deny user from access a pc

[Guest]

I am looking for an easy way to prevent a valid domain user account from
accessing certain pc's on our domain. Can this be done from Group Policies
in AD. I have serveal department managers that don't want their staff to user
their pc.
Thanks for any suggestions

 

[Simon Geary]

The setting you need is under Computer Config > Windows Settings > Security
Settings > Local Policies > User Rights Assignment. Add the required
accounts to the 'Deny Logon locally' bit and apply the GPO to the managers
PCs.

Alternatively, just tell the staff not to log on to the managers PC

 

[Bruce Sanderson]

Another way is to remove the Domain Users group from the local Users group
and remove the Domain Admins from the local Administrators group. By
default, the Remote Desktop Users group is empty.

Add the manager's domain account (or an appropriate domain group) to the
local Users group.

You probably want to have at least one domain user account (or group) in the
local Administrators group so some one can actually administer the computer.

You can do all of this via Group Policies using the Computer Configuration,
Windows Settings, Restricted Groups, but be aware of the content of KB
article http://support.microsoft.com/?id=810076. Prior to Windows 2000 SP4,
Restricted Groups GPOs could only completely REPLACE the local group
membership.