locking an account to a computer

Hi guys,

I'm not sure if I'm in the correct section, but here we go.

Where I work, we are installing 2 computers in the canteen, so people can STRICTLY browse the web and use Microsoft Office. I've created a new OU and created a couple of accounts for these new computers so our proxy policy can be more strict on what users can access. I started to create the group policy when something hit me: the user could just log off the new account and use their own account, and it will be just as open as before.

What I'm asking is, is there any way I can lock these 2 new domain user accounts to ONLY these 2 computers?

I did think about disabling logging off, but if the computer needs some admin-ing, that would work.

We are using Windows Server 2003 and Windows XP.

There must be a way, surely.

Hope someone can help/advise (and sorry the explanation started to sound like a story a bit).

Kind regards,

jack lindsay

Hey Jack,

Give the following a try:

1. Create a Group Policy in the domain.
2. Go to Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment
3. Edit "Allow log on locally" to contain the groups/users you want to be able to log on.
4. Close the GP and apply it to an OU containing the computers you want to secure.

Let me know how you make out :)

Don (Network Administrator) commented:
Actually, all you have to do is, in ADUC, go to the user's "Account" tab and click "Log on to".
Then add the computers that these accounts are allowed to log on to.
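The "Log on to" button writes the user's userWorkstations attribute, a comma-separated list of NetBIOS computer names the account may log on to; the domain controller enforces it at authentication. The script below is an added example, not code from this thread, that sets the same attribute through ADSI so it can be scripted for several accounts at once. It can run on the 2003 DC or any domain-joined machine with Windows PowerShell; the DNs and computer names are assumptions for the example.

```powershell
# Added example (not from the thread): script the ADUC "Log on to..." setting
# by writing the userWorkstations attribute directly. Distinguished names and
# computer names below are assumptions; substitute your own.

$accounts = @{
    'CN=kiosk1,OU=Canteen,DC=canteen,DC=local' = 'CANTEEN-PC1'
    'CN=kiosk2,OU=Canteen,DC=canteen,DC=local' = 'CANTEEN-PC2'
}

foreach ($dn in $accounts.Keys) {
    $user = [ADSI]"LDAP://$dn"

    # The value is one string of NetBIOS names separated by commas,
    # e.g. "CANTEEN-PC1,CANTEEN-PC2". An empty value means "All computers"
    # (the default), so clearing the attribute removes the restriction.
    $user.Put('userWorkstations', $accounts[$dn])
    $user.SetInfo()

    # Re-read from the directory rather than trusting the local ADSI cache.
    $check = [ADSI]"LDAP://$dn"
    "$($check.sAMAccountName) may log on to: $($check.userWorkstations)"
}
```

This restricts where the account can log on; it says nothing about who else can log on to the kiosk PCs, which is what the User Rights Assignment settings in the other answers control. The two are complementary: userWorkstations stops the kiosk accounts wandering to other machines, the Deny/Allow logon rights stop other accounts using the kiosks.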

Hey dstewartjr:

I was considering that as a possible solution; however, I don't understand how that would restrict others from logging into the machine, as you are not creating a deny list. My understanding is that by setting the GPO setting it's actually acting as an override, denying authenticated users from logging in and only allowing those in the list.

Does the "Log on to" option do this same thing? If it does, then that's awesome; it will make this easier for myself to configure in the future, as I have been using the GPO method.


Don (Network Administrator) commented:
Looks like I only answered this part: "is there anyway i can lock these 2 new domain user accounts to ONLY these 2 computers?"
I believe you will also need to define these settings as well.
Enable the following settings:
Deny log on locally - Define but no entries.
Deny log on through Terminal Services - Define but no entries.

I think the easiest way would be to create a Security Group that contained only the accounts that you do NOT want to be able to log into those PCs. This might be tricky, as nested groups might end up including admin accounts, etc.
Then you'd use the Deny log on locally right with that group.
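The "Allow log on locally" answer above and the Deny rights in this one are the same mechanism seen from two sides, and the thing that goes wrong in practice is either that the policy never reached the machine or that the deny group quietly contains an administrator (Deny always wins over Allow, so that locks everyone out). The script below is an added example, not code from this thread, to run as an administrator on one of the kiosk PCs after gpupdate /force: it exports the effective user rights with secedit, resolves the SIDs back to names, compares them with the intended configuration, and flags any administrator group sitting in a Deny right. The domain, account and group names are assumptions; the secedit right names (SeInteractiveLogonRight and so on) are the real ones behind the GPO editor labels.

```powershell
# Added example (not code from the thread). Run as an administrator on a kiosk
# PC after "gpupdate /force" to confirm that the User Rights Assignment the GPO
# is supposed to deliver has actually arrived. Domain, account and group names
# are assumptions for the example; substitute your own.

$domain  = 'CANTEEN'                                  # assumed NetBIOS domain name
$kiosks  = @("$domain\kiosk1", "$domain\kiosk2")      # assumed canteen accounts
$denyGrp = "$domain\test1"                            # assumed deny group from the thread
$admins  = 'BUILTIN\Administrators'                   # what S-1-5-32-544 resolves to

# Export only the user-rights area of the effective local security policy.
# secedit writes the file as UTF-16, hence -Encoding Unicode when reading it.
$inf = Join-Path $env:TEMP 'effective-rights.inf'
& "$env:SystemRoot\system32\secedit.exe" /export /cfg $inf /areas USER_RIGHTS | Out-Null

# Entries look like "*S-1-5-32-544,CANTEEN\kiosk1": a * prefix marks a SID,
# which is translated back to a name so the report is readable and comparable.
function Resolve-Entry([string]$entry) {
    if (-not $entry.StartsWith('*')) { return $entry }
    try {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.Substring(1))
        return $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        return $entry        # orphaned SID (deleted account): keep it raw so it still shows
    }
}

$rights = @{}
foreach ($line in (Get-Content $inf -Encoding Unicode)) {
    if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
        $rights[$matches[1]] = @($matches[2].Split(',') | ForEach-Object { Resolve-Entry $_.Trim() })
    }
}

# The rights the thread configures, keyed by their secedit names.
$wanted = @{
    'SeInteractiveLogonRight'           = @($admins) + $kiosks         # Allow log on locally
    'SeRemoteInteractiveLogonRight'     = @("$domain\Domain Admins")   # Allow log on through Terminal Services
    'SeDenyInteractiveLogonRight'       = @($denyGrp)                  # Deny log on locally
    'SeDenyRemoteInteractiveLogonRight' = @($denyGrp)                  # Deny log on through Terminal Services
    'SeDenyServiceLogonRight'           = @($denyGrp)                  # Deny log on as a service
}

$problems = 0
foreach ($right in $wanted.Keys) {
    $have    = @($rights[$right])
    $missing = @($wanted[$right] | Where-Object { $have -notcontains $_ })
    if ($missing.Count -gt 0) {
        $problems++
        "MISSING  $right : $([string]::Join(', ', [string[]]$missing))   (policy not applied, or GPO not linked here)"
    } else {
        "OK       $right : $([string]::Join(', ', [string[]]$have))"
    }
}

# Deny beats Allow. If an admin group ends up in a Deny right, directly or via a
# group nested inside the deny group, nobody can service the machine. The direct
# case is checked here; nesting has to be checked in ADUC.
foreach ($right in ($rights.Keys | Where-Object { $_ -like 'SeDeny*' })) {
    foreach ($acct in $rights[$right]) {
        if ($acct -eq $admins -or $acct -eq "$domain\Domain Admins") {
            $problems++
            "DANGER   $right contains $acct - administrators would be locked out"
        }
    }
}

Remove-Item $inf -ErrorAction SilentlyContinue
if ($problems -eq 0) { 'All logon rights match the intended policy.' }
```

If a right shows as MISSING the GPO has not reached the machine (wrong OU link, or the computer has not refreshed policy yet); if everything shows OK and a denied account can still log on, check the group's actual membership in ADUC, since the deny is evaluated against the groups in the user's token at logon.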
jack-lindsay (Author) commented:
Thanks for all the replies. I'll try this out when I'm back at the office, and I'll let you know which way works.

thanks again

jack-lindsay (Author) commented:
Hi guys,

Right then.

I've done the bit with the ADUC accounts.
Where I'm having problems is denying other accounts the right to log on.

Here's what I've done.
In User Rights Management:
Set Allow log on locally - admin account
Allow log on through Terminal Services - Domain Admins only

Deny log on locally - domain\test1 (a test group I made in another OU)
Deny log on as a service - domain\test1
Deny log on through Terminal Services - domain\test1

But I can still log on to the machine with the "test" account. I've done countless restarts. Am I missing something here? I would have thought that with all those settings configured, at least the test account wouldn't log in.

Please advise


Hmm... that should have done it.
I'd recommend that you check everything again, particularly the contents of your test1 group.
jack-lindsay (Author) commented:
I think I've sussed it out.

These computers are wireless, so they weren't pulling down the computer configuration before the interactive logon bit. I had to physically connect it, and now it works. Bit of a pain, but oh well.

If you know a way I can set it to pull down that part of the GP before the interactive logon, that would be very helpful; otherwise I will just have to leave it as it is. It still works as I want it to. It's just that if I have to change anything on the computer config, I have to hardwire it to pull the update down.

Thanks for all your help


Hey Jack, you could try configuring the following:

Computer Config -> Admin Templates -> System -> Group Policy -> User Group Policy Loopback Processing Mode.

Set it to Enabled and Merge.

Run a gpupdate /force and restart the computers in question. This should force the computer-based policy to execute on user logon.
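Two caveats a practitioner would want alongside that answer. Loopback processing changes which user-side settings apply on the kiosk (with Merge, the user settings of the GPOs linked to the computer's OU are applied on top of the user's own), but the User Rights Assignment settings are computer-side and are applied whenever the computer processes policy, so loopback does not by itself make them arrive earlier. The setting that addresses the "pull it down before the interactive logon" question is Computer Configuration -> Administrative Templates -> System -> Logon -> "Always wait for the network at computer startup and logon", which makes Winlogon process policy synchronously instead of showing the logon prompt with whatever was cached; a wireless client that is not yet associated when the prompt appears will still fall back to cached policy if its connection is not up by then. The script below is an added example, not code from this thread, to run on a kiosk PC after gpupdate /force and a reboot: it reads the registry values the two policies write, and lists which GPOs the computer actually applied. The registry paths are the ones the policies write to; there are no other assumptions.

```powershell
# Added example (not code from the thread). Run on a kiosk PC to see whether
# loopback processing and "Always wait for the network" are in force, and which
# GPOs the computer actually received. Registry paths are those the policies write.

function Get-PolicyDword([string]$path, [string]$name) {
    $item = Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue
    if ($item) { return $item.$name } else { return $null }
}

# User Group Policy loopback processing mode: 1 = Replace, 2 = Merge, absent = not configured.
$loopback = Get-PolicyDword 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System' 'UserPolicyMode'

# "Always wait for the network at computer startup and logon": 1 = enabled.
# Without it, a client that starts without a network connection (typical for
# wireless) shows the logon prompt using cached policy and picks up new
# computer settings only at a later background refresh.
$waitNet = Get-PolicyDword 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon' 'SyncForegroundPolicy'

switch ($loopback) {
    2       { 'Loopback processing: Merge' }
    1       { 'Loopback processing: Replace' }
    default { 'Loopback processing: not configured' }
}
if ($waitNet -eq 1) { 'Always wait for the network: enabled' }
else                { 'Always wait for the network: NOT enabled (policy may be stale at logon)' }

# Which GPOs the computer actually applied, taken from the "Applied Group Policy
# Objects" block of gpresult's computer-scope output (the block ends at the next blank line).
function Get-AppliedComputerGpos {
    $lines = & "$env:SystemRoot\system32\gpresult.exe" /scope computer
    $inSection = $false
    $seen = $false
    foreach ($l in $lines) {
        if ($l -match 'Applied Group Policy Objects') { $inSection = $true; continue }
        if (-not $inSection) { continue }
        if ($l.Trim() -eq '' -or $l -match '^\s*-+\s*$') {
            if ($seen) { break } else { continue }   # skip the dashed underline, stop at the blank line
        }
        $seen = $true
        $l.Trim()
    }
}

'Applied computer GPOs:'
Get-AppliedComputerGpos | ForEach-Object { "  $_" }
```

If the kiosk GPO is absent from the list after a wired reboot, the problem is linking or security filtering rather than timing; if it appears only after a wired reboot and not a wireless one, it is the startup ordering the author ran into, and the "Always wait for the network" policy is the first thing to try.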