Want to allow users to logon only to certain computers.

I am looking to grant access to a generic lab user account to be able to logon only to one of our many lab computers.  I know I can use the sub "Logon To" tab under the user "Account" tab in ADUC to do this, but it appears that I can only add 1 PC at a time.  We have 100's of lab PCs, so I am looking for a way to do this through a text file, or some other process.

Who is Participating?
DecKenConnect With a Mentor Commented:
How about doing the following:

Place all the Lab workstations into one OU in Active Directory (eg Domain\Lab Workstations).
Add your generic Lab account into a new OU such as Domain\Lab Accounts
Remove the Lab account from Domain\Domain Users group
Edit group policy for Domain\Lab Workstations to include Domain\Lab Accounts in the User group of all workstations in that OU

This will mean the generic account should be able to log into all Workstatins in that OU and not log into any other workstations in the domain.
AnthonyP9618Connect With a Mentor Commented:
A true lab should be completely separate from your production network, but I understand that this is not possible in all situations.  However, if you can... please, please, please keep them separate.

Here's what I would do....

Move the machines to their own OU, it would probably make sense to create the new OU somewhere under the current location of your Domain Computers.  For example, if your Domain Computers are located at contoso.com\Managed Computers, you would create a Lab OU at contoso.com\Managed Computers\Lab.  The reason for this is so that we can use inheritance.

Create a new GPO and link it to the new OU and give it a descriptive name.

Edit the GPO, under the User Rights Assignment, set the "Log On Locally" policy and only add the accounts you want to login to the computers you just moved to the Lab OU.  

When the computers finally get the policy updates, only the user accounts you added to the "Log on Locally" policy will be able to logon to the computer.  I would also suggest that you add an Administrative group to the same policy as well.  Domain Admins, or Lab Administrators...

Hope that helps.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.