Solved

How to restrict logon to a PC

Posted on 2009-12-22
Last Modified: 2012-05-08
Hey all, we have an AD environment (Win 2k3) here and our machines are on XP... is there a way in AD (or local policies) to restrict access to a PC so that only certain users can log onto that PC?

Example:
PC1, only userA and userB should be able to log onto it

Thanks
Question by:dealstrike

21 Comments
 
LVL 11

Accepted Solution

by:
ICaldwell earned 800 total points
ID: 26105349
Create a group in AD and put everyone in it that should be able to log on to that machine.
Then on that particular machine open the Local Security Policy and, on the User Rights node, remove Authenticated Users (or Everyone, or both) from ALLOW LOGON LOCALLY and put your group in there.

This way only members of that group are allowed to log on locally to that machine.

-----------------------

You can configure the local Group Policy in

CompConf\Windows Settings\Security Settings\Local Policies\User Rights Assignment\ - Log on locally.

Put the users that are allowed to log on at that machine in there. Remove the others. Be sure not to lock yourself out... try not to use the "Deny log on locally" permission.
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 26105354
Yes, in Active Directory Users and Computers you can go in and set logon to only certain computers... let me fire up my test lab here and I'll follow up with a screenshot for you.
Thanks
Mike
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 26105368
Just realized my answer was the reverse of the question... I was thinking user1 only logs on to PC1 and PC2.
Caldwell is leading you on the right path for your requirements.
Thanks
Mike
0
 

Author Comment

by:dealstrike
ID: 26105376
mkline71... I know that method... but then I have to set it up for everyone... I just want the rules and policies to be PC-based preferably; this way I only have to manage the PC policies and not create logon policies for every user.
Thanks
0
 
LVL 7

Expert Comment

by:ARK-DS
ID: 26105524
Hi,

If you have multiple machines on which you have to perform the same action, you can also put the machines in an OU and then create and link a GPO with the same setting that Caldwell has mentioned.

Thanks,

Arun.
0
 

Author Comment

by:dealstrike
ID: 26105530
Won't this affect any other group policies we have in place?
0
 
LVL 11

Expert Comment

by:ICaldwell
ID: 26105691
Yes, this would change the group policy you have in place... This is not something most users want; usually if they are on your domain you want them to have access somewhere within your network, not just from a specific computer...

One alternative would be to create a login script which checks the computer name and validates the user for that computer... also a messy solution... I would go with the first solution if anything. I know it's a pain to block users to a specific computer, but it's one of the easiest ways without changing a lot in your AD....
0
 
LVL 21

Expert Comment

by:farazhkhan
ID: 26111043
Hi,

You need to create a GPO and apply it to the PC(s).
In the GPO under Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment add the group of users you want to be able to login locally.

Enable the following settings:
Allow logon locally - your user group.
Allow logon through Terminal Services - your user group

After this, you need to define the deny logon locally.

Check the check box to "define settings", then remove any entries that are present.

That's right, you WANT to define the settings but have NO entries.

Enable the following settings:
Deny logon locally - Define but no entries.
Deny logon through Terminal Services - Define but no entries

By doing this only the group of users you specify will be able to login to the workstation. Nobody else will be able to login to the workstation.

Courtesy: http://forums.windowsitpro.com/web/forum/messageview.aspx?catid=50&threadid=47826&STARTPAGE=1

Regards,
Faraz H. Khan
0
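The same verification applies to ICaldwell's local-policy steps and to farazhkhan's GPO version above: after the change, export the effective local policy and confirm that only the intended group (plus Administrators) holds "Allow log on locally" and that nothing in "Deny log on locally" undoes it. This is an added example, not code from anyone in the thread; it assumes the policy was exported with `secedit /export /cfg`, and the INF excerpts and group SID inside it are constructed placeholders.

```python
"""Audit 'Allow/Deny log on locally' in a secedit export (added example).
On the workstation run `secedit /export /cfg C:\\policy.inf` and pass the
file's text to check_logon_rights(). The INF excerpts and the domain group
SID below are constructed placeholders, not values from the thread.
"""
# Well-known SIDs as they appear (prefixed with '*') in a secedit export.
EVERYONE, AUTH_USERS = "S-1-1-0", "S-1-5-11"
ADMINISTRATORS, USERS = "S-1-5-32-544", "S-1-5-32-545"
ALLOW = "SeInteractiveLogonRight"      # "Allow log on locally"
DENY = "SeDenyInteractiveLogonRight"   # "Deny log on locally"

def parse_privilege_rights(inf_text):
    """Return {right: set(principals)} from the [Privilege Rights] section."""
    rights, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
        elif in_section and "=" in line:
            name, _, value = line.partition("=")
            rights[name.strip()] = {p.strip().lstrip("*") for p in value.split(",") if p.strip()}
    return rights

def check_logon_rights(inf_text, group_sid):
    """Return findings; an empty list means only group_sid (plus Administrators) can log on."""
    rights = parse_privilege_rights(inf_text)
    allow, deny = rights.get(ALLOW, set()), rights.get(DENY, set())
    findings = []
    if group_sid not in allow:
        findings.append("intended group missing from Allow log on locally")
    # Broad principals left in the allow list defeat the restriction; on a
    # domain-joined XP box the local Users group contains Domain Users.
    for sid, label in ((EVERYONE, "Everyone"), (AUTH_USERS, "Authenticated Users"), (USERS, "Users")):
        if sid in allow:
            findings.append(f"{label} still in Allow log on locally")
    if ADMINISTRATORS not in allow:
        findings.append("Administrators not in Allow log on locally (lockout risk)")
    # Deny is evaluated before Allow, so a deny entry covering an allowed principal locks it out.
    if deny & {group_sid, ADMINISTRATORS, EVERYONE, AUTH_USERS}:
        findings.append("Deny log on locally covers an allowed principal (lockout risk)")
    return findings

PC1_GROUP = "S-1-5-21-1111111111-2222222222-3333333333-1105"  # placeholder group SID
# Constructed: XP default allow list with the group added alongside the defaults.
BEFORE_INF = "[Privilege Rights]\nSeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545,*S-1-5-32-551,*" + PC1_GROUP + "\n"
# Constructed: allow list trimmed to Administrators plus the group; deny defined but empty.
AFTER_INF = "[Privilege Rights]\nSeInteractiveLogonRight = *S-1-5-32-544,*" + PC1_GROUP + "\nSeDenyInteractiveLogonRight =\n"

if __name__ == "__main__":
    for label, inf in (("before", BEFORE_INF), ("after", AFTER_INF)):
        print(label, check_logon_rights(inf, PC1_GROUP) or ["OK"])
```

A user right defined in a GPO replaces the machine's local list rather than merging with it, so the GPO entry must list Administrators alongside the group or the check above will report the lockout risk.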
 

Author Comment

by:dealstrike
ID: 26112892
Thanks farazhkhan... is there anything I need to be careful about? Like other policies that may not be assigned to them anymore since the users were put into a new group?
0
 
LVL 1

Assisted Solution

by:fadihaddad
fadihaddad earned 800 total points
ID: 26115554
Through Active Directory Users and Computers, edit the properties of the user and choose the option to only log on to the following computers.
0
 

Author Comment

by:dealstrike
ID: 26117381
fadihaddad... I know that method... but then I have to set it up for everyone... I just want the rules and policies to be PC-based preferably; this way I only have to manage the PC policies and not create logon policies for every user.
Thanks
0
 
LVL 1

Expert Comment

by:fadihaddad
ID: 26117883
If I understand correctly you prefer to do this PC-based for multiple PCs, so you can use a script to modify the local security policy on each PC for the setting "Log on locally".
Go to Security Settings, Local Policies, User Rights... double-click Log on locally in the right pane,
grouped by denied users or denied group.

If you want to do it via GPO:
Create a Security Group and add the appropriate users to the group.
Place all the computers that you want to restrict the users from logging on to into an OU. (If it is all the computers you can just link the GPO to the domain; same thing with a Site.)
In a GPO, configure Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Deny log on locally and add the group that you created.
Link the GPO to the OU, Domain, or Site.
0
 

Author Comment

by:dealstrike
ID: 26119037
No, we just want to do this for ONE pc so that only two users can log onto it and no one else...thanks for your help
0
 
LVL 11

Expert Comment

by:ICaldwell
ID: 26134987
dealstrike, follow my first post and that will complete exactly what you are asking for... this will only apply to that one machine and not others within your organization....
0
 
LVL 1

Expert Comment

by:fadihaddad
ID: 26137204
It can be done via local user policy on that machine to allow only the two users and deny all other users.

It can also be done, if the users will not log on to other PCs, on the properties of the user in Active Directory Users and Computers.

Hope this solves your issue.
0
 

Author Comment

by:dealstrike
ID: 26137329
Thank you both. fadihaddad... I see your directions above for disabling local login, but then how can I allow the two users to log on to that PC?
0
 
LVL 1

Expert Comment

by:fadihaddad
ID: 26152045
Add to Deny all the users that don't have permission (make a group) and add the two users to Allow logon.
0
 

Author Comment

by:dealstrike
ID: 26176124
Thanks fadihaddad... so far I have done this:
Created a Security OU, put the two PCs in there
I went into group policy editor and am stuck as to where to create the GP and how to link it...
0
 
LVL 1

Expert Comment

by:fadihaddad
ID: 26177992
Use the Group Policy Management tools to create and link the GP on the OU that you have created.
0
 

Author Comment

by:dealstrike
ID: 26191787
Ok, so far I have done:
Created a security group and put the users in it.
Created an OU and put the computer in it.
Went into GP Management, created a GP and went to computer config\windows settings\security settings\local policies\user rights assignment\, went into 'Allow logon locally' and added the previously created security group there... and that's it. I didn't do anything with 'Deny logon locally'; do I need to do anything there?
Also, how do I push the policy out to the desktop? Is there a place to check how often policies get pushed out by default?
Thanks
0
 
LVL 57

Assisted Solution

by:Mike Kline
Mike Kline earned 400 total points
ID: 26191858
Group policy refreshes every 90 minutes with a 30 minute offset.
Security settings are refreshed every 16 hours even if the GPO hasn't changed.
http://technet.microsoft.com/en-us/library/cc758898%28WS.10%29.aspx
 
So now that you have the policy in place and you are happy and want to affect more machines you link it to your OU that holds your computers (if you have your AD setup that way)
Thanks
Mike
 
 
0