
How to restrict access to a PC to certain users via SBS 2003

I need help working on an SBS 2003 (Server 2003) domain network.

I want to configure it so that only certain users can access a PC that uses an SBS 2003 (Server 2003) domain network. There are four of these users.

I want to make it so that all other users cannot use this PC to log on locally or to the domain.

There are several users I want to restrict access to this PC from, and several computers on the network. Going to each user profile and adding all the other computers through the "Log on to" would be an administrative nightmare, now and when new computers are added to the domain.

Is there a way to do this?

Thank you.

1 Solution
You can do this via AD and Group Policy

Open the user's object properties, go to the Account tab, choose the "logon to" button, and choose what they can/can't log on to via the domain.

Group Policy:

Create a security group and add the users you want to this group (this can be done locally or via the domain; just do it locally for each machine if you want to go the all-local route).

"In the GPO under Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment, add the group of users you want to be able to log in locally.

Enable the following settings:
Allow logon locally - your user group.
Allow logon through Terminal Services - your user group

After this, you need to define the deny logon locally.

Check the check box to "define settings", then remove any entries that are present.

That's right, you WANT to define the settings but have NO entries.

Enable the following settings:
Deny logon locally - Define but no entries.
Deny logon through Terminal Services - Define but no entries"

Maniac_47, your first option will not apply, as he wants to deny access for all users except 4.
The first option you gave will make the users log in to that system only, but others will also be able to log in along with the four, so the result will not be achieved.
Create a new OU and a new GPO, move the 4 computers, and modify the new GPO policy under
Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment.
Remove everyone from login locally and through remote or terminal services.
Adding the 4 users or the group you have created will achieve the desired result.

Run gpupdate /force on the server; the client system may require a reboot, as settings made in computer configuration will not apply without a restart.
Also, the four machines need to be rebooted.
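
To confirm that the policy described in the replies above actually landed on the restricted PC, the User Rights Assignment can be exported there with `secedit /export /cfg rights.inf /areas USER_RIGHTS` and checked. The following is an added example, not part of the original thread; the group SID and the sample export are constructed, and the four privilege names are the internal constants behind the "Allow/Deny logon locally" and "through Terminal Services" settings.

```python
# Audit a secedit USER_RIGHTS export (decode the real file first; secedit usually writes UTF-16).
ALLOW = ("SeInteractiveLogonRight", "SeRemoteInteractiveLogonRight")
DENY = ("SeDenyInteractiveLogonRight", "SeDenyRemoteInteractiveLogonRight")

def parse_privilege_rights(inf_text):
    """Return {right: set(accounts)} from the [Privilege Rights] section."""
    rights, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
            continue
        if in_section and "=" in line:
            name, _, value = line.partition("=")
            rights[name.strip()] = {
                a.strip().lstrip("*").casefold() for a in value.split(",") if a.strip()
            }
    return rights

def audit_logon_rights(inf_text, allowed):
    """List deviations from: allow rights == allowed accounts, deny rights empty."""
    rights = parse_privilege_rights(inf_text)
    expected = {a.lstrip("*").casefold() for a in allowed}
    findings = []
    for right in ALLOW:
        if right not in rights:
            findings.append(f"{right}: not defined")
            continue
        actual = rights[right]
        findings += [f"{right}: unexpected {a}" for a in sorted(actual - expected)]
        findings += [f"{right}: missing {a}" for a in sorted(expected - actual)]
    for right in DENY:  # an absent deny right is treated the same as an empty one
        findings += [f"{right}: should be empty, has {a}" for a in sorted(rights.get(right, ()))]
    return findings

# Constructed sample export: the group SID is made up; S-1-5-32-545 is BUILTIN\Users.
GROUP = "S-1-5-21-1111111111-2222222222-3333333333-1105"
SAMPLE = f"""[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *{GROUP},*S-1-5-32-545
SeRemoteInteractiveLogonRight = *{GROUP}
SeDenyInteractiveLogonRight =
"""

if __name__ == "__main__":
    print("\n".join(audit_logon_rights(SAMPLE, [GROUP])))
```

An empty result means only the intended group holds both logon rights and no deny entries are present; any other account listed under an allow right is reported as unexpected.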
akus1 (Author) Commented:
Thank you.
