How do I restrict Netbook to a single domain user based on Computer name

Posted on 2011-09-14
Last Modified: 2012-05-12
Dear team

We have 1500 student netbooks floating around at our school, which have Windows 7 working fine. The problem we are having is that other students who do not have netbooks are using their friends' netbooks, which we want to stop happening.

Netbooks are named in yr7-abc0001 format, where abc0001 is their student ID. This student ID is also their domain user account, which is used to log on to their netbooks. So I need some kind of assistance where I can lock the netbook to the owner so others can't log on.

Has anyone come across a way to sort this out? Any script that we can implement to stop other students using the netbooks?

I had no luck with VB scripting... please help.
Question by:balwynhigh

Expert Comment

ID: 36541148

1) Right-click on the Active Directory user's name.

2) Go to the Account tab.

3) Click on the Log on to button.

4) It will open the logon workstation window.

5) Add the computer name for that particular user or student.

Now only that particular user can login into that netbook.

I have also attached the screenshot.

If there are any issues, let me know.


Accepted Solution

netjgrnaut earned 500 total points
ID: 36542530
"now only that particular user can login into that netbook"

should say

"now  that particular user can login into that netbook *only*"

The solution shown restricts where the USER can logon; not who can logon to that COMPUTER.  Other users (who aren't so restricted) can still logon to that computer.  This would only work if you apply the setting to *every* student.

If I understand you, you want to make sure that only a particular student (plus some set of grown-ups - support staff, etc) can logon to each netbook.

I recommend using AD Group Policy to restrict interactive logon to only local Administrators, plus a new local group (created on each computer) called "AssignedStudent" or somesuch.

Then, either in device deployment or after the fact, you'd script adding a single domain user to this AssignedStudent local group.  The same script can be run on all computers, as it will build the name of the AD user to add to the local group (student account) from the laptop name.

Ideas for scripting to pull the laptop name and add a user to a local group using PowerShell can be found here:

Get Computer Name (and put it in a variable)

Add domain user to local group

Hope that gives you some ideas about how to solve this problem.
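
A sketch of the script this answer describes, added here as an illustration and not code posted in the thread: it derives the student account from the computer name, makes sure the local group exists, and leaves that account as the group's only member. The domain name `EXAMPLEDOM` is a placeholder and the name pattern is assumed from the single example `yr7-abc0001`; it uses the ADSI WinNT provider so it runs on the PowerShell 2.0 that ships with Windows 7.

```powershell
param(
    [string]$Domain       = 'EXAMPLEDOM',        # placeholder: your NetBIOS domain name
    [string]$GroupName    = 'AssignedStudent',   # local group name suggested in the answer
    [string]$ComputerName = $env:COMPUTERNAME
)

# Derive the owner from the name, e.g. yr7-abc0001 -> abc0001 (pattern is an assumption).
# Names that do not match are rejected so staff PCs or mis-named netbooks are left alone.
if ($ComputerName -notmatch '^yr\d+-([a-z]+\d+)$') {
    Write-Error "Computer name '$ComputerName' does not match yrN-<studentID>; no change made."
    exit 1
}
$ownerPath = "WinNT://$Domain/$($Matches[1])"

# Bind to the local account database and get the group, creating it on first run.
$computer = [ADSI]"WinNT://$ComputerName,computer"
try {
    $group = $computer.psbase.Children.Find($GroupName, 'group')
} catch {
    $group = $computer.Create('group', $GroupName)
    $group.SetInfo()
}

# Collect the current members as ADsPath strings.
$members = @($group.psbase.Invoke('Members') | ForEach-Object {
    $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
})

# Remove anyone who is not the owner (for example after a netbook is reassigned).
foreach ($m in $members) {
    if ($m -ne $ownerPath) {
        $group.Remove($m)
        Write-Output "Removed $m from $GroupName"
    }
}

# Add the owner if not already present.
if ($members -notcontains $ownerPath) {
    $group.Add("$ownerPath,user")
    Write-Output "Added $ownerPath to $GroupName"
}
```

Run it elevated, for example as a computer startup script, which executes as Local System. The Group Policy "Allow log on locally" right still has to be limited to Administrators and this group for the restriction to take effect.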

Author Comment

ID: 36546554
Yes, the solution which was posted by Gaurov restricts where the USER can log on, and not who can log on to the computer.

I would be able to set up the above solution in the answer file when I image the new netbooks.

However, I need a solution to fix the existing 600 netbooks, so that only the owner of the netbook can log on and not others.

Work I have done so far, which I am hoping you guys can shed some light on:

-- With Group Policy I have removed Authenticated Users, Interactive, Domain Users from the LOCAL USERS group, which stopped domain users from being able to log on.
-- Created a VB script to add a domain user based on computer name (luckily we have included students' logon IDs in the computer name). I was able to fetch the username from the computer name, but the problem with this script is that it wouldn't add the user to the LOCAL USERS group. I am thinking that it needs domain authentication for adding a domain user to the LOCAL USERS group (domain\username).

Please can someone look at the code attached and modify it so that it meets our requirements. Even if you guys can provide me with a PowerShell script to achieve this task, it would be much appreciated.

Thanks in anticipation.

Option Explicit 
Dim objAdmins, objUser, strComputer, userName, wshShell

Set wshShell = WScript.CreateObject( "WScript.Shell" )
strComputer = wshShell.ExpandEnvironmentStrings( "%COMPUTERNAME%" )
WScript.Echo "Computer Name: " & strComputer

On Error Resume Next

Set objAdmins = GetObject("WinNT://" & strComputer & "/Users")

userName = Right(strComputer,8)

WScript.Echo "uSER Name: " & userName
Set objUser = GetObject("WinNT://balwynhs" & "/" & userName)



Expert Comment

ID: 36548867
Try something like this...

Option Explicit

Dim objLocalGroup, objDomainUser

' Bind to local group object.
Set objLocalGroup = GetObject("WinNT://MyComputer/MyGroup,group")

' Bind to domain user object.
Set objDomainUser = GetObject("WinNT://MyDomain/JSmith,user")

' Check if user already a member of group.
If (objLocalGroup.IsMember(objDomainUser.ADsPath) = False) Then
    ' Add domain user to local group.
    objLocalGroup.Add(objDomainUser.ADsPath)
End If


More discussion around this topic available here:

Hope that does the trick!

Author Comment

ID: 36557535
Thanks for all your hints.

I got it working by building a PowerShell script and that worked great.
