Prevent a single user (or group) from logging on to a specific machine in Active Directory

vetteguy

We have a situation where we would like to prevent a specific user from logging on to a specific machine or group of machines. I'm pretty sure there is a way in Active Directory to do this, but I can't find the right policy setting. Does anyone know how? Basically I want to say something like "deny logon access to user user_1 to machines in group2". Thanks!
 

Sideswipe001

What you'll need to do is to apply a group policy to the computer that you want to deny access to. The setting that you'll want to edit is found under:

Computer configuration-->windows settings-->security settings-->local policies-->User Rights Assignment.

Look for "Deny logon locally" and add the user in question. Make sure this policy is ONLY attached to the computers that you want to deny them from, and not to the entire domain, or else they won't be able to log in anywhere.
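Added example (not part of the original post): once the policy has applied, the effective assignment can be checked on a target computer by exporting the User Rights Assignment area with secedit and looking for the account under SeDenyInteractiveLogonRight, the constant behind the deny-local-logon right. The function names and the CONTOSO\user_1 account are placeholders; group membership is not expanded, so if the right was granted to a group, pass the group name instead.

```powershell
# Added example: is an account listed under the deny-local-logon user right
# (SeDenyInteractiveLogonRight) in this machine's effective security policy?
# Run elevated on the target computer after the GPO has applied.
function Get-DenyLocalLogonEntries {
    $cfg = Join-Path $env:TEMP ("user-rights-{0}.inf" -f [guid]::NewGuid())
    try {
        # Export only the User Rights Assignment area of the effective policy.
        secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "secedit export failed (not elevated?)" }
        $line = Get-Content -Path $cfg |
            Where-Object { $_ -match '^\s*SeDenyInteractiveLogonRight\s*=' } |
            Select-Object -First 1
        if (-not $line) { return @() }   # the right is assigned to no one
        # The value is a comma-separated list; SIDs are prefixed with '*'.
        ($line -split '=', 2)[1].Split(',') |
            ForEach-Object { $_.Trim() } | Where-Object { $_ }
    }
    finally {
        Remove-Item -Path $cfg -ErrorAction SilentlyContinue
    }
}

function Test-DenyLocalLogon {
    param([Parameter(Mandatory)][string]$Account)   # placeholder: 'CONTOSO\user_1'
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $sid = ([System.Security.Principal.NTAccount]$Account).Translate($sidType).Value
    foreach ($entry in Get-DenyLocalLogonEntries) {
        if ($entry.StartsWith('*')) {
            if ($entry.Substring(1) -eq $sid) { return $true }
        }
        else {
            # Entry stored by name: resolve it to a SID before comparing.
            try {
                $entrySid = ([System.Security.Principal.NTAccount]$entry).Translate($sidType).Value
                if ($entrySid -eq $sid) { return $true }
            } catch { }   # name no longer resolves: skip it
        }
    }
    return $false
}

# Direct listing only: a deny granted through a group is not detected for a member.
Test-DenyLocalLogon -Account 'CONTOSO\user_1'
```

Running the same check on a computer outside the policy's scope should return False, which confirms the policy is not linked more widely than intended.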
 

vetteguy

Originally posted by: Sideswipe001
What you'll need to do is to apply a group policy to the computer that you want to deny access to. The setting that you'll want to edit is found under:

Computer configuration-->windows settings-->security settings-->local policies-->User Rights Assignment.

Look for "Deny logon locally" and add the user in question. Make sure this policy is ONLY attached to the computers that you want to deny them from, and not to the entire domain, or else they won't be able to log in anywhere.
Cool..thanks, I will check that out!