Restrict logon on a pc to only one specific user

Posted on 2010-01-11
Medium Priority
Last Modified: 2012-08-14
I have one PC (Station1) that I need to restrict logon to only one specific domain user (User1) and of course Domain Admins. For all other PCs, any user can log on anywhere. What is the simplest way of implementing this?
Presently, all users are allowed to logon to any pc. Running SBS2003 with XP pc's.
Question by:ndidomenico

Accepted Solution

Kyosh earned 2000 total points
ID: 26283303
Use local security policy.
You didn't specify what OS the PC had but I believe this should be similar for most Windows installations:
Control Panel -> Administrative Tools -> Local Security Policy ->
Security Settings -> Local Policies -> User Rights Assignment -> Allow Logon Locally

Expert Comment

ID: 26283311
Oh, sorry, didn't notice that you said XP.
Should work nevertheless.

Author Comment

ID: 26284792
In the Logon Locally list, the following users are presently listed: Administrators, Backup Operators, Power Users, Users, Guest.
I suppose I would have to remove Users and Power Users, and insert User1?
Question 1: Does "Users" refer to domain users, or local users on that XP machine?
Question 2: Would default SBS2003 GPO override this setting?
Expert Comment

ID: 26284917
Those groups refer to the local groups, but if you have a look at the local groups you will see that the member of the local group user is probably Domain users.
Default GPO can override the setting if you've specified in the GPO another value for the policy.
But usually you specify in the default GPO that Domain Users are members of local group User and Domain Admins are members of local group Administrators.

To answer your question: Yes, remove Users and Power Users and insert User1.
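
To confirm what the "Allow log on locally" list actually contains after the change (and after the next Group Policy refresh), here is an added example that is not part of the original thread: it parses the `SeInteractiveLogonRight` line of a `secedit /export` file and compares it with an expected list. The domain name `EXAMPLE`, the function names and both sample lines are constructed for illustration; entries that are not built-in SIDs are compared exactly as written in the export.

```powershell
# Built-in group SIDs as they appear (prefixed with *) in a secedit export
$WellKnown = @{
    'S-1-5-32-544' = 'Administrators'
    'S-1-5-32-545' = 'Users'
    'S-1-5-32-546' = 'Guests'
    'S-1-5-32-547' = 'Power Users'
    'S-1-5-32-551' = 'Backup Operators'
}

# Return the principals that hold a user right in an exported security template
function Get-LogonRightHolders {
    param([string[]]$InfLines, [string]$Right = 'SeInteractiveLogonRight')
    foreach ($line in $InfLines) {
        if ($line -match "^\s*$Right\s*=\s*(.*)$") {
            foreach ($entry in $Matches[1].Split(',')) {
                $sid = $entry.Trim().TrimStart('*')
                if ($sid -eq '') { continue }
                # Map built-in SIDs to names; leave anything else untouched
                if ($WellKnown.ContainsKey($sid)) { $WellKnown[$sid] } else { $sid }
            }
        }
    }
}

# Compare the holders with the list you intend to have on this PC
function Test-LogonRight {
    param([string[]]$InfLines, [string[]]$Allowed)
    $holders = @(Get-LogonRightHolders -InfLines $InfLines)
    New-Object PSObject -Property @{
        Unexpected = @($holders | Where-Object { $Allowed -notcontains $_ })
        Missing    = @($Allowed | Where-Object { $holders -notcontains $_ })
    }
}

# Constructed samples: the exported line before and after the edit described above.
# On the real PC, produce the lines with:
#   secedit /export /cfg "$env:TEMP\rights.inf" /areas USER_RIGHTS
#   $lines = Get-Content "$env:TEMP\rights.inf"
$before = @('[Privilege Rights]',
    'SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-551,*S-1-5-32-547,*S-1-5-32-545,Guest')
$after  = @('[Privilege Rights]',
    'SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-551,Guest,EXAMPLE\User1')

$expected = 'Administrators', 'Backup Operators', 'Guest', 'EXAMPLE\User1'
Test-LogonRight -InfLines $before -Allowed $expected | Format-List
Test-LogonRight -InfLines $after  -Allowed $expected | Format-List
```

If a domain GPO defines this right, the export reflects the GPO's value rather than the local edit, so a non-empty `Unexpected` list after a policy refresh points to an overriding GPO.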

Author Comment

ID: 26285178
In AD, the "Log On To..." setting (Server Management, Users, selected user, Account tab) for all users is set to "This user can log on to: All Computers". Will this setting override any local setting I would make on that specific PC the way you suggested earlier?

Expert Comment

ID: 26285252
That setting just restricts that given user from logging into any other computers, it does not restrict others from logging into that same computer.

To answer your question: No, that setting will not override any local settings in the way I suggested earlier.

Author Comment

ID: 26285296
Last question before closing this post. If we wanted to restrict each PC to a specific user, should we use the local policy method discussed in this question, or rather use AD and specify in the Account tab to which PC a user has the right to log on? (or a GPO?)

Expert Comment

ID: 26286153
That would have to be your choice, you have the choice between:
- AD: Define pc's each user can log on to
- Local: Define users that can log on to each PC.

What works best for you?

I would suggest the Local option if all PCs are easily accessible (ex. in the same building).
If your pc's are located at a remote site it would probably be easier for you to restrict access via AD.

Question has a verified solution.