Restrict which computers people can log in to

Posted on 2012-09-04
Medium Priority
Last Modified: 2012-10-24
Hey Team,

Can we set which machines someone is allowed to log in to using SBS 2008? i.e. I only want Bill to be able to access Bill-PC, if he tries to access Bob-PC it rejects his advances.

Question by:optimus_nz

Expert Comment

by:Ashok Dewan
ID: 38366687
Move those PCs to an OU and then create a GPO for that OU. Then, in the GPO, under Computer...User Rights Assignment, set the "Log On Locally" policy and add only the users who you want logging in. Ensure you do the same for the "Log on via terminal services" policy.

When the computers pick up policy, only the listed users will be able to interactively log on to the machines.

If you want to prevent mapping network drives, NETBIOS access etc, also set the "Access this computer from the network" policy.

MAKE SURE that you add "Administrators" to the "Log on Locally" and "Log on via Terminal Services" rights, and to the "Access this computer from the network" policy. Otherwise you will be locked out of the PCs and at the mercy of the users!! (Unless you move it to a different OU of course).

NOTE: Active Directory must be installed on that SBS 2008

Expert Comment

by:Jeffrey Kane - TechSoEasy
ID: 38367524
@neil40m -- you seem to have never worked with an SBS before -- AD would ALWAYS be installed on it.

@optimus_nz -- by default SBS 2008 will only allow LOCAL access to computers for all users and REMOTE access to a computer to just the designated user.  Are you trying to restrict LOCAL access?  If so, may I ask why?   Because this is generally not something that would be done as there is nothing of Bob's that can be accessed by Bill if he logs into Bob's computer with his own credentials.


Expert Comment

by:David Atkin
ID: 38371285
Jeff is correct - The user would log on with their own credentials and would not be able to access the other user's documents, providing that they are not saved on the PC's C: Drive.

If you are trying to prevent access to files on the PC then I would suggest doing it by restricting permissions as opposed to stopping users from logging onto the machine.

By default domain users will have standard permissions and not have administrative rights on the PC - Unless specified through the SBS Console.

Author Comment

ID: 38434820
Hi Guys,

Sorry for the delay. The request was that nobody could ever use somebody else's desktop - the boss doesn't want to see anyone else's username on his computer. It would seem someone used it while he wasn't there. It's not from a security perspective, it's from an "I don't want anyone touching my things" perspective. Apparently telling them not to use it is too hard...

Accepted Solution

Jeffrey Kane - TechSoEasy earned 2000 total points
ID: 38449808
Boy, I sure hate it when business owners try to use technology to compensate for bad management.  Because it never works the way the boss intended...

Anyhow, my venting aside, if it is just one machine, then it is quite easy.

1.  Create a New User Role in the SBS Console based on the boss' user account.
(click on his name on the USER tab and you'll see a task which says "Create a new user role based on this user's account properties")
2.  Apply that role to the boss' account
3.  Create a new Security Group
4.  Add the "Standard User Role" to this new Security Group
5.  On the boss' machine, open up Administrative Tools > Local Security Policy > Local Policies > User rights assignment > Deny log on locally --- add that Security Group to this setting, as well as the Deny log on through Remote Desktop Services.

The reason I am having you do it this way is to be sure that you do not deny access to administrators, and it will also make it so anyone new that is added to the domain will also be denied access automatically.

You could do step 5 through Group policy, but since it's just a single machine, it really is simpler to just do it on that machine.

Now, there is also a much simpler way... if he doesn't want to see anyone else's username on his computer you could just enable the "Interactive logon: Do not display last user name" setting found in Local Policies > Security Options.
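Added example, not part of the original thread: a PowerShell check of the user rights that step 5 above and the lockout warning in the first comment both depend on, run over the [Privilege Rights] section that `secedit /export` produces. The function names and the group SID are hypothetical, and the sample export is constructed; matching is by SID only, so entries exported as plain account names are not resolved.

```powershell
# Constructed sample of the [Privilege Rights] section written by
#   secedit /export /cfg rights.inf /areas USER_RIGHTS
# The S-1-5-21-...-1109 SID is a made-up stand-in for the new security group.
$sample = @'
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545
SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555
SeDenyInteractiveLogonRight = *S-1-5-21-1111111111-2222222222-3333333333-1109
SeDenyRemoteInteractiveLogonRight = *S-1-5-32-546
'@

function Get-UserRights([string]$InfText) {
    # Parse "SeXxxRight = *SID,*SID" lines into a hashtable of SID arrays.
    $rights = @{}
    foreach ($line in $InfText -split "`r?`n") {
        if ($line -match '^\s*(Se\w+)\s*=\s*(.*)$') {
            $rights[$Matches[1]] = @($Matches[2] -split ',' |
                ForEach-Object { $_.Trim().TrimStart('*') } |
                Where-Object { $_ })
        }
    }
    return $rights
}

function Test-LogonRestriction([string]$InfText, [string]$DenyGroupSid) {
    $admins = 'S-1-5-32-544'   # well-known SID of BUILTIN\Administrators
    $r = Get-UserRights $InfText
    $findings = @()
    foreach ($deny in 'SeDenyInteractiveLogonRight', 'SeDenyRemoteInteractiveLogonRight') {
        $members = @($r[$deny])
        if ($members -notcontains $DenyGroupSid) { $findings += "$deny does not list the restricted group" }
        if ($members -contains $admins)          { $findings += "$deny lists Administrators (lockout risk)" }
    }
    foreach ($allow in 'SeInteractiveLogonRight', 'SeRemoteInteractiveLogonRight') {
        # Only flag an allow right that is defined and non-empty but omits Administrators.
        if ($r.ContainsKey($allow) -and $r[$allow].Count -gt 0 -and $r[$allow] -notcontains $admins) {
            $findings += "$allow is set but omits Administrators (lockout risk)"
        }
    }
    return $findings
}

# The sample sets only the local deny right, so the Remote Desktop half is reported.
Test-LogonRestriction $sample 'S-1-5-21-1111111111-2222222222-3333333333-1109'
```

To check a real machine, pass the contents of the exported file instead of `$sample`, for example `Get-Content rights.inf -Raw`.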

