Restrict login on a specific computer

By mreed
Have a Windows Server 2003 Std R2 Domain. Approx 100 computers and 150 users. Due to software requirements, all users must be admins. Several computers are mission critical and run Windows XP with SP2. How can I restrict login on critical computers to a specific set of users and keep everyone else from being able to log in to those computers?

All Answers

Simplest way

by mikedyne In reply to Restrict login on a speci ...

I would guess would be to set up boot passwords on those machines you deem mission critical, and only tell those users who need them the password.

What about adding all the users that shouldn't use those PCs to a group in AD, then setting the NTFS settings of C to DENY these users any access?

Nope, don't modify NTFS

by cmiller5400 In reply to Simplest way

If you REALLY want to lock them out, in the local security policy of the PC to be restricted go to Computer Configuration, Windows Settings, Security Settings, Local Policies, User Rights Assignments, and then remove them from the Log on locally policy and add them to the "Deny Logon Locally".

Can you explain

by mikedyne In reply to Nope, don't modify NTFS

The advantages of your method over changing NTFS permissions? Just curious really, the more I can learn from here the better.

Changing NTFS permissions

by cmiller5400 In reply to Can you explain

Changing NTFS permissions doesn't disallow them access to the system, it just means they can't access the file(s).

Theoretically you could do that, but when the user logs in, they are going to see some error messages as they log in. It is even possible that the machine will lock up to the point that it will need to be rebooted hard. Why bother with tinkering with NTFS to "lock out" specific users when you can accomplish the same thing at the login screen? Restrict them in local security policy, and remove them from the local security groups.
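
The user-rights change described in the two replies above, written as a security template so the same settings can be applied to each critical PC (an added example, not part of the original thread). The group names CORP\CriticalPC-Operators and CORP\CriticalPC-Denied and the file names are hypothetical placeholders.

```ini
; critical-logon.inf  (hypothetical file name)
;
; Apply on each critical PC from an administrator command prompt:
;   secedit /configure /db critical-logon.sdb /cfg critical-logon.inf /areas USER_RIGHTS
; Confirm afterwards by exporting the rights and reading the same two keys:
;   secedit /export /cfg current-rights.inf /areas USER_RIGHTS

[Unicode]
Unicode=yes

[Version]
signature="$CHICAGO$"
Revision=1

[Privilege Rights]
; "Log on locally". The value set here replaces the existing list, so the
; local Users group (which contains Domain Users on a domain-joined PC) is
; dropped simply by not listing it.
; *S-1-5-32-544 is the built-in local Administrators group.
; CORP\CriticalPC-Operators is an assumed domain group holding the people
; who are allowed to use this PC.
SeInteractiveLogonRight = *S-1-5-32-544,CORP\CriticalPC-Operators

; "Deny log on locally". Deny takes precedence over allow, so a member of
; this group is refused at the logon screen even if another group would
; let them in. Never put an allowed operator or the Administrators group
; here, or the console becomes unusable for them as well.
; CORP\CriticalPC-Denied is an assumed domain group for everyone else.
SeDenyInteractiveLogonRight = CORP\CriticalPC-Denied
```

These two rights govern console logon only; network and Remote Desktop logon are separate user rights. A domain Group Policy that defines the same rights overrides the local values at the next policy refresh.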

A few thoughts

by cmiller5400 In reply to Restrict login on a speci ...

How are you setting up the users as admins? I hope not by adding them to the domain admin group! This should be easy because all you need to do is add the users to a domain group and only give that group admin access on that station. Remove the domain users group from the local users group on the PCs you wish to restrict.


by mreed In reply to Restrict login on a speci ...

The users are Administrators on the Local Machine, absolutely not on the Domain. I set up a Group Policy in the Domain restricting use of the Internet but it does not work.
