restrict domain user accounts to only allow logon to a specific machine


I'm doing some consulting at a company at the moment who asked me a very reasonable question, but I could not give them an answer.

They asked if it was possible to create a policy that will prevent them from logging onto any machine in the domain - i.e., is there any way to associate their user account with a specific machine, and ensure that they can ONLY log onto this machine in the domain, as opposed to any machine of their choice.  Obviously, a domain user account can, by default, be used to log onto any domain attached machine.  Can you change this?

Windows 2000 SBS
AD Domain Environment
Windows XP SP2 Desktops

Thank you all in advance for your assistance!!!!

Seelan Naidoo (Microsoft Systems Admin) commented:
Go to the properties of the User Account -> select the Account tab -> select Log On To -> select the 'The following computers' radio button -> enter the host names of the computers that they are allowed to use.
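
The "Log On To" list described in the answer above is stored in the account's `userWorkstations` attribute. The following is an added example, not part of the original thread, that sets that attribute over ADSI and lists enabled accounts that still have no workstation restriction. It assumes PowerShell 2.0 or later on a domain-joined management machine and an account with rights to edit users; `jsmith` and `WKSTN-042` are constructed placeholder names.

```powershell
# Added example (not from the thread). Uses ADSI/LDAP, so it does not need the ActiveDirectory module.

function Get-DomainUserEntry {
    param(
        [Parameter(Mandatory = $true)]
        [ValidatePattern('^[A-Za-z0-9._\-]+$')]   # reject characters that could alter the LDAP filter
        [string]$SamAccountName
    )
    $searcher = New-Object System.DirectoryServices.DirectorySearcher   # binds to the current domain
    $searcher.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$SamAccountName))"
    $result = $searcher.FindOne()
    if (-not $result) { throw "User '$SamAccountName' not found." }
    return $result.GetDirectoryEntry()
}

function Set-LogonWorkstation {
    param(
        [Parameter(Mandatory = $true)][string]$SamAccountName,
        [Parameter(Mandatory = $true)]
        [ValidatePattern('^[A-Za-z0-9\-]+$')]     # plain computer names only, no commas or spaces
        [string[]]$ComputerName
    )
    $user = Get-DomainUserEntry -SamAccountName $SamAccountName
    # userWorkstations is a single comma-separated string of computer names
    $user.Put('userWorkstations', ($ComputerName -join ','))
    $user.SetInfo()
    "{0} may now log on to: {1}" -f $SamAccountName, ($ComputerName -join ', ')
}

function Get-UnrestrictedUser {
    # Enabled user accounts where userWorkstations is empty, i.e. "All computers" in the GUI.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = '(&(objectCategory=person)(objectClass=user)' +
                       '(!(userWorkstations=*))' +
                       '(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'   # bit 2 = account disabled
    $searcher.PageSize = 500                       # page through large domains
    [void]$searcher.PropertiesToLoad.Add('sAMAccountName')
    $searcher.FindAll() | ForEach-Object { $_.Properties['samaccountname'][0] }
}

# Example use with the placeholder names:
#   Set-LogonWorkstation -SamAccountName 'jsmith' -ComputerName 'WKSTN-042'
#   Get-UnrestrictedUser | Sort-Object
```

Running `Get-UnrestrictedUser` after the change is a quick check that the restriction was applied to every account it was meant for.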
You can configure this policy:
computer configuration\windows settings\security settings\local policies\User rights assignment
Look also here:
Hope it helps, Elbereth
SeanUK777 has the correct answer, but I wanted to post a link about loopback processing since it goes hand in hand with this question.  What if you wanted a GPO to only be applied to a specific user(s) on a specific computer(s)? To do this you would have to configure a loopback policy... see below:

Question has a verified solution.
