Re: Locking a user down to a single computer!

From: Cary Shultz [A.D. MVP] (cwshultz_at_mvps.org)
Date: 01/19/05


Date: Tue, 18 Jan 2005 19:48:50 -0500

There are a lot of ways to do this. I might take a look at using the 'deny
logon locally' solution. It can be found here:

Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment

Use a security group and make that one specific user account object the only
member of that group. Then apply the Deny Logon Locally right to that
group. You would create an OU and move all of the computer account objects
(except the one where he/she is supposed to be able to use) into that OU.
Then create the GPO and link it to that OU.

This might be one way to do this.

If moving all of the computer account objects EXCEPT ONE to a separate OU
causes a problem for you then you might want to take a look at Group
Filtering.

-- 
Cary W. Shultz
Roanoke, VA  24014
Microsoft Active Directory MVP
http://www.activedirectory-win2000.com
http://www.grouppolicy-win2000.com
"QBob" <hintonrunce@nospam.hotmail.com> wrote in message 
news:O3Y$c3b$EHA.3528@TK2MSFTNGP10.phx.gbl...
> Hi, thanks for reading.  I am looking for some advice on locking a user
> down to a single computer using GP or any other method; within a domain.
> The user needs access to email, internet and network shares so I am a
> little limited in how locked down I can make the user.  I would like to do
> this within a separate OU and not affect my entire domain by locking the
> person out of every PC at the domain level and then allowing through at a
> lower level, but am open to all ideas.  My network is a Windows 2000
> network with multiple DCs. Thanks!
>
> 
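
An added example, not part of the original thread: once a GPO like the one described in the reply is linked, each computer's user rights can be exported with `secedit /export /cfg <file> /areas USER_RIGHTS` and audited with a script such as the one below. The group SID, host names and export contents are constructed, and the network-logon check is an added assumption based on the stated need for share access.

```python
DENY_LOCAL = "SeDenyInteractiveLogonRight"    # "Deny logon locally"
DENY_NETWORK = "SeDenyNetworkLogonRight"      # "Deny access to this computer from the network"
GROUP_SID = "S-1-5-21-1111111111-2222222222-3333333333-1105"  # constructed SID of the one-user group

def rights_from_export(text):
    """Parse [Privilege Rights] of a secedit export (already decoded; files are usually UTF-16)."""
    rights, section = {}, None
    for line in text.lstrip("\ufeff").splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "Privilege Rights" and "=" in line:
            name, _, value = line.partition("=")
            rights[name.strip()] = {p.strip().lstrip("*").upper()
                                    for p in value.split(",") if p.strip()}
    return rights

def audit(exports, group_sid, allowed_host):
    """exports maps hostname -> export text; returns a list of (host, problem)."""
    sid = group_sid.upper()
    findings = []
    for host, text in sorted(exports.items()):
        rights = rights_from_export(text)
        denied_local = sid in rights.get(DENY_LOCAL, set())
        if host == allowed_host and denied_local:
            findings.append((host, "group is denied on the one computer meant to allow logon"))
        elif host != allowed_host and not denied_local:
            findings.append((host, "Deny logon locally is not applied to the group"))
        if sid in rights.get(DENY_NETWORK, set()):
            findings.append((host, "network logon is also denied; shares on this host are blocked"))
    return findings

def sample_export(local, network="*S-1-5-32-546"):
    """Build a constructed export; S-1-5-32-546 is the built-in Guests group."""
    return ("[Unicode]\nUnicode=yes\n[Privilege Rights]\n"
            f"{DENY_LOCAL} = {local}\n{DENY_NETWORK} = {network}\n"
            '[Version]\nsignature="$CHICAGO$"\nRevision=1\n')

SAMPLE_EXPORTS = {  # constructed data, one entry per computer
    "PC-ALLOWED": sample_export("*S-1-5-32-546"),               # outside the OU, as intended
    "PC-01": sample_export("*S-1-5-32-546,*" + GROUP_SID),      # GPO applied
    "PC-02": sample_export("*S-1-5-32-546"),                    # GPO did not apply
    "PC-03": sample_export("*" + GROUP_SID, "*" + GROUP_SID),   # wrong right added as well
}

if __name__ == "__main__":
    for host, problem in audit(SAMPLE_EXPORTS, GROUP_SID, "PC-ALLOWED"):
        print(f"{host}: {problem}")
```
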

