How to restrict use of a pc to one domain user only.

Archived from groups: microsoft.public.windows.server.general,microsoft.public.windows.server.security,microsoft.public.windows.server.setup,microsoft.public.windowsxp.security_admin (More info?)

How do I restrict "DOMAIN USER" other than DOMAIN ADMINS from using a
workstation?

Better yet, I am looking for a way to only allow a certain user to use a
workstation where no other user in the domain can use it. Well outside of
domain admin.


Rewording this all: How do I restrict logins to my workstation from any
other user in the domain.

I don't want someone sitting at my desk and using my PC. (note: I am the one
with the domain admin rights)
  1.

    If the machine local Users group is still granted the Log on locally
    user right and it still has as a member Authenticated Users then
    any domain account can log in. You must break this cycle in one
    of a few ways. Example, Users contains the intended login account
    but not Authenticated Users, and other than Users and Administrators
    you do not have grants of the Log on locally user right.

    --
    Roger Abell
    Microsoft MVP (Windows Security)
    MCSE (W2k3,W2k,Nt4) MCDBA
    "Backup" <backup@yahoo.com> wrote in message
    news:OpSNZd2RFHA.1396@TK2MSFTNGP10.phx.gbl...
    > How do I restrict "DOMAIN USER" other than DOMAIN ADMINS from using a
    > workstation?
    >
    > Better yet, I am looking for a way to only allow a certain user to use a
    > workstation where no other user in the domain can use it. Well outside of
    > domain admin.
    >
    >
    >
    > Rewording this all: How do I restrict logins to my workstation from any
    > other user in the domain.
    >
    > I don't want someone sitting at my desk and using my PC. (note: I am the one
    > with the domain admin rights)
    >
    >
    >
    >
  2.

    We have done a very similar thing for one of our student labs. In the
    lab, there is a subset of machines that are only to be used by students
    taking a certain class. To limit logons to the students taking the
    class, we have done the following:

    We removed “Users” from the “Log on locally” entry in the Local Policy
    of each machine. We put the subset of machines in an OU in Active
    Directory, then added groups (staff and special students, e.g.) to the
    “Log on locally” entry in the Group Policy for the OU.

    We did it this way because the students taking the class will change
    from semester to semester, and this way we only have to change the
    members of the group and not have to edit the Group Policy each
    semester.

    On 4/22/2005 11:18 AM Backup wrote:
    > How do I restrict "DOMAIN USER" other than DOMAIN ADMINS from using a
    > workstation?
    >
    > Better yet, I am looking for a way to only allow a certain user to use a
    > workstation where no other user in the domain can use it. Well outside of
    > domain admin.
    >
    >
    >
    > Rewording this all: How do I restrict logins to my workstation from any
    > other user in the domain.
    >
    > I don't want someone sitting at my desk and using my PC. (note: I am the one
    > with the domain admin rights)
    >
    >
    >
    >

    --
    Sandra L Miller
    Windows System Administrator
    Department of Computer Science
    University of Arizona

    "The opinions or statements expressed herein are my own and should not be
    taken as a position, opinion, or endorsement of the University of Arizona."
  3.

    The easiest and most simple way of doing this is to modify the "Users" group:

    Remove:
    NT AUTHORITY\Authenticated Users
    <domain>\Domain Users

    Add:
    <domain user account>
  4.

    Hi,

    You could use Local or Group Policy for this where you specify which users
    have "Logon Locally" permission or "Deny Logon Locally".

    Be careful with these policies since you can lock yourself out of the
    computer/server. E.g. don't put your username in "Logon Locally" and then
    put Everyone or Domain Users in "Deny Logon Locally" policy. "Deny Logon
    Locally" policy will prevail and you will be locked out.

    Policy can be found under:

    Computer Configuration -> Windows Settings -> Security Settings -> Local
    Policies -> User Rights Assignment

    Log on locally
    http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/547.mspx

    Deny logon locally
    http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/537.mspx

    I hope this helps.

    --
    Mike
    Microsoft MVP - Windows Security

    "Backup" <backup@yahoo.com> wrote in message
    news:OpSNZd2RFHA.1396@TK2MSFTNGP10.phx.gbl...
    > How do I restrict "DOMAIN USER" other than DOMAIN ADMINS from using a
    > workstation?
    >
    > Better yet, I am looking for a way to only allow a certain user to use a
    > workstation where no other user in the domain can use it. Well outside of
    > domain admin.
    >
    >
    >
    > Rewording this all: How do I restrict logins to my workstation from any
    > other user in the domain.
    >
    > I don't want someone sitting at my desk and using my PC. (note: I am the
    > one with the domain admin rights)
    >
    >
    >
    >
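The replies above come down to two user rights, "Log on locally" (`SeInteractiveLogonRight`) and "Deny logon locally" (`SeDenyInteractiveLogonRight`), plus the membership of the local Users group. The following is an added example, not code from any of the posters: it audits a `secedit` user-rights export for the lockout case and the still-open case described in the thread. The function names, the sample export and the SIDs in it are constructed for illustration.

```powershell
# Constructed sample of the [Privilege Rights] section written by
#   secedit /export /cfg rights.inf /areas USER_RIGHTS
# The domain SID and the RID 1104 are made up for this example.
$sample = @'
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545
SeDenyInteractiveLogonRight = *S-1-5-21-1111111111-2222222222-3333333333-513
'@ -split "`r?`n"

function Get-RightHolders {
    param([string[]]$Lines, [string]$Right)
    foreach ($line in $Lines) {
        if ($line -match "^\s*$Right\s*=\s*(.*)") {
            # secedit prefixes SIDs with '*'; strip it and surrounding spaces
            return @($Matches[1] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') })
        }
    }
    return @()   # right not defined in the export
}

function Test-BroadSid {
    # Everyone, Authenticated Users, or any domain's Domain Users (RID 513)
    param([string]$Sid)
    return ($Sid -in 'S-1-1-0', 'S-1-5-11') -or ($Sid -match '^S-1-5-21-[\d-]+-513$')
}

function Test-LogonRestriction {
    param([string[]]$Lines, [string]$IntendedSid)
    $allow = @(Get-RightHolders $Lines 'SeInteractiveLogonRight')
    $deny  = @(Get-RightHolders $Lines 'SeDenyInteractiveLogonRight')
    foreach ($sid in $deny) {
        if ((Test-BroadSid $sid) -or $sid -eq $IntendedSid) {
            "LOCKOUT: deny entry $sid covers the intended user, and deny prevails"
        }
    }
    foreach ($sid in $allow) {
        if (Test-BroadSid $sid) {
            "OPEN: $sid holds Log on locally, so any domain account can log on"
        } elseif ($sid -eq 'S-1-5-32-545') {
            "CHECK: local Users holds Log on locally; run 'net localgroup Users' and remove Authenticated Users / Domain Users"
        }
    }
    if ($IntendedSid -notin $allow -and 'S-1-5-32-545' -notin $allow) {
        "CHECK: intended SID and Users are both absent from Log on locally; confirm it is granted through another group"
    }
}

Test-LogonRestriction $sample 'S-1-5-21-1111111111-2222222222-3333333333-1104'
```

To audit a real machine, replace `$sample` with `Get-Content rights.inf` after running the `secedit` export from an elevated prompt.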