Optimus NZ


Restrict which computers people can log in to

Hey Team,

Can we set which machines someone is allowed to log in to using SBS 2008? i.e. I only want Bill to be able to access Bill-PC, if he tries to access Bob-PC it rejects his advances.

Ta.
Ashok Dewan

Move those PCs to an OU, then create a GPO for that OU.
In the GPO, under Computer...User Rights Assignment, set the "Log On Locally" policy and add only the users who you want logging in. Ensure you do the same for the "Log on via terminal services" policy.

When the computers pick up policy, only the listed users will be able to interactively log on to the machines.

If you want to prevent mapping network drives, NETBIOS access etc, also set the "Access this computer from the network" policy.

MAKE SURE that you add "Administrators" to the "Log on Locally" and "Log on via Terminal Services" rights, and to the "Access this computer from the network" policy. Otherwise you will be locked out of the PCs and at the mercy of the users!! (Unless you move it to a different OU of course).

NOTE: Active Directory must be installed on that SBS 2008
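
The lockout warning in the answer above can be checked before the GPO is linked to the OU. The following is an added example, not part of the original thread: it parses the `[Privilege Rights]` section of a security template (the format used by a GPO's GptTmpl.inf) and reports whether Administrators is listed for each of the three rights. The template text and the user SID are constructed sample data, and the function name is hypothetical.

```powershell
# Added example: lockout check for a GPO security template.
# Constructed sample template; the domain user SID is made up.
$template = @'
[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-21-1111111111-2222222222-3333333333-1104
SeRemoteInteractiveLogonRight = *S-1-5-21-1111111111-2222222222-3333333333-1104
[Version]
signature="$CHICAGO$"
Revision=1
'@

# The three rights named in the answer, keyed by their template constants.
$rights = [ordered]@{
    SeInteractiveLogonRight       = 'Log on locally'
    SeRemoteInteractiveLogonRight = 'Log on via Terminal Services'
    SeNetworkLogonRight           = 'Access this computer from the network'
}
$adminSid = 'S-1-5-32-544'   # well-known SID of BUILTIN\Administrators

function Get-PrivilegeRights {   # hypothetical helper name
    param([string]$Text)
    $section = ''
    $result  = @{}
    foreach ($line in $Text -split "`r?`n") {
        $line = $line.Trim()
        if ($line -match '^\[(.+)\]$') { $section = $Matches[1]; continue }
        if ($section -eq 'Privilege Rights' -and $line -match '^(\w+)\s*=\s*(.*)$') {
            $name = $Matches[1]
            # Entries are comma-separated; SIDs carry a leading '*'.
            $result[$name] = @($Matches[2] -split ',' |
                ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ })
        }
    }
    return $result
}

$defined = Get-PrivilegeRights -Text $template
foreach ($key in $rights.Keys) {
    if (-not $defined.ContainsKey($key)) {
        $status = 'not defined in this GPO'
    } elseif ($defined[$key] -contains $adminSid -or $defined[$key] -contains 'Administrators') {
        $status = 'OK, Administrators listed'
    } else {
        $status = 'LOCKOUT RISK, Administrators missing'
    }
    '{0,-30} {1,-40} {2}' -f $key, $rights[$key], $status
}
```

A right that is not defined in the template is left to whatever other policy applies to the machine, so it is reported separately rather than as a risk.
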
@neil40m -- you seem to have never worked with an SBS before -- AD would ALWAYS be installed on it.

@optimus_nz -- by default SBS 2008 will only allow LOCAL access to computers for all users and REMOTE access to a computer to just the designated user. Are you trying to restrict LOCAL access? If so, may I ask why? Because this is generally not something that would be done as there is nothing of Bob's that can be accessed by Bill if he logs into Bob's computer with his own credentials.

Jeff
TechSoEasy
Jeff is correct - The user would log on with their own credentials and would not be able to access the other user's documents providing that they are not saved on the PC's C: Drive.

If you are trying to prevent access to files on the PC then I would suggest doing it by restricting permissions as opposed to stopping users from logging onto the machine.

By default domain users will have standard permissions and not have administrative rights on the PC - Unless specified through the SBS Console.
Optimus NZ

ASKER

Hi Guys,

Sorry for the delay. The request was that nobody could ever use somebody else's desktop - the boss doesn't want to see anyone else's username on his computer. It would seem someone used it while he wasn't there. It's not from a security perspective, it's from an "I don't want anyone touching my things" perspective. Apparently telling them not to use it is too hard...
ASKER CERTIFIED SOLUTION
Jeffrey Kane - TechSoEasy