• Creator
  • #2226423

    How do I restrict who can log onto a particular system?


    by engineer.soldier ·

    I have a particular computer on an active directory domain and I need to restrict who can log onto it. I have created some active directory security groups (example: group 1 is Finance, group 2 is Engineers, etc.). I need to restrict all Authenticated Users from logging onto a particular workstation connected to the network. I need only one particular active directory security group to have the ability to log onto this workstation (with their least privilege accounts (not power user or administrator)). Thank you for any assistance/ideas.

All Answers

  • Author
    • #2635164


      by engineer.soldier ·

      In reply to How do I restrict who can log onto a particular system?


    • #2635145

      Group Policy / Log on Locally

      by churdoo ·

      In reply to How do I restrict who can log onto a particular system?

      I would create an OU to hold this computer account(s), move the computer account(s) to the OU, then create a Group Policy on the OU with the Computer Configuration / Windows Settings / Security Settings / Local Policies / User Rights Assignment / Log on Locally policy modified to allow only the proper security group (plus Domain Admins as a safety).

      • #2635062

        Reference OU creation

        by engineer.soldier ·

        In reply to Group Policy / Log on Locally

        Thank you, great info. Unfortunately my Domain is CONUS wide and I only have control over the Users, Security Groups and Computers in my OU. I do not have Domain permissions to create any new OUs. Several months? back I had requested an additional OU for another project I was working, but the request was denied (was told that there were already too many OUs in the CONUS wide Forest). I will try to request another OU and see what happens. If anyone else has additional ideas I would appreciate their feedback.

    • #2617859

      Check this

      by vsharma ·

      In reply to How do I restrict who can log onto a particular system?


      Open DSA.msc (from Run), right-click on the domain name, go to New and make an organizational unit; name it, say, vj. Then click on the domain; here you will see all the computers which you have added in your domain. Go to the particular computer on which you want to give access to a particular group and move this to the Vj OU. Then right-click on the Vj OU, go to Properties, now go to the Group Policy tab, make a new GPO and then edit it.
      Go to Windows Settings\Security Settings\Local Policy\User Rights Assignment\. On the right pane you will see a policy (first policy) "Access this computer from the network". Add the particular group you want to add to this, which will enable them to run that particular computer which you have added in the VJ OU.

      I think it will definitely help you.

      If you have any concern or any issue you can contact me.

      • #2750841


        by drewdizzle ·

        In reply to Check this

        So I have the same issue. I made the OU and added a few computers. I created the GP and added the user group that I want to have access to this computer. Maybe I am not giving enough time for the GP to update, but I can use a non-privileged user account to get right in. I have done a GPUPDATE and it still seems to not have any effect.

        • #2750822

          check effective

          by shasca ·

          In reply to Question

          What does GPRESULT show as the effective policies at the workstation in question? Check and adjust from that point on.

          Asking your own question isn’t that hard. You don’t need to recycle a 2-year-old.

        • #2750111


          by drewdizzle ·

          In reply to check effective

          Well not to be harsh..

          But what the hell does it matter how old the original question was? I did a search for the answer I was looking for, and this seemed to be it. I replied to it because it looked like it should work, but it wasn’t.

          Who are you to bag on me for doing what I did?

          Thanks for the helpful replies, but why don’t you get off your high horse for a while there guy…

        • #2750651

          There IS another reason

          by ic-it ·

          In reply to OK

          to start your own question.
          As you pointed out, the previous answers to the OP (Original Poster) were apparently not helpful.
          If you received a (new) helpful answer in your own thread, you could mark it as helpful to assist another looking for help.

          There is no need for thin skin here. 😉
          By the way was my answer helpful to you?

        • #2750546


          by drewdizzle ·

          In reply to There IS another reason

          Actually yes, your answer did help. I found the “ALLOW local login” and the “DENY local login”. Both are exactly what I was looking for.

          Thanks for the help on that. I don’t mean to get all pissy, I just didn’t think it was necessary for Shasca to say what he did.

        • #2750813

          Do it this way

          by ic-it ·

          In reply to Question

          One GPO to deny local logon to all but admins and the user group.

          Open the GPO linked to the OU that contains the computers in question.
          Open the COMPUTER configuration / Windows Settings / Security Settings / Local Policies / User Rights Assignment.
          Here find the key “Log on Locally”.
          This is the one you want!
          Edit it.
          In its window, check “Define this Policy” and then click on the “Add user or group” button. Add the users and groups that you want to be able to log on interactively (that means at the machine). Make sure you include the Administrators group. This will be the admins for the local machine. It does not work without it.

          Then if you want those users to only log on to that group of computers:
          Open the admin tool AD Computers and Users.
          Navigate to the affected Users Group, right-click and select Properties.
          Select the Account tab and then the Logon To button.
          Add only the computer names that they will be allowed to log on to.

          Sometimes it does take a second logon or gpupdate /force to enact the GPO.

          Edited due to minor brain flatulation

    • #2750819

      Simple…but works

      by normh3 ·

      In reply to How do I restrict who can log onto a particular system?

      I have this same scenario at a client site where I found some people logging in where we didn’t want them to. In XP, change the security permissions of “Documents and Settings” to only include users that you want to use the PC. Make sure you remove any previously created profiles of those you want to prohibit. The same can be done in Vista by changing permissions of the “Users” folder.

    • #2779001

      Through Log on locally

      by raghu_dv11 ·

      In reply to How do I restrict who can log onto a particular system?

      1) On the workstation or victim computer that required restrictions:
      Start -> Run -> gpedit.msc -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights -> Log on locally -> remove all the users and groups and provide the group which requires access.

      2) Allow logon through terminal access, i.e. by RDP -> provide the AD group which requires access to the computer.
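      A way to verify the result instead of guessing at it (cf. the GPUPDATE confusion above), added here as an example and not code from any poster: it exports the workstation's effective User Rights Assignment with secedit, showing the rights behind the "Log on Locally" and Remote Desktop settings from churdoo's, ic-it's and raghu_dv11's posts, and for ic-it's second step lists each permitted user's "Log On To" fence. The group name FinanceKioskUsers is a placeholder, and the second half assumes the RSAT ActiveDirectory module is installed.

```powershell
# Added example (not from any poster). Run in an elevated PowerShell on the
# workstation that the GPO is meant to lock down.
$inf = Join-Path $env:TEMP 'rights.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null

# The four rights that decide who may sign in at the console or over RDP.
# "Deny" always wins over "Allow" for the same account or group.
$rights = @{
    SeInteractiveLogonRight           = 'Allow log on locally'
    SeDenyInteractiveLogonRight       = 'Deny log on locally'
    SeRemoteInteractiveLogonRight     = 'Allow log on through Remote Desktop Services'
    SeDenyRemoteInteractiveLogonRight = 'Deny log on through Remote Desktop Services'
}

function Resolve-Principal([string]$entry) {
    # secedit writes resolvable accounts as *SID; anything it could not
    # resolve is left as a bare name, so return that unchanged.
    if ($entry.StartsWith('*')) {
        try {
            $sid = [System.Security.Principal.SecurityIdentifier]$entry.Substring(1)
            return $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch { return $entry }   # orphaned SID: show it raw
    }
    return $entry
}

# Print only the logon-related lines of the [Privilege Rights] section.
foreach ($line in Get-Content $inf) {
    if ($line -match '^(Se\w+)\s*=\s*(.*)$' -and $rights.ContainsKey($matches[1])) {
        $who = $matches[2].Split(',') | ForEach-Object { Resolve-Principal $_.Trim() }
        '{0,-48} {1}' -f $rights[$matches[1]], ($who -join '; ')
    }
}
Remove-Item $inf

# ic-it's second step: each member of the permitted group should carry this
# computer in the account's "Log On To" list (LogonWorkstations attribute).
$group = 'FinanceKioskUsers'      # placeholder for the one permitted AD group
$pc    = $env:COMPUTERNAME
Get-ADGroupMember -Identity $group -Recursive |
    Where-Object objectClass -eq 'user' |
    Get-ADUser -Properties LogonWorkstations |
    Select-Object SamAccountName,
        @{ n = 'LogOnTo';        e = { $_.LogonWorkstations } },
        @{ n = 'FencedToThisPC'; e = { ($_.LogonWorkstations -split ',') -contains $pc } }
```

      An empty LogOnTo column means the account may still sign in anywhere else the GPO does not cover; the rights listing shows whether Authenticated Users or Users is still present in "Allow log on locally", which is the usual reason a non-privileged account still gets in.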
