Restrict which computers people can log in to

Posted on 2012-09-04
Last Modified: 2012-10-24
Hey Team,

Can we set which machines someone is allowed to log in to using SBS 2008? i.e. I only want Bill to be able to access Bill-PC, if he tries to access Bob-PC it rejects his advances.

Question by:optimus_nz
    LVL 9

    Expert Comment

    by:Ashok Dewan
    Move those PCs to an OU, then create a GPO for that OU, and then:
    In the GPO, under Computer...User Rights Assignment, set the "Log On Locally" policy and add only the users who you want logging in. Ensure you do the same for the "Log on via terminal services" policy.

    When the computers pick up policy, only the listed users will be able to interactively log on to the machines.

    If you want to prevent mapping network drives, NETBIOS access etc, also set the "Access this computer from the network" policy.

    MAKE SURE that you add "Administrators" to the "Log on Locally" and "Log on via Terminal Services" rights, and to the "Access this computer from the network" policy. Otherwise you will be locked out of the PCs and at the mercy of the users!! (Unless you move it to a different OU of course).

    NOTE: Active Directory must be installed on that SBS 2008
    LVL 74

    Expert Comment

    by:Jeffrey Kane - TechSoEasy
    @neil40m -- you seem to have never worked with an SBS before -- AD would ALWAYS be installed on it.

    @optimus_nz -- by default SBS 2008 will only allow LOCAL access to computers for all users and REMOTE access to a computer to just the designated user.  Are you trying to restrict LOCAL access?  If so, may I ask why?   Because this is generally not something that would be done as there is nothing of Bob's that can be accessed by Bill if he logs into Bob's computer with his own credentials.

    LVL 21

    Expert Comment

    by:David Atkin
    Jeff is correct - The user would log on with their own credentials and would not be able to access the other user's documents providing that they are not saved on the PC's C: Drive.

    If you are trying to prevent access to files on the PC then I would suggest doing it by restricting permissions as opposed to stopping users from logging onto the machine.

    By default domain users will have standard permissions and not have administrative rights on the PC - Unless specified through the SBS Console.

    Author Comment

    Hi Guys,

    Sorry for the delay. The request was that nobody could ever use somebody else's desktop - the boss doesn't want to see anyone else's username on his computer. It would seem someone used it while he wasn't there. It's not from a security perspective, it's from a "I don't want anyone touching my things" perspective. Apparently telling them not to use it is too hard...
    LVL 74

    Accepted Solution

    Boy, I sure hate it when business owners try to use technology to compensate for bad management.  Because it never works the way the boss intended...

    Anyhow, my venting aside, if it is just one machine, then it is quite easy.

    1.  Create a New User Role in the SBS Console based on the boss' user account.
    (click on his name on the USER tab and you'll see a task which says "Create a new user role based on this user's account properties")
    2.  Apply that role to the boss' account
    3.  Create a new Security Group
    4.  Add the "Standard User Role" to this new Security Group
    5.  On the boss' machine, open up Administrative Tools > Local Security Policy > Local Policies > User rights assignment > Deny log on locally --- add that Security Group to this setting, as well as the Deny log on through Remote Desktop Services.

    The reason I am having you do it this way is to be sure that you do not deny access to administrators, and it will also make it so anyone new that is added to the domain will also be denied access automatically.

    You could do step 5 through Group policy, but since it's just a single machine, it really is simpler to just do it on that machine.

    Now, there is also a much simpler way... if he doesn't want to see anyone else's username on his computer you could just enable the "Interactive logon: Do not display last user name" setting found in Local Policies > Security Options.
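
A read-only check for the user-rights settings described in the accepted solution and for the lock-out warning in the first expert comment, added here as an example and not posted by any participant in the thread. It parses a `secedit` user-rights export; the sample export and the group SID are constructed placeholders, the function names are hypothetical, and accounts are assumed to appear in the export as `*SID` entries.

```powershell
# Constructed sample export. On a real machine run
#   secedit /export /cfg rights.inf /areas USER_RIGHTS
# and load it with: $inf = Get-Content rights.inf
$inf = @'
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544,*S-1-5-32-545
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545
SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555
SeDenyInteractiveLogonRight = *S-1-5-21-1111111111-2222222222-3333333333-1234
SeDenyRemoteInteractiveLogonRight = *S-1-5-21-1111111111-2222222222-3333333333-1234
[Version]
signature="$CHICAGO$"
'@ -split "`r?`n"

# Parse the [Privilege Rights] section into a table: right name -> list of SIDs/names.
function Get-PrivilegeRights([string[]]$Lines) {
    $rights = @{}; $inSection = $false
    foreach ($line in $Lines) {
        if ($line -match '^\[(.+)\]\s*$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
        if ($inSection -and $line -match '^\s*(\w+)\s*=\s*(.*)$') {
            $name = $Matches[1]
            $rights[$name] = @($Matches[2] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') })
        }
    }
    $rights
}

# Return a list of problems; an empty result means the rights match the intended setup.
# Only direct entries are checked, not nested group membership.
function Test-LogonRights([string[]]$Lines, [string]$DenyGroupSid) {
    $admins = 'S-1-5-32-544'   # well-known SID of BUILTIN\Administrators
    $rights = Get-PrivilegeRights $Lines
    $findings = @()
    foreach ($deny in 'SeDenyInteractiveLogonRight', 'SeDenyRemoteInteractiveLogonRight') {
        $members = @($rights[$deny])
        if ($members -notcontains $DenyGroupSid) { $findings += "$deny does not list the deny group" }
        if ($members -contains $admins) { $findings += "$deny lists Administrators (deny overrides allow)" }
    }
    # Allow rights only matter when defined; a defined list without Administrators locks admins out.
    foreach ($allow in 'SeInteractiveLogonRight', 'SeRemoteInteractiveLogonRight', 'SeNetworkLogonRight') {
        if ($rights.ContainsKey($allow) -and (@($rights[$allow]) -notcontains $admins)) {
            $findings += "$allow is defined without Administrators"
        }
    }
    $findings
}

$sid = 'S-1-5-21-1111111111-2222222222-3333333333-1234'   # placeholder SID for the new Security Group
$problems = @(Test-LogonRights $inf $sid)
if ($problems.Count -eq 0) { 'OK: deny group present, Administrators not locked out' } else { $problems }
```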

