Restrict which computers people can log in to

Hey Team,

Can we set which machines someone is allowed to log in to using SBS 2008? i.e. I only want Bill to be able to access Bill-PC, if he tries to access Bob-PC it rejects his advances.

Jeffrey Kane - TechSoEasy, Principal Consultant, commented:
Boy, I sure hate it when business owners try to use technology to compensate for bad management.  Because it never works the way the boss intended...

Anyhow, my venting aside, if it is just one machine, then it is quite easy.

1.  Create a New User Role in the SBS Console based on the boss' user account.
(click on his name on the USER tab and you'll see a task which says "Create a new user role based on this user's account properties")
2.  Apply that role to the boss' account
3.  Create a new Security Group
4.  Add the "Standard User Role" to this new Security Group
5.  On the boss' machine, open up Administrative Tools > Local Security Policy > Local Policies > User rights assignment > Deny log on locally --- add that Security Group to this setting, as well as the Deny log on through Remote Desktop Services.

The reason I am having you do it this way is to be sure that you do not deny access to administrators, and it will also make it so anyone new that is added to the domain will also be denied access automatically.

You could do step 5 through Group Policy, but since it's just a single machine, it really is simpler to just do it on that machine.

Now, there is also a much simpler way... if he doesn't want to see anyone else's username on his computer you could just enable the "Interactive logon: Do not display last user name" setting found in Local Policies > Security Options.

Ashok Dewan, Freelancer, commented:
Move those PCs to an OU, create a GPO for that OU, and then in the GPO, under Computer...User Rights Assignment, set the "Log On Locally" policy and add only the users who you want logging in. Ensure you do the same for the "Log on via terminal services" policy.

When the computers pick up policy, only the listed users will be able to interactively log on to the machines.

If you want to prevent mapping network drives, NETBIOS access etc, also set the "Access this computer from the network" policy.

MAKE SURE that you add "Administrators" to the "Log on Locally" and "Log on via Terminal Services" rights, and to the "Access this computer from the network" policy. Otherwise you will be locked out of the PCs and at the mercy of the users!! (Unless you move it to a different OU of course).

NOTE: Active Directory must be installed on that SBS 2008
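
As an added example (not part of the original answers), here is a check for the lockout condition warned about above, run against the text of a `secedit /export /cfg <file> /areas USER_RIGHTS` export. The sample policy, the EXAMPLE domain, the group name and the function names are constructed for this example.

```python
ADMIN_SID = "S-1-5-32-544"  # well-known SID of BUILTIN\Administrators

# User rights named in the thread, keyed by their secedit constant names
ALLOW_RIGHTS = {
    "SeInteractiveLogonRight": "Log on locally",
    "SeRemoteInteractiveLogonRight": "Log on through Terminal Services",
    "SeNetworkLogonRight": "Access this computer from the network",
}
DENY_RIGHTS = {
    "SeDenyInteractiveLogonRight": "Deny log on locally",
    "SeDenyRemoteInteractiveLogonRight": "Deny log on through Remote Desktop Services",
}

# Constructed sample export: Administrators is missing from "Log on locally"
SAMPLE = r"""
[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-5-32-544,EXAMPLE\Bill
SeInteractiveLogonRight = EXAMPLE\Bill
SeRemoteInteractiveLogonRight = *S-1-5-32-544,EXAMPLE\Bill
SeDenyInteractiveLogonRight = EXAMPLE\NoBossPC
[Version]
signature="$CHICAGO$"
"""

def parse_privilege_rights(inf_text):
    """Return {right: [principals]} from the [Privilege Rights] section."""
    rights, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
        elif in_section and "=" in line and not line.startswith(";"):
            name, _, value = line.partition("=")
            # SIDs are written with a leading '*'; strip it for comparison
            rights[name.strip()] = [p.strip().lstrip("*") for p in value.split(",") if p.strip()]
    return rights

def is_admins(principal):
    return principal.upper() == ADMIN_SID or principal.split("\\")[-1].lower() == "administrators"

def lockout_findings(inf_text):
    """List rights where Administrators is missing from an allow or present in a deny.
    Assumption: a right absent from the export has no principals. Only direct
    entries are checked; membership of listed groups is not resolved."""
    rights = parse_privilege_rights(inf_text)
    missing = [f"{label}: Administrators not listed" for r, label in ALLOW_RIGHTS.items()
               if not any(is_admins(p) for p in rights.get(r, []))]
    denied = [f"{label}: Administrators listed" for r, label in DENY_RIGHTS.items()
              if any(is_admins(p) for p in rights.get(r, []))]
    return missing + denied
```

The export file is normally UTF-16, so decode it accordingly before passing its text to `lockout_findings`.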

Jeffrey Kane - TechSoEasy, Principal Consultant, commented:
@neil40m -- you seem to have never worked with an SBS before -- AD would ALWAYS be installed on it.

@optimus_nz -- by default SBS 2008 will only allow LOCAL access to computers for all users and REMOTE access to a computer to just the designated user.  Are you trying to restrict LOCAL access?  If so, may I ask why?   Because this is generally not something that would be done as there is nothing of Bob's that can be accessed by Bill if he logs into Bob's computer with his own credentials.

David Atkin, Technical Director, commented:
Jeff is correct - The user would log on with their own credentials and would not be able to access the other user's documents, providing that they are not saved on the PC's C: drive.

If you are trying to prevent access to files on the PC then I would suggest doing it by restricting permissions as opposed to stopping users from logging onto the machine.

By default domain users will have standard permissions and not have administrative rights on the PC - Unless specified through the SBS Console.

optimus_nz, Author, commented:
Hi Guys,

Sorry for the delay. The request was that nobody could ever use somebody else's desktop - the boss doesn't want to see anyone else's username on his computer. It would seem someone used it while he wasn't there. It's not from a security perspective, it's from a "I don't want anyone touching my things" perspective. Apparently telling them not to use it is too hard...
Question has a verified solution.
