https://www.experts-exchange.com/questions/29056334/Steps-to-block-AD-IDs-from-login-to-30-critical-PCs.html
I'll need to revisit the above EE post: I've just implemented the simplest solution by Lee W, i.e. ID: 42292327, by removing "Domain Users" from the local "Users" group on 2 of the PCs and rebooted them, but using one of the 'unauthorized' AD IDs I could still log on to the 2 critical PCs, so this solution did not work. Why is it not working as Lee W suggested?
Under the local "Users" group, there are 2 more members (after removing "Domain Users"): could these 2 groups be the reason why the unauthorized AD IDs could still log in?
1. NT AUTHORITY\Authenticated Users (S-1-5-11)
2. NT AUTHORITY\INTERACTIVE (S-1-5-4)
I guess it's not safe to remove the above 2 from the local "Users" group, right?
I'm looking for the next simplest solution, so which among them is easiest, considering there are 30 PCs with 40 authorized staff?
Currently if we issue "net user /domain any_AD_Id", the output will show a line "Could logon to any workstations": I guess this is (one of) the problem(s).
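The reason the first attempt did not work is the member listed under point 1 above: "NT AUTHORITY\Authenticated Users" (S-1-5-11) contains every domain account that has logged on, so it keeps the whole domain inside the local "Users" group, and on a workstation the "Users" group holds the "Allow log on locally" right (SeInteractiveLogonRight) by default. Removing "Domain Users" therefore changes nothing, and removing Authenticated Users or INTERACTIVE from "Users" would break normal use of the machine. The control that actually decides who may sit at the keyboard is that user right, and it can be turned into an allow-list of Administrators plus one AD group holding the 40 authorized staff. The PowerShell below is an added example written for this thread, not code posted by anyone in it; the domain name CONTOSO and the group name CriticalPC-Authorized are assumed placeholders.

```powershell
# Added example, not code from the EE thread. Run in an elevated PowerShell
# session on one of the critical PCs.
# Assumed placeholders: domain CONTOSO, AD security group CriticalPC-Authorized
# holding the 40 authorized staff.
$AuthorizedGroup = 'CONTOSO\CriticalPC-Authorized'

function Get-InteractiveLogonRight {
    # Export only the user-rights area and return the SeInteractiveLogonRight line.
    $inf = Join-Path $env:TEMP 'user-rights.inf'
    secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
    Get-Content $inf | Where-Object { $_ -match '^SeInteractiveLogonRight' }
}

# 1. Why removing "Domain Users" from local Users changed nothing: S-1-5-11
#    (Authenticated Users) is still a member, and every domain account is one.
Get-LocalGroupMember -Group 'Users' |
    Where-Object { $_.SID.Value -in @('S-1-5-11', 'S-1-5-4') } |
    ForEach-Object { "Local Users still contains $($_.Name) ($($_.SID.Value))" }

# 2. The right that actually decides interactive logon. On a default workstation
#    it lists *S-1-5-32-544 (Administrators), *S-1-5-32-545 (Users) and
#    *S-1-5-32-551 (Backup Operators).
"Before: $(Get-InteractiveLogonRight)"

# 3. Resolve the authorized group's SID and build an allow-list of
#    Administrators + that group. Keep Administrators or you lock yourself out.
$adminSid  = 'S-1-5-32-544'
$ntAccount = New-Object System.Security.Principal.NTAccount($AuthorizedGroup)
$groupSid  = $ntAccount.Translate([System.Security.Principal.SecurityIdentifier]).Value

$template = @"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO`$"
Revision=1
[Privilege Rights]
SeInteractiveLogonRight = *$adminSid,*$groupSid
"@
$infPath = Join-Path $env:TEMP 'critical-logon.inf'
$template | Set-Content -Path $infPath -Encoding Unicode

# 4. Apply only the USER_RIGHTS area; other security settings are untouched.
$dbPath = Join-Path $env:TEMP 'critical-logon.sdb'
secedit /configure /db $dbPath /cfg $infPath /areas USER_RIGHTS | Out-Null

# 5. Verify. Domain accounts outside the group are now refused at the logon
#    screen, while the local Users group membership is left as it was.
"After:  $(Get-InteractiveLogonRight)"
```

For 30 machines the same setting belongs in a GPO (Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment > Allow log on locally) linked to an OU that holds only the 30 computer objects; a GPO will overwrite whatever secedit sets locally at the next refresh, so the local run above is best treated as a test on one PC before the GPO is linked. Remote Desktop is governed by a separate right ("Allow log on through Remote Desktop Services") and the Remote Desktop Users group, so it needs the same treatment if those PCs accept RDP.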
Likely, the two users in question had membership in a group that at some point became authorized.
The other difficulty is inherent to the situation you find yourself in.
I know users can be limited to the computers to which they can log in; I have not looked at whether the computer object within AD can be set to specify which users and groups are authorized to access this system.
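The per-user limit referred to above is the "Log On To" setting on the AD account (the userWorkstations attribute, exposed as LogonWorkstations in the ActiveDirectory module); an empty value means every workstation, which is what "net user /domain" reports for an unrestricted account. There is no equivalent field on the computer object: the per-computer side of this control is the "Allow log on locally" user right on the machine itself. The script below is an added example for this thread, not code from the thread's participants; the computer names CRITPC01..CRITPC30, the OU path and the user jdoe are assumed placeholders, and it needs the RSAT ActiveDirectory module.

```powershell
# Added example, not code from the thread. Needs the ActiveDirectory module (RSAT).
# Assumed placeholders: critical PCs CRITPC01..CRITPC30, workstation OU
# OU=Workstations,DC=contoso,DC=com, and a user jdoe to keep off the critical PCs.
Import-Module ActiveDirectory

$CriticalPCs = 1..30 | ForEach-Object { 'CRITPC{0:D2}' -f $_ }

function Get-LogonWorkstations {
    # Returns the account's "Log On To" list. An empty attribute means all
    # workstations, which is what "net user /domain" shows for an unrestricted user.
    param([Parameter(Mandatory)][string]$SamAccountName)
    $u = Get-ADUser -Identity $SamAccountName -Properties LogonWorkstations
    if ([string]::IsNullOrWhiteSpace($u.LogonWorkstations)) { return @() }
    return $u.LogonWorkstations -split ','
}

function Test-LogonWorkstationAllowed {
    # $true when the attribute permits an interactive logon at $ComputerName.
    param([string]$SamAccountName, [string]$ComputerName)
    $list = Get-LogonWorkstations -SamAccountName $SamAccountName
    if ($list.Count -eq 0) { return $true }
    return ($list -contains $ComputerName)
}

# The attribute is an allow-list, so restricting jdoe means enumerating every
# non-critical workstation the user may still use and writing that list back.
$allowed = Get-ADComputer -Filter * -SearchBase 'OU=Workstations,DC=contoso,DC=com' |
    Select-Object -ExpandProperty Name |
    Where-Object { $_ -notin $CriticalPCs }
Set-ADUser -Identity 'jdoe' -LogonWorkstations ($allowed -join ',')

# Check the result from both sides: refused on a critical PC, still allowed elsewhere.
"jdoe on CRITPC01: $(Test-LogonWorkstationAllowed -SamAccountName 'jdoe' -ComputerName 'CRITPC01')"
"jdoe on $($allowed[0]): $(Test-LogonWorkstationAllowed -SamAccountName 'jdoe' -ComputerName $allowed[0])"

# Audit: enabled accounts whose list is still empty, i.e. still able to reach the
# critical PCs through this control.
Get-ADUser -Filter 'Enabled -eq $true' -Properties LogonWorkstations |
    Where-Object { [string]::IsNullOrWhiteSpace($_.LogonWorkstations) } |
    Select-Object -ExpandProperty SamAccountName

# To undo the restriction for one account:
# Set-ADUser -Identity 'jdoe' -Clear userWorkstations
```

Because the list is an allow-list of short length, this approach fits the reverse case well (a handful of accounts confined to a handful of machines) but scales poorly to "everyone except 40 staff is kept off 30 PCs", since every other account would need its own explicit list of the remaining fleet; for that shape of problem the per-computer "Allow log on locally" right applied by GPO to the 30 computer objects is the smaller change to make and maintain.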