How to prevent some user accounts to login certain computers

Posted on 2011-04-29
Last Modified: 2012-05-11

I have around 1000 student accounts and I dont want them to login on some computers in AD Environment. For example;
User1 should not login on Computer A, Computer B, Computer C, Computer D but can login the rest of computers.

How can I do that?
Question by:teomcam
    LVL 7

    Accepted Solution

    Create a group, add these users to this group. Configure a group policy which applies to the computers on which you do not want the users to logon by using the Deny logon locally option in:
    Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Deny logon locally
    add the group to this setting
    LVL 8

    Author Comment

    I'll try asap and will get back tou you.
    LVL 26

    Assisted Solution

    I would create a new global group with all the allowed users for Computers A~D (let's call it AllowedTeacherComputerAccess).
    Drop those computers into their own OU.
    Set a GPO that removes the Authenticated Users global group from those machines Users group
    Same GPO adds AllowedTeacherComputerAccess global group to the those machines' local Users group.

    LVL 1

    Expert Comment


    u can do that bu assigning the users the computers they can logon to.

    the local security policy of each workstation there is an entry called "Log On Locally". add the groups you want to allow to login to that computer and remove those you don't.


    long way out you can do

    Active Directory Users and Groups -> Users -> Username -> Properties -> Account -> Log On To

    then type the names of the computers the user is allowed to logon from. in

    which ever way you are comfirtable with
    LVL 21

    Expert Comment

    by:Joseph Moody
    Are these computers teacher computers? If so, set up 802.1X. This allows you to automatically assign computers to different vlans (ex: Teacher VLAN) if the user belongs to a security group.
    LVL 8

    Author Comment

    Aprx 450 computers we have and there is a general student account. From Prep to Grade 12 everyone was using this account. Now I started creating individual student account for per student starting from Grade 12-11-10-9-8.... But especially Grade 12 and Grade 11 students, to be anonymous they still using generic student account. I cannot remove that generic account because prep classes using it and they abviously not ready to use their won accoutn at the moment. Thats why I wanna block general student account on the computers which located in Grade 12-11s classrooms and IT Labs. We are allowing the students using teacher computers by teacher permission with their own account.
    LVL 21

    Expert Comment

    by:Joseph Moody
    I say go with what ashutoshsapre said. After creating the policy, create a security group called something like Limited Logon Computers and scope the policy to that GPO. Then, you can add and remove computers as you need to.

    Write Comment

    Please enter a first name

    Please enter a last name

    We will never share this with anyone.

    Featured Post

    IT, Stop Being Called Into Every Meeting

    Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

    Sometimes drives fill up and we don't know why.  If you don't understand the best way to use the tools available, you may end up being stumped as to why your drive says it's not full when you have no space left!  Here's how you can find out...
    Find out how to use Active Directory data for email signature management in Microsoft Exchange and Office 365.
    This tutorial will walk an individual through configuring a drive on a Windows Server 2008 to perform shadow copies in order to quickly recover deleted files and folders. Click on Start and then select Computer to view the available drives on the se…
    This tutorial will walk an individual through setting the global and backup job media overwrite and protection periods in Backup Exec 2012. Log onto the Backup Exec Central Administration Server. Examine the services. If all or most of them are stop…

    760 members asked questions and received personalized solutions in the past 7 days.

    Join the community of 500,000 technology professionals and ask your questions.

    Join & Ask a Question

    Need Help in Real-Time?

    Connect with top rated Experts

    11 Experts available now in Live!

    Get 1:1 Help Now