Question

  • #2150683

    Restrict login on a specific computer

    Locked

    by mreed3 ·

    Have a Windows Server 2003 Std R2 Domain. Approx 100 computers and 150 users. Due to software requirements, all users must be admins. Several computers are mission critical and run Windows XP with SP2. How can I restrict login on critical computers to a specific set of users and keep everyone else from being able to log in to those computers?

All Answers

    • #2914503

      Clarifications

      by mreed3 ·

      In reply to Restrict login on a specific computer

      Clarifications

    • #2914498

      Simplest way

      by mikedyne ·

      In reply to Restrict login on a specific computer

      I would guess would be to set up boot passwords on those machines you deem mission critical, and only tell those users who need them the password.

      What about adding all the users that shouldn’t use those PCs to a group in AD, then setting the NTFS settings of C:\ to DENY these users any access?

      • #2914490

        Nope, don’t modify NTFS

        by cmiller5400 ·

        In reply to Simplest way

        If you REALLY want to lock them out, in the local security policy of the PC to be restricted go to Computer Configuration, Windows Settings, Security Settings, Local Policies, User Rights Assignments, and then remove them from the Log on locally policy and add them to the “Deny Logon Locally”.

        • #2914470

          Can you explain

          by mikedyne ·

          In reply to Nope, don’t modify NTFS

          The advantages of your method over changing NTFS permissions? Just curious really, the more I can learn from here the better.

        • #2914131

          Changing NTFS permissions

          by cmiller5400 ·

          In reply to Can you explain

          Changing NTFS permissions doesn’t disallow them access to the system, it just means they can’t access the file(s).

          Theoretically you could do that, but when the user logs in, they are going to see some error messages as they log in. It is even possible that the machine will lock up to the point that it will need to be rebooted hard. Why bother with tinkering with NTFS to “lock out” specific users when you can accomplish the same thing at the login screen? Restrict them in local security policy, and remove them from the local security groups.
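An added example, not part of any poster's reply: one way to verify the user-rights lockdown described in this sub-thread is to export the restricted PC's policy with `secedit /export /cfg rights.inf /areas USER_RIGHTS` and audit the `[Privilege Rights]` section. The sample export and the two domain-group SIDs below are constructed for illustration.

```python
import re

# Constructed sample in the format written by
#   secedit /export /cfg rights.inf /areas USER_RIGHTS
# (real exports are UTF-16; open them with encoding="utf-16").
# The S-1-5-21-... SIDs are made-up domain groups for this example.
ALLOWED_GROUP = "S-1-5-21-1111-2222-3333-1105"   # hypothetical: critical-PC operators
DENIED_GROUP = "S-1-5-21-1111-2222-3333-1106"    # hypothetical: everyone else
SAMPLE_INF = f"""[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545,*{ALLOWED_GROUP}
SeDenyInteractiveLogonRight = *{DENIED_GROUP}
[Version]
signature="$CHICAGO$"
"""
BROAD = {"S-1-1-0": "Everyone", "S-1-5-11": "Authenticated Users",
         "S-1-5-32-545": "BUILTIN\\Users"}
ADMINS = "S-1-5-32-544"  # well-known SID of the local Administrators group

def parse_rights(inf_text):
    """Return {right name: set of SIDs/account names} from [Privilege Rights]."""
    rights, section = {}, None
    for line in (l.strip() for l in inf_text.splitlines()):
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).lower()
        elif section == "privilege rights" and "=" in line:
            name, _, value = line.partition("=")
            rights[name.strip()] = {v.strip().lstrip("*") for v in value.split(",") if v.strip()}
    return rights

def audit(inf_text, allowed_group, denied_group):
    """List the ways the exported policy falls short of the intended lockdown."""
    rights = parse_rights(inf_text)
    allow = rights.get("SeInteractiveLogonRight", set())     # Log on locally
    deny = rights.get("SeDenyInteractiveLogonRight", set())  # Deny log on locally
    findings = [f"{BROAD[s]} may still log on locally" for s in sorted(allow & set(BROAD))]
    findings += [f"Domain Users ({s}) may still log on locally"
                 for s in sorted(allow) if s.startswith("S-1-5-21-") and s.endswith("-513")]
    if allowed_group not in allow:
        findings.append("permitted group has no local logon right")
    if denied_group not in deny:
        findings.append("restricted group is not in Deny log on locally")
    if ADMINS in deny:  # a deny right overrides an allow right for the same account
        findings.append("Administrators is denied, which also locks out permitted local admins")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_INF, ALLOWED_GROUP, DENIED_GROUP):
        print("FINDING:", finding)
```

Because a deny right wins over an allow right, the restricted group must not contain any account that is meant to keep access to the critical PC.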

    • #2914494

      A few thoughts

      by cmiller5400 ·

      In reply to Restrict login on a specific computer

      How are you setting up the users as admins? I hope not by adding them to the domain admin group! This should be easy because all you need to do is add the users to a domain group and only give that group admin access on that station. Remove the domain users group from the local users group on the PCs you wish to restrict.

    • #2925296

      Clarification

      by mreed3 ·

      In reply to Restrict login on a specific computer

      The users are Administrators on the Local Machine, absolutely not on the Domain. I set up a Group Policy in the Domain restricting use of the Internet but it does not work.
