• Status: Solved

Restrict computers to specific user accounts in AD


I'm familiar with the user account option to restrict use of the account to a list of named computers.

What I want to do is the opposite. For certain computers I only want certain accounts to have access.

E.g. user U1 can log in to all computers, but user U2 can log into most computers, just not five of them.

I could do this by setting allowed workstations for every account but, apart from being a lot of work, this seems a clumsy solution.

Is there a better way?

W2003 domain, XP Pro clients.


2 Solutions
Hi leonst,

You may try grouping computers, which you may call public (all workstations) and private (5 computers), when restricting/allowing users to log on to the public group.

Jeffrey Kane - TechSoEasy, Principal Consultant, commented:
Almost all Group Policies have both positive and negative settings.  If you want the opposite, then just DENY permission to the list of users instead of GRANTING permission.

leonst (Author) commented:
You're both correct, although what I really wanted to know was exactly how to do it.

I found this article:


and worked out that the policy I wanted was Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Logon Locally.

By specifying one group for this it seems to work fine.
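
Added example (not part of the original thread): a Python check that one of the restricted computers ended up with the intended rights, run over the output of `secedit /export /cfg rights.inf /areas USER_RIGHTS`. In that export the "log on locally" right appears as `SeInteractiveLogonRight` and the deny counterpart mentioned above as `SeDenyInteractiveLogonRight`; the sample text and the domain SIDs below are constructed, and the group with RID 1105 is a hypothetical "private computers" group.

```python
ALLOW = "SeInteractiveLogonRight"     # "Log on locally" user right
DENY = "SeDenyInteractiveLogonRight"  # "Deny log on locally" user right

# Constructed sample of a secedit export (real files are typically UTF-16,
# so decode with encoding="utf-16" when reading one from disk).
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-21-1111111111-2222222222-3333333333-1105,*S-1-5-32-545
SeDenyInteractiveLogonRight = *S-1-5-21-1111111111-2222222222-3333333333-1110
[Version]
signature="$CHICAGO$"
"""

# Principals that should hold the right on a restricted computer:
# BUILTIN\Administrators plus the hypothetical private-computers group.
ALLOWED = {"S-1-5-32-544", "S-1-5-21-1111111111-2222222222-3333333333-1105"}

def parse_rights(inf_text):
    """Return {right: set of principals} from the [Privilege Rights] section."""
    rights, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
        elif in_section and "=" in line:
            name, _, value = line.partition("=")
            # A leading '*' marks a SID; upper-case so names compare case-insensitively.
            rights[name.strip()] = {p.strip().lstrip("*").upper()
                                    for p in value.split(",") if p.strip()}
    return rights

def audit(inf_text, allowed):
    """List deviations from 'only `allowed` may log on locally'."""
    rights, findings = parse_rights(inf_text), []
    allow = rights.get(ALLOW)
    if allow is None:
        return [f"{ALLOW} not defined in export"]
    findings += [f"unexpected principal in {ALLOW}: {p}" for p in sorted(allow - allowed)]
    findings += [f"expected principal missing from {ALLOW}: {p}" for p in sorted(allowed - allow)]
    # A deny entry overrides an allow entry for the same principal.
    findings += [f"{p} is allowed but also listed in {DENY} (deny wins)"
                 for p in sorted(rights.get(DENY, set()) & allowed)]
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_INF, ALLOWED):
        print(finding)
```

On the constructed sample the only finding is `S-1-5-32-545` (BUILTIN\Users), the entry that would let every domain user log on to the restricted machine.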