Re: How can I prevent users from logging onto a specific machine

From: Roger Abell (
Date: 05/07/04

Date: Thu, 6 May 2004 18:26:44 -0700

This is actually a little trickier than it first appears.
In a domain environment you need to
remove Domain Users from the machine local Users group
remove Authenticated Users from the machine local Users group
sometimes add machine local accounts back into the Users group
   (if they are used but are not used for interactive login)
add those domain accounts that should be allowed console login
    into the machine local Users group

Then, if you control login using the User Right that states the
principles that are allowed local logon you should see that the
Users group is listed, if not add it, and also remove any domain
principals that might be listed there (if any; leaving admins)

Roger Abell
Microsoft MVP (Windows Server System: Security)
MCSE (W2k3,W2k,Nt4)  MCDBA
"timg" <> wrote in message
> I want to restrict certain computers in our AD domain (windows server
> The machines I want to restrict are XP prof.  I want to allow users to log
> onto any machine in the domain be two specific ones.  On those I want to
> limit who can logon to a couple of users.
> Is there an easy way to do this?  I notice I can specify what machines a
> user can logon to, but that seems like a lot of maintenance to maintain
> list.  Any options?
> THanx!

Relevant Pages

  • Re: cant login using RDP even in Remote Desktop User group
    ... group policy that controls the 'Allow log on locally' and 'Allow logon ... > need to login remotely into the member servers using terminal client, ... > I put them in one global group and put this group into Remote Desktop ... > Users group, also grant Remote Desktop User group the right of logon ...
  • XP Security Policy issue with Remote Login
    ... As I tried to login the remote PC with the ... controller GPO for "Allow Logon Locally", but domain users group is already ... I also checked "Deny Logon ...