• Status: Solved

Prevent an AD account from logging into Client PCs

I need to find some way to prevent Active Directory users from being able to log into client PCs while still retaining domain user status (so they can log into our SharePoint portal, which is exposed to the outside via AD accounts).

Example:

I have a user account spuser that is only a part of Domain Users. I've denied it Terminal Services access and it's not a part of any other security groups, but it can still log into a PC on our network. That's the last security hole I need to close.
Asked by: craskin

amit_g commented:
In Active Directory you could restrict users to be able to log on to just a few computers. Open Active Directory and go to the properties of the user. Go to the Account tab and click on the logon button. Change the default setting of "All computers" to "The following computers" and only list the computers that you want to allow. Leave the list empty if you don't want to allow any.
Toni Uranjek (Consultant/Trainer) commented:
There is a setting in GPO which could help you. You can use "Deny logon locally" from Computer configuration\Windows settings\Security settings\Local policies\User rights assignment.

Jay_Jay70 commented:
Careful who you place in that policy; you can do some serious damage unless you are very clear on who you lock down.
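
One way to check, on a single client PC, who the "Deny logon locally" right from the GPO answer actually covers once the policy has applied. This is an added example, not code from any of the posters. It assumes an elevated PowerShell session on a domain-joined PC with the ActiveDirectory module (RSAT) installed; `spuser` is the account from the question.

```powershell
#Requires -Modules ActiveDirectory
param([string]$User = 'spuser')   # account name taken from the question

# Export only the user-rights section of this computer's effective security policy.
$cfg = Join-Path $env:TEMP 'user_rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$match = Select-String -Path $cfg -Pattern '^SeDenyInteractiveLogonRight\s*=\s*(.*)$' |
    Select-Object -First 1
Remove-Item $cfg -Force

if (-not $match) {
    Write-Warning "'Deny log on locally' is not defined on $env:COMPUTERNAME."
    return
}

# Entries are either "*<SID>" or a plain account name; normalise them all to SID strings.
$denied = @(foreach ($entry in ($match.Matches[0].Groups[1].Value -split ',')) {
    $entry = $entry.Trim()
    if (-not $entry) { continue }
    if ($entry.StartsWith('*')) { $entry.Substring(1) }
    else {
        try {
            [System.Security.Principal.NTAccount]::new($entry).Translate(
                [System.Security.Principal.SecurityIdentifier]).Value
        } catch { Write-Warning "Cannot resolve '$entry' to a SID." }
    }
})

# List every denied principal so an overly broad entry is visible at a glance.
foreach ($sid in $denied) {
    try {
        $name = [System.Security.Principal.SecurityIdentifier]::new($sid).Translate(
            [System.Security.Principal.NTAccount]).Value
    } catch { $name = '(unresolved)' }
    '{0,-48} {1}' -f $sid, $name
}

# The user's own SID plus every domain group SID in its token (nested groups included).
# Well-known SIDs such as Everyone are not in tokenGroups, so also read the list above.
$adUser   = Get-ADUser -Identity $User -Properties tokenGroups
$userSids = @($adUser.SID.Value) + @($adUser.tokenGroups | ForEach-Object { $_.Value })
$hits     = @($denied | Where-Object { $userSids -contains $_ })

if ($hits.Count) { "$User is denied local logon on $env:COMPUTERNAME via: $($hits -join ', ')" }
else             { "$User is NOT denied local logon on $env:COMPUTERNAME." }
```

Running it with `-User` set to an administrator or service account before linking the GPO widely shows whether that account would be caught by the same entry.
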
Question has a verified solution.
