Prevent an AD account from logging into Client PCs

I need to find some way to prevent Active Directory users from being able to log into client PCs while still retaining domain user status (so they can log into our SharePoint portal, which is exposed to the outside via AD accounts).

Example:

I have a user account spuser that is only a part of Domain Users. I've denied it Terminal Services access and it's not a part of any other security groups, but it can still log into a PC on our network. That's the last security hole I need to close.
craskin asked:
 
amit_g commented:
In Active Directory you could restrict users to be able to log on to just a few computers. Open Active Directory and go to the properties of the user. Go to the Account tab and click on the logon button. Change the default setting of All computers to the following computer and only list the computers that you want to allow. Leave the list empty if you don't want to allow any.
 
Toni Uranjek (Consultant/Trainer) commented:
There is a setting in GPO which could help you. You can use "Deny logon locally" from Computer configuration\Windows settings\Security settings\Local policies\User rights assignment.

 
Jay_Jay70 commented:
Careful who you place in that policy; you can do some serious damage unless you are very clear on who you lock down.
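
One way to check the "Deny logon locally" setting discussed in the answers above once it has applied to a client PC, as an added example that is not part of the original thread: it exports the user rights assignments with secedit, lists who is denied interactive logon, and flags broad groups. The function name Get-DenyLocalLogon and the set of groups treated as too broad are assumptions; spuser is the account from the question.

```powershell
# Added example (not from the thread). Run elevated on a client PC after the GPO applies.
function Get-DenyLocalLogon {
    param([string]$Account = 'spuser')   # account name taken from the question

    $cfg = Join-Path $env:TEMP 'user_rights.inf'
    # Export only the user rights assignments currently in effect on this computer
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    # Stored as: SeDenyInteractiveLogonRight = *S-1-5-...,*S-1-5-...,SomeName
    $hit = Select-String -Path $cfg -Pattern '^SeDenyInteractiveLogonRight\s*=\s*(.*)$' |
           Select-Object -First 1
    Remove-Item $cfg -ErrorAction SilentlyContinue
    if (-not $hit) { Write-Warning 'Deny log on locally is not assigned to anyone here.'; return }

    # Everyone, Authenticated Users, BUILTIN\Administrators, BUILTIN\Users (assumed "too broad")
    $broadSids = @('S-1-1-0', 'S-1-5-11', 'S-1-5-32-544', 'S-1-5-32-545')
    foreach ($entry in $hit.Matches[0].Groups[1].Value.Split(',')) {
        $entry = $entry.Trim()
        if (-not $entry) { continue }
        $sid = $null
        $name = $entry
        if ($entry.StartsWith('*')) {
            # Entries prefixed with * are SIDs; translate them to DOMAIN\name where possible
            $sid = $entry.TrimStart('*')
            try {
                $sidObj = New-Object System.Security.Principal.SecurityIdentifier($sid)
                $name = $sidObj.Translate([System.Security.Principal.NTAccount]).Value
            } catch {
                $name = '(unresolved SID)'
            }
        }
        [pscustomobject]@{
            Name           = $name
            Sid            = $sid
            # Domain Admins and Domain Users are the domain SID plus RID 512 / 513
            TooBroad       = ($broadSids -contains $sid) -or ($sid -match '^S-1-5-21-.+-(512|513)$')
            MatchesAccount = ($name -eq $Account) -or ($name -like "*\$Account")
        }
    }
}

Get-DenyLocalLogon -Account 'spuser' | Format-Table -AutoSize
```

MatchesAccount only shows a direct listing; an account denied through a group appears under that group's name. Any row with TooBroad set is the kind of entry the last comment warns about.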