Howdy!
I have a need to lock down a computer (XP Pro) so that only the Domain Admins
group can log into it. I'm sure this is a group policy item, but I'm having
brain fade trying to figure out how to implement this.
If it's only one machine: Go to the machine, log on as administrator,
start "gpedit.msc" and navigate to the following settings:
"CompConf\Windows Settings\Security Settings\Local Policies\User Rights
Assignment" - and there are two settings called "Log on locally" and
"Deny logon locally". I recommend that you configure "Log on locally" as
you wish and wipe out all users and groups that shall not be able to log
onto the machine. Be careful that you do not lockout yourself ;-) The
follwing article provides more information on this:
http://support.microsoft.com/kb/823659
In order to get this done I'd like to remember you of the Remote Desktop
that you might want to disable as well in order to prevent users from
logging on and using the machine.
cheers,
Florian
