General discussion

  • Creator
  • #2257314

    Denying logon privilages


    by daddy123 ·

    Hello all,
    I work in a school district. We have a Windows server 2003 Active Directory domain. We have a few hundred laptops running Windows XP that the students use. Last year the students wreaked havoc on them, i.e. changing desktops, deleting and changing icons, deleting folders, etc. During this summer we have implemented a total lockdown of the laptops, (and PCs) through active Directory using Mandatory Profiles and Group Policies. But we did this for only a hand full of users that we want to use the laptops. Is there a way of denying, certain domain users logon privileges to the laptops? And if so, can it be done through active directory, or does it have to be done on the local machine?


All Comments

  • Author
    • #3213067

      Reply To: Denying logon privilages

      by lowlands ·

      In reply to Denying logon privilages

      You should be able to do it using a GPO if you’re able to put your laptops in a seperate OU.

      Put all the users in a group, and then under “Windows Settings\Security Settings\User Rights Assignment add the group to “Deny Log on Locally” and possibly “Deny Logon through TS”.

      If the seperate OU is not an option, you might have to run a script on your laptops to set those parameters locally.

    • #3214042

      Reply To: Denying logon privilages

      by cg it ·

      In reply to Denying logon privilages

      you can specify a user to only log on to a specific machine. you do this in their Active Directory User account properties page.

      If you want them to be able to log on to more than 1 machine but not all machines, then the first answer has a good suggestion for that.

    • #3209482

      Reply To: Denying logon privilages

      by dumphrey ·

      In reply to Denying logon privilages

      If you can get the budget, Deep Freeze is a good product for just such a case.

Viewing 2 reply threads