
Allow only one domain user to login to workstation

rbudj used Ask the Experts™
I was asked this question, and to my knowledge the answer is no.

On a Windows 7 computer connected to a Server 2008 domain, is it possible to restrict access to this computer to one single user?

My guess is that anyone with a username in active directory can login but they want to know if regardless of permissions for different users, can logon to this computer be limited to a single user?

Create a new AD group, and add only member X to the group.  In ADUC, go to the properties and the membership of the group.  Add the new group - you should have only Domain Controller and the new user group.  Make sure your new group has full administrative access to the machine.

If it's a domain computer then it is very, very easy. Just remove "Domain users" out of the users group under computer management on the Win 7 box. Make sure they are not in the Admin Group either. Then just add the single username to either Users or Administrators group.


Ok thanks for the info. I will test this and post back.
I didn't mention this but it goes without saying....leave at least one Administrator in the Admin Group if you're not going to make the user an Admin. We always leave Domain Admins in the Admin group as a backdoor regardless of how we restrict individual user access to the PC.
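
Added example, not part of the original thread or any poster's own code: a PowerShell sketch of the local-group change described in the two replies above (remove "Domain Users" from the local Users group, add the single user, keep Domain Admins in local Administrators). The domain name CONTOSO and the account jsmith are placeholder assumptions; the script only reports what it would change unless $Apply is set to $true.

```powershell
# Added example. CONTOSO and jsmith are placeholders (assumptions), not values from the thread.
$Domain      = 'CONTOSO'   # NetBIOS domain name (assumed)
$AllowedUser = 'jsmith'    # the one account allowed to log on (assumed)
$Apply       = $false      # $false = report only; $true = change group membership
$Computer    = $env:COMPUTERNAME

function Get-LocalGroupMember {
    param([string]$GroupName)
    $group = [ADSI]"WinNT://$Computer/$GroupName,group"
    # Members come back as COM objects; read ADsPath through reflection (works on PowerShell 2.0)
    foreach ($m in @($group.psbase.Invoke('Members'))) {
        $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
    }
}

function Set-LocalGroupMember {
    param([string]$GroupName, [string]$Action, [string]$MemberPath)
    Write-Output "$Action $MemberPath ($GroupName)"
    if ($Apply) {
        $group = [ADSI]"WinNT://$Computer/$GroupName,group"
        $group.psbase.Invoke($Action, $MemberPath)
    }
}

$domainUsers  = "WinNT://$Domain/Domain Users"
$domainAdmins = "WinNT://$Domain/Domain Admins"
$allowed      = "WinNT://$Domain/$AllowedUser"

# Safety check first: keep an administrative way back in before touching anything
if ((Get-LocalGroupMember 'Administrators') -notcontains $domainAdmins) {
    Write-Warning "Domain Admins is not in local Administrators; stopping."
    return
}

$members = @(Get-LocalGroupMember 'Users')
if ($members -contains $domainUsers) { Set-LocalGroupMember 'Users' 'Remove' $domainUsers }
if ($members -notcontains $allowed)  { Set-LocalGroupMember 'Users' 'Add' $allowed }

# List what is left so any other entry that still grants membership is visible
foreach ($name in 'Users', 'Administrators') {
    Write-Output "--- $name ---"
    Get-LocalGroupMember $name
}
```

Run it from an elevated prompt on the workstation and review the final listing: every remaining entry in either group is an account or group that can still log on.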


Are you talking about the local policy?
I think so - the Domain Admins group should always be in the local Administrator group - but you can always just do one domain user or send out a group policy to add more groups to that group.
Here is a screenshot of the management screen showing exactly how my PC looks. Of course my personal accounts are in the Admin Group. Some organizations put the users there and some only put them in the users or power users group.

Distinguished Expert 2018
There are even more solutions.
There exists a user privilege to "logon locally" -> open secpol.msc at the client and look at [and edit] "local policies", "user right assignment".
Last but not least, in a domain we don't have to leave the logon right at defaults. Every newly created user can logon to any non-server installation. That's because on the logon tab of the user object we left the option "user may logon to any workstation" (or similar) checked. We don't have to.


I'm still working on this. Whoever is rushing, please be patient.


I am setting this up in my test environment now. I will have more soon.


Having some issues. Still working on this.


Almost have my network rebuilt for testing. Sorry for the delay.