Allowing only certain users to login

On a Active Directory domain network is there a way to allow just a group of users to login to a specific machine? If so what is the best way? Step by step instructions would be good. Thanks

2008 server with Windows 7 clients
Thomas NSystems Analyst - Windows System AdministratorAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

becraigCommented:
The easiest solution would be by denying local login to a specific group through secpol.msc

Run (Win key + R)
secpol.msc - Enter
Expand Security settings
Expand local policies
click on user rights assignment
Double click deny logon locally
Add users or groups you want to deny in that box.

Here is an article and step by step on how to do this with group policy:
http://4sysops.com/archives/deny-and-allow-workstation-logons-with-group-policy/
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Radhakrishnan RSenior Technical LeadCommented:
Hi Thomas,

Yes, you can do this via GPO but you need to do few steps to achieve this.

1) Create a OU and place the computer on this OU.

2) Create a new GPO from (gpmc>>Group policy objects>>Right click and new)>>Right click and edit the newly created GPO>>Computer Configuration>>Policies>>Windows settings>>Security settings>>Local Policies>>User Rights Assignment>>In the right hand side, Access this computer from network>>Add the appropriate users/groups.

Link this GPO to the OU where the computer resides.

Good luck
0
Thomas NSystems Analyst - Windows System AdministratorAuthor Commented:
Thanks guys, so if I create a small group and put them in the allow but they are part of the bigger group that I deny will they still be able to login?

For example: Tom is part of the "everyone" group thats denied but I created a small group "IT" and he is part of that group as well that I allow. Will he still be able to login?

I hope that makes sense.
0
Ultimate Tool Kit for Technology Solution Provider

Broken down into practical pointers and step-by-step instructions, the IT Service Excellence Tool Kit delivers expert advice for technology solution providers. Get your free copy now.

becraigCommented:
Deny privileges override allow privileges.

Your best bet is instead of tinkering with DENY simply have no-one in allow except the groups you want.
Windows uses the concept of implicit deny so if you have explicit permissions declared and a certain user or group is not in allowed as a part of that action then he or she is automatically denied.
0
compdigit44Commented:
In Active Directory Users and Computer user each user's account you can specify which computers they are allowed to log into.
0
LeeTutorretiredCommented:
I've requested that this question be deleted for the following reason:

Not enough information to confirm an answer.
0
becraigCommented:
is there a way to allow just a group of users to login to a specific machine? If so what is the best way? Step by step instructions would be good
I think the following comments clearly answered the initial question and the follow up questions:
http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/Windows_Server_2008/Q_28492693.html#a40246336

http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/Windows_Server_2008/Q_28492693.html#a40246359


Follow up question:
Thanks guys, so if I create a small group and put them in the allow but they are part of the bigger group that I deny will they still be able to login?

http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/Windows_Server_2008/Q_28492693.html#a40246502
0
NetminderCommented:
Force-accepted to close.

Netminder
Senior Admin
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows Server 2008

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.