Re: How can I prevent users from logging onto a specific machine

From: Roger Abell (mvpNOSpam_at_asu.edu)
Date: 05/07/04


Date: Thu, 6 May 2004 18:26:44 -0700

This is actually a little trickier than it first appears.
In a domain environment you need to
remove Domain Users from the machine local Users group
remove Authenticated Users from the machine local Users group
sometimes add machine local accounts back into the Users group
   (if they are used but are not used for interactive login)
add those domain accounts that should be allowed console login
    into the machine local Users group

Then, if you control login using the User Right that states the
principles that are allowed local logon you should see that the
Users group is listed, if not add it, and also remove any domain
principals that might be listed there (if any; leaving admins)

-- 
Roger Abell
Microsoft MVP (Windows Server System: Security)
MCSE (W2k3,W2k,Nt4)  MCDBA
"timg" <tim@deltacompsys.com> wrote in message
news:109i76dergngp57@corp.supernews.com...
> I want to restrict certain computers in our AD domain (windows server
2003).
> The machines I want to restrict are XP prof.  I want to allow users to log
> onto any machine in the domain be two specific ones.  On those I want to
> limit who can logon to a couple of users.
>
> Is there an easy way to do this?  I notice I can specify what machines a
> user can logon to, but that seems like a lot of maintenance to maintain
that
> list.  Any options?
>
> THanx!
>
>