
Deny user from accessing a PC

Anonymous
February 23, 2005 10:35:10 AM

Archived from groups: microsoft.public.win2000.group_policy

I am looking for an easy way to prevent a valid domain user account from
accessing certain PCs on our domain. Can this be done from Group Policies
in AD? I have several department managers that don't want their staff to use
their PC.
Thanks for any suggestions

Anonymous
February 23, 2005 2:49:50 PM

The setting you need is under Computer Config > Windows Settings > Security
Settings > Local Policies > User Rights Assignment. Add the required
accounts to the 'Deny Logon locally' bit and apply the GPO to the managers'
PCs.

Alternatively, just tell the staff not to log on to the managers' PCs :-)

"solyst" <solyst@discussions.microsoft.com> wrote in message
news:9C5CC6D5-9A3D-475A-A1FB-1F1AFDD0CAB4@microsoft.com...
> I am looking for an easy way to prevent a valid domain user account from
> accessing certain PCs on our domain. Can this be done from Group Policies
> in AD? I have several department managers that don't want their staff to use
> their PC.
> Thanks for any suggestions

Anonymous
February 24, 2005 12:52:49 AM

Another way is to remove the Domain Users group from the local Users group
and remove the Domain Admins from the local Administrators group. By
default, the Remote Desktop Users group is empty.

Add the manager's domain account (or an appropriate domain group) to the
local Users group.

You probably want to have at least one domain user account (or group) in the
local Administrators group so someone can actually administer the computer.

You can do all of this via Group Policies using the Computer Configuration,
Windows Settings, Restricted Groups, but be aware of the content of KB
article http://support.microsoft.com/?id=810076. Prior to Windows 2000 SP4,
Restricted Groups GPOs could only completely REPLACE the local group
membership.

--
Bruce Sanderson MVP Printing
http://members.shaw.ca/bsanders

It is perfectly useless to know the right answer to the wrong question.



"solyst" <solyst@discussions.microsoft.com> wrote in message
news:9C5CC6D5-9A3D-475A-A1FB-1F1AFDD0CAB4@microsoft.com...
> I am looking for an easy way to prevent a valid domain user account from
> accessing certain PCs on our domain. Can this be done from Group Policies
> in AD? I have several department managers that don't want their staff to use
> their PC.
> Thanks for any suggestions
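
A check for the approach in the replies above, as an added example that is not part of the original thread: once the GPO has applied, export the user rights on a manager's PC with `secedit /export /cfg rights.inf /areas USER_RIGHTS` and confirm that the staff group is in the deny right and that no group the manager or the administrators belong to is denied as well. The sample export, its SIDs and the function names are constructed for illustration.

```python
import re

DENY_LOCAL = "SeDenyInteractiveLogonRight"  # the "Deny logon locally" user right
# Principals that also cover the manager or the admins: Everyone, Authenticated
# Users, BUILTIN\Administrators, BUILTIN\Users, and domain RIDs 512/513
# (Domain Admins / Domain Users).
BROAD = re.compile(r"S-1-1-0|S-1-5-11|S-1-5-32-54[45]|S-1-5-21-\d+-\d+-\d+-51[23]")

# Constructed export from a manager's PC; SID ...-1105 is a made-up staff group.
# A real export is UTF-16: read it with open(path, encoding="utf-16").
SAMPLE_EXPORT = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545
SeDenyInteractiveLogonRight = *S-1-5-21-1111111111-2222222222-3333333333-1105,Guest
[Version]
signature="$CHICAGO$"
Revision=1
"""


def normalize(principal):
    """secedit writes SIDs as *S-1-...; account names appear bare."""
    return principal.strip().lstrip("*").upper()


def parse_privilege_rights(inf_text):
    """Return {right: set of principals} from the [Privilege Rights] section."""
    rights, section = {}, None
    for line in (raw.strip() for raw in inf_text.splitlines()):
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "privilege rights" and "=" in line:
            name, _, value = line.partition("=")
            rights[name.strip()] = {normalize(p) for p in value.split(",") if p.strip()}
    return rights


def check_deny_local_logon(inf_text, must_be_denied):
    """Return expected principals missing from the deny right, and denied
    principals broad enough to lock out the manager or administrators."""
    denied = parse_privilege_rights(inf_text).get(DENY_LOCAL, set())
    wanted = {normalize(p) for p in must_be_denied}
    return {
        "missing": sorted(wanted - denied),
        "too_broad": sorted(p for p in denied if BROAD.fullmatch(p)),
    }
```

An empty `missing` and an empty `too_broad` list mean the deny right holds exactly the intended scope; group membership is not expanded, so nested groups still need checking in AD.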