Restrict logon with Group Policy
Posted on 2004-03-22
I have a Windows 2k domain with XP workstations. I have one workstation that I want to restrict logon to one user, let's call him joe. I would like to make this change on the server rather than on the client to make it easier to manage.
I created a new OU and placed the computer in that OU. I then created a new group policy object for that OU and I defined the 'Log on Locally' to have just joe in the list.
I then went to the client machine and ran gpupdate and restarted. I tried logging on with a different user (besides joe, and not an administrator) and it still let me log in.
I looked at the Local Security Policy on the client and it had inherited the correct settings from Active Directory - that is, Log On Locally had Administrators (which I guess is just thrown in by default) and Joe in the list. I could tell that it had inherited because the icon was different and I was not able to update it.
So, even though only Administrators and Joe are in the list, it is still letting others log on. The only way that I have found to keep other users out is to add them to the Deny Log On Locally but I don't want to use that because then I would have to modify that list every time I create a new user.
Also, I do not want to create a group that contains all users except Joe.