Deny groups from logging into specific computers

[Guest]

I know how to setup individual users so that they can only log into specific
computers, but is there a way to allow/deny GROUPS from logging into
computers?

We need specific groups to have access to a computer, and no one else can
for security reasons. How can I implement the policy to allow them all to
log in at the group level instead of at the individual level? (I can't find
it in GPO)

Thanks

 

[Steven L Umbach]

Configure the security policy user right for logon locally to only contain
the users/group that you want to logon to the computer. Deny logon locally
can also be used but I always prefer to try and not use deny as not having
allow permissions is an implicit deny. Also keep in mind that administrators
are members of the users and everyone groups if you ever use a deny
permission. Deny permissions also overrides allow permissions.

This can be done at the local/domain/Organizational Unit Level. For instance
open Local Security Policy [secpol.msc] and look under security
settings/local policies/user rights to find user rights. Security policy is
a subset of Group Policy/computer configuration so you could also create an
OU with a GPO to assign user rights at the OU level. --- Steve