General discussion


Denying logon privilages

By Daddy123 ·
Hello all,
I work in a school district. We have a Windows server 2003 Active Directory domain. We have a few hundred laptops running Windows XP that the students use. Last year the students wreaked havoc on them, i.e. changing desktops, deleting and changing icons, deleting folders, etc. During this summer we have implemented a total lockdown of the laptops, (and PCs) through active Directory using Mandatory Profiles and Group Policies. But we did this for only a hand full of users that we want to use the laptops. Is there a way of denying, certain domain users logon privileges to the laptops? And if so, can it be done through active directory, or does it have to be done on the local machine?


This conversation is currently closed to new comments.

Thread display: Collapse - | Expand +

All Comments

Collapse -

by lowlands In reply to Denying logon privilages

You should be able to do it using a GPO if you're able to put your laptops in a seperate OU.

Put all the users in a group, and then under "Windows Settings\Security Settings\User Rights Assignment add the group to "Deny Log on Locally" and possibly "Deny Logon through TS".

If the seperate OU is not an option, you might have to run a script on your laptops to set those parameters locally.

Collapse -

by CG IT In reply to Denying logon privilages

you can specify a user to only log on to a specific machine. you do this in their Active Directory User account properties page.

If you want them to be able to log on to more than 1 machine but not all machines, then the first answer has a good suggestion for that.

Collapse -

by Dumphrey In reply to Denying logon privilages

If you can get the budget, Deep Freeze is a good product for just such a case.

Related Discussions

Related Forums