We help IT Professionals succeed at work.

i need to block 1 user from logging onto 1 Windows 2000 client machine & ONLY that machine

KNF asked
Last Modified: 2010-04-11
Running a Windows NT4 server
1 user keeps physcially logging onto a windows 2000 client although not authorised to do so.

i need to be able to block this users access to this single Win2k client - the user must still be able to log onto any of the other clients on the Domain un-hindered.

any thoughts much appreciated.
Watch Question


Open up your User Manager for Domains, double click on the troblesome user, click Log on To, click on the "User may log on to these workstations, now enter the workstations that this user is only allowed to log on to.



Hi hhp001,
thanks for your comment, however on the domain we have well over 800 clients.

The user in question can\does work on ANY and ALL of these machines and so i cannot limit the access this way.

All i want\need to do is block the access to this one client machine only

Many thanks for your input! much appreciated.


Ahhh, I see your point now! 800 PCs is alot!  What you could do is drop in a batch file to his User Profile\Startup Folder to get it to run a shutdown batch whenever he logs on.  That would be funny wouldn't it?  Give that batch file NTFS write permissions to you and read and execute permissions for his username.



Already looked at Batch files\log on scripts, and we cant use them due to the unstable and varied software environment around the Site.

There is already the generic logon.bat running which i cannot edit largely due to the same reasons as above!

Sorry to keep dashing your comments, keep them coming and hoepfully we can get this resolved!

Thanks again.


Ahh, oh well then..Will have to think about this, maybe the other experts can give you a better answer, but for now request that he be fired!


on the local  GPO for the computer.... deny log on locally

computer config
  windows settings
     local policies
        users right assignment
                deny log on locally

I assume you are running active directory, and that the computer has an account within this domain.  Find computer with whatever MCC you use, right click, go to properties, then the security tab.  This tab allows you to deny authentication for specific people, give it a try.  I believe any user denys will override group allows, but I could be wrong on that one.


PJ is right with his comments, the deny will overide this command. You will also though have to go to that particular workstation and remove the users logon from it as well. Also make sure he/she doesn't have any admin user accounts to get back in.
This one is on us!
(Get your first solution completely free - no credit card required)


Thank you all  for your input. very much appreciated!

Gain unlimited access to on-demand training courses with an Experts Exchange subscription.

Get Access
Why Experts Exchange?

Experts Exchange always has the answer, or at the least points me in the correct direction! It is like having another employee that is extremely experienced.

Jim Murphy
Programmer at Smart IT Solutions

When asked, what has been your best career decision?

Deciding to stick with EE.

Mohamed Asif
Technical Department Head

Being involved with EE helped me to grow personally and professionally.

Carl Webster
CTP, Sr Infrastructure Consultant
Empower Your Career
Did You Know?

We've partnered with two important charities to provide clean water and computer science education to those who need it most. READ MORE

Ask ANY Question

Connect with Certified Experts to gain insight and support on specific technology challenges including:

  • Troubleshooting
  • Research
  • Professional Opinions
Unlock the solution to this question.
Join our community and discover your potential

Experts Exchange is the only place where you can interact directly with leading experts in the technology field. Become a member today and access the collective knowledge of thousands of technology experts.

*This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.


Please enter a first name

Please enter a last name

8+ characters (letters, numbers, and a symbol)

By clicking, you agree to the Terms of Use and Privacy Policy.