Go Premium for a chance to win a PS4. Enter to Win

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 495
  • Last Modified:

Prevent an AD account from logging into Client PCs

I need to find some way to prevent active directory users from being able to log into client PCs while still retaining domain user status (so they can log into our sharepoint portal which is exposed to the outside via AD accounts).

Example:

I have a user account spuser that is only a part of domain users. I've denied it terminal services access and it's not a part of any other security groups, but it can still log into a PC on our network. That's the last security hole i need to close.
0
craskin
Asked:
craskin
3 Solutions
 
amit_gCommented:
In Active Directory you could restrict users to be able to log on to just a few computers. Open Active Dreictory and go to properites of the user. Go to Account tab and cick on the logon button. Change default setting of All computers to the following computer and only list the computers that you want to allow. Leave the list empty if you don't want to allow any.
0
 
Toni UranjekConsultant/TrainerCommented:
There is settings in GPO which could help you. You can use "Deny logon locally" from Computer configuration\Windows settings\Security settings\Local policies\User rights assignment.

0
 
Jay_Jay70Commented:
careful who you place in that policy, you can do some serious damage unless you are very clear on who you lockdown
0

Featured Post

Nothing ever in the clear!

This technical paper will help you implement VMware’s VM encryption as well as implement Veeam encryption which together will achieve the nothing ever in the clear goal. If a bad guy steals VMs, backups or traffic they get nothing.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now