designed for authentication of users. All it does is verify that the user exists, is a member of the appropriate groups, passwords match, is not disabled, and that's it. AD does no validation based on IP address, and is not capable, or designed for doing that.

You have to change the way you are thinking. Don't think about trying to limit user authentication; let AD do its job and authenticate the user. You have to think about it in terms of limiting access to the resource.

How you limit access to the resource really depends on what the resource is. If you want to limit it at the server level (i.e. don't allow anyone from the 192.168.1.xxx subnet to get to me), then you have to have a firewall or switch that manages access control. Firewalls and access control lists are designed to do this. They won't let the user even reach the resource, and so they won't even get the chance to authenticate with AD.

If it is specific computers (not necessarily IP addresses) that you want to stop people from logging into, then you do that with a combination of AD groups and Group Policy. See: Deny and Allow Logons with Group Policy
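The two controls the answer points at (a firewall rule that keeps a subnet from reaching the server at all, and a "deny log on locally" right applied to an AD group on the specific computers) can both be scripted from PowerShell. The following is an added example written for this answer, not code from the original post; the group name `NoLogon-SiteB`, the user `user1`, the subnet `192.168.1.0/24` and the temp paths are assumed placeholders, and the user-right section must be run elevated on each computer where the deny should apply (or delivered through a GPO, which is what the linked article describes).

```powershell
# Added example (not from the original answer). Requires the ActiveDirectory
# and NetSecurity modules; run elevated. All names below are placeholders.
Import-Module ActiveDirectory
Import-Module NetSecurity

$GroupName = 'NoLogon-SiteB'      # assumed group name
$UserName  = 'user1'              # the account from the question
$Subnet    = '192.168.1.0/24'     # assumed subnet to keep away from this server

# 1. Put the account into a group. AD still authenticates the user; the
#    group only exists so that access decisions can refer to it.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security |
        Out-Null
}
Add-ADGroupMember -Identity $GroupName -Members $UserName

# 2. Network-level control on the resource (the firewall approach in the
#    answer): block inbound traffic from the subnet so those clients never
#    reach the service and therefore never get to authenticate.
$RuleName = "Block $Subnet inbound"
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound `
        -RemoteAddress $Subnet -Action Block -Profile Domain | Out-Null
}

# 3. Logon-right control on a specific computer (the Group Policy approach
#    in the answer, applied here as local security policy via secedit).
#    SeDenyInteractiveLogonRight is the "Deny log on locally" user right.
#    Note: this REPLACES the existing deny list with the group below; merge
#    any accounts already listed before applying in production.
$GroupSid = (Get-ADGroup -Identity $GroupName).SID.Value
$Inf = Join-Path $env:TEMP 'deny-logon.inf'
$Db  = Join-Path $env:TEMP 'deny-logon.sdb'
@"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO`$"
Revision=1
[Privilege Rights]
SeDenyInteractiveLogonRight = *$GroupSid
"@ | Set-Content -Path $Inf -Encoding Unicode

secedit /configure /db $Db /cfg $Inf /areas USER_RIGHTS | Out-Null

# Verification: export the effective policy and show the deny right.
$Check = Join-Path $env:TEMP 'check.inf'
secedit /export /cfg $Check /areas USER_RIGHTS | Out-Null
Select-String -Path $Check -Pattern 'SeDenyInteractiveLogonRight'
Get-NetFirewallRule -DisplayName $RuleName | Select-Object DisplayName, Enabled, Action
```

Step 2 fits the "server level" case in the answer: the subnet is cut off before any Kerberos or NTLM exchange happens. Step 3 fits the "specific computers" case: authentication with the DC still succeeds, but the local logon is refused because the group carries the deny right, which is exactly the effect the linked Group Policy article produces at scale.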

Licensed under: CC-BY-SA with attribution