• Status: Solved

How to prevent some user accounts from logging in to certain computers


I have around 1000 student accounts and I don't want them to log in on some computers in an AD environment. For example:
User1 should not log in on Computer A, Computer B, Computer C, Computer D but can log in on the rest of the computers.

How can I do that?
2 Solutions
Create a group and add these users to this group. Configure a group policy which applies to the computers on which you do not want the users to log on by using the Deny logon locally option in:
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Deny logon locally
Add the group to this setting.
teomcam (Author) Commented:
I'll try ASAP and will get back to you.
I would create a new global group with all the allowed users for Computers A~D (let's call it AllowedTeacherComputerAccess).
Drop those computers into their own OU.
Set a GPO that removes the Authenticated Users global group from those machines' Users group.
The same GPO adds the AllowedTeacherComputerAccess global group to those machines' local Users group.


Vishant Gupta Commented:

You can do that by assigning the users the computers they can log on to.

In the local security policy of each workstation there is an entry called "Log On Locally". Add the groups you want to allow to log in to that computer and remove those you don't.

The long way out, you can do:

Active Directory Users and Groups -> Users -> Username -> Properties -> Account -> Log On To

then type the names of the computers the user is allowed to logon from. in

Whichever way you are comfortable with.
Joseph Moody (Blogger and wearer of all hats) Commented:
Are these computers teacher computers? If so, set up 802.1X. This allows you to automatically assign computers to different VLANs (ex: Teacher VLAN) if the user belongs to a security group.
teomcam (Author) Commented:
We have approx. 450 computers and there is a general student account. From Prep to Grade 12 everyone was using this account. Now I have started creating individual student accounts per student, starting from Grade 12-11-10-9-8.... But Grade 12 and Grade 11 students especially, to be anonymous, are still using the generic student account. I cannot remove that generic account because prep classes are using it and they are obviously not ready to use their own accounts at the moment. That's why I want to block the general student account on the computers located in the Grade 12-11 classrooms and IT Labs. We allow students to use teacher computers, with teacher permission, with their own accounts.
Joseph Moody (Blogger and wearer of all hats) Commented:
I say go with what ashutoshsapre said. After creating the policy, create a security group called something like Limited Logon Computers and scope the policy to that GPO. Then, you can add and remove computers as you need to.
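
To confirm that the Deny logon locally policy from the accepted solution has actually applied on a restricted computer, the following added example (not code from this thread) exports the machine's effective user rights with secedit and checks whether the restricted group's SID is listed. The group name `EXAMPLE\Restricted-Students` is a placeholder assumption.

```powershell
# Added example (not from the thread): confirm the "Deny log on locally" right on this
# computer includes the restricted group. Run elevated, after 'gpupdate /force'.
param(
    # Hypothetical group name; substitute the group created for the restricted accounts.
    [string]$GroupName = 'EXAMPLE\Restricted-Students'
)

function ConvertTo-Sid {
    param([string]$Entry)
    # secedit writes SIDs as '*S-1-...' and unresolved/local accounts as plain names.
    if ($Entry -match '^\*(S-1-[\d-]+)$') { return $Matches[1] }
    try {
        $acct = New-Object System.Security.Principal.NTAccount($Entry)
        return $acct.Translate([System.Security.Principal.SecurityIdentifier]).Value
    } catch {
        return $null    # name could not be resolved from this machine
    }
}

function Get-DenyLocalLogonSids {
    param([string[]]$InfLines)
    # Line format: SeDenyInteractiveLogonRight = *S-1-5-32-546,*S-1-5-21-...
    $line = $InfLines | Where-Object { $_ -match '^\s*SeDenyInteractiveLogonRight\s*=' } |
        Select-Object -First 1
    if (-not $line) { return @() }    # right not defined: no account is denied
    ($line -split '=', 2)[1] -split ',' |
        ForEach-Object { ConvertTo-Sid $_.Trim() } |
        Where-Object { $_ }
}

$inf = Join-Path $env:TEMP ("user-rights-{0}.inf" -f [guid]::NewGuid())
try {
    secedit.exe /export /cfg $inf /areas USER_RIGHTS /quiet
    if ($LASTEXITCODE -ne 0) { throw "secedit export failed (exit $LASTEXITCODE); run elevated." }
    $denied = @(Get-DenyLocalLogonSids -InfLines (Get-Content -LiteralPath $inf))
} finally {
    Remove-Item -LiteralPath $inf -ErrorAction SilentlyContinue
}

$expected = ConvertTo-Sid $GroupName
if (-not $expected) { throw "Cannot resolve group '$GroupName'." }

if ($denied -contains $expected) {
    Write-Output "OK: $GroupName ($expected) is denied local logon on $env:COMPUTERNAME."
} else {
    Write-Output "MISSING: $GroupName is not in Deny log on locally on $env:COMPUTERNAME."
    Write-Output ("Currently denied SIDs: " + ($denied -join ', '))
    exit 1
}
```

Deny log on locally covers console logons only; Remote Desktop logons are governed by the separate Deny log on through Remote Desktop Services right.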
