I'll need to revisit the above EE post : I've just implemented the simplest solution by Lee W ie
ID: 42292327 by removing "Domain Users" from the local "Users" group on 2 of the PCs, rebooted them but using one of the 'unauthorized' AD Id, could still logon to the 2 critical PCs, so this solution did not work. Why is it not working as Lee W suggested?
Under the local "Users" group, there are 2 more members (after removing "Domain Users"): could these 2 groups be the reason why the unauthorized AD Ids could still login?
1. NT AUTHORITY\Authenticated Users (S-1-5-11)
2. NT AUTHORITY\INTERACTIVE (S-1-5-4)
I guess it's not safe to remove the above 2 from local "Users" group, right?
I'm looking for the next simplest solution, so which among them are easiest
considering there are 30 PCs with 40 authorized staff?
Currently if we issue "Net user /domain any_AD_Id" , output will show
a line "Could logon to any workstations" : guess this is (one of) the problem