restrict domain user accounts to only allow logon to a specific machine


I'm doing some consulting at a company at the moment who asked me a very reasonable question, but I could not give them an answer.

They asked if it was possible to create a policy that will prevent them from logging onto any machine in the domain - i.e., is there any way to associate their user account with a specific machine, and ensure that they can ONLY log onto this machine in the domain, as opposed to any machine of their choice. Obviously, a domain user account can, by default, be used to log onto any domain-attached machine. Can you change this?

Windows 2000 SBS
AD Domain Environment
Windows XP SP2 Desktops

Thank you all in advance for your assistance!!!!
You can configure this policy:
computer configuration\windows settings\security settings\local policies\User rights assignment
Look also here:
Hope it helps, Elbereth
Seelan Naidoo (Microsoft Systems Admin) commented:
Go to the properties of the User Account -> select the Account tab -> select Log On To -> select the 'The following computers' radio button -> enter the host name of the computer that they are allowed to use.
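
The "Log On To" list set in the dialog above is stored on the user object in the `userWorkstations` attribute as a comma-separated list of computer names. The following is an added example, not part of the original thread: it audits an LDIF export of user objects and reports accounts that are unrestricted or not limited to their one expected machine. The sample export, the account and host names, and the `EXPECTED` mapping are constructed for illustration.

```python
import base64
import re

# Constructed sample LDIF export (not real data); all names are placeholders.
SAMPLE_LDIF = """\
dn: CN=Alice,CN=Users,DC=example,DC=local
sAMAccountName: alice
userWorkstations: PC-ALICE

dn: CN=Bob,CN=Users,DC=example,DC=local
sAMAccountName: bob

dn: CN=Carol,CN=Users,DC=example,DC=local
sAMAccountName: carol
userWorkstations: PC-CAROL,PC-
 SPARE,pc-lab

dn: CN=Dave,CN=Users,DC=example,DC=local
sAMAccountName: dave
userWorkstations:: UEMtREFWRQ==
"""
EXPECTED = {"alice": "PC-ALICE", "bob": "PC-BOB", "carol": "PC-CAROL", "dave": "PC-DAVE"}

def parse_ldif(text):
    """Return one dict per LDIF entry, with lower-cased attribute names."""
    text = re.sub(r"\r?\n ", "", text)         # unfold: newline + one space continues a value
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            if line.startswith("#"):           # LDIF comment line
                continue
            name, _, value = line.partition(":")
            if value.startswith(":"):          # '::' marks a base64-encoded value
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            entry[name.lower()] = value.strip()
        entries.append(entry)
    return entries

def audit(entries, expected):
    """Map account -> (status, hosts); expected maps account -> its single permitted machine."""
    report = {}
    for e in entries:
        user = e.get("samaccountname", "").lower()
        raw = e.get("userworkstations", "")    # empty means logon is allowed on any machine
        hosts = sorted({h.strip().upper() for h in raw.split(",") if h.strip()})
        status = ("unrestricted" if not hosts else
                  "ok" if hosts == [expected.get(user, "").upper()] else "mismatch")
        report[user] = (status, hosts)
    return report
```
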
SeanUK777 has the correct answer, but I wanted to post a link about loopback processing since it goes hand in hand with this question. What if you wanted a GPO to be applied only to a specific user(s) on a specific computer(s)? To do this you would have to configure a loopback policy... see below:


