Log On - only specific domain users

  • Thread starter Thread starter Christian Goldmann
  • Start date Start date
C

Christian Goldmann

Hello

We have a 2003 domain with AD.
On a special XP Prof Workstation should only 2 specific domainuser be
able to log on.

Vice versa to the usermanager with log-on-policies for a user to
special computers, we want a log-on-policy for a computer with special
users.

What can we do?


Thank you for Your time.

Christian
 
Hi, Christian -

Here's how I'd do it -

Log on as domain user with administrator rights to the
workstation and create a local group for the domain
accounts you want to be able to log on to the machine -
let's call the local group "Authorized Users".

Then set a local policy that denies the right to log on
locally to the "Users" local group but allows
the "Authorized Users" local group access to the
workstation.

If you run the Group Policy Editor (gpedit.msc) you'll
find the policy under Local Computer Policy --> Computer
Configuration --> Windows Settings --> Security Settings -
-> Local Policies --> User Rights Assignment.

My suggestion? Remove Backup Operators, Guest, Power
Users and Users from the policy and add "Authorized
Users". Then only your domain users with administrator
rights and the users you've authorized to log on should
have access to the machine.

hth -
 
allan grossman said:
[...]
Here's how I'd do it -
[...]
Click to expand...


Hello Allan,

thanks a lot for Your answer. It seems to be very helpful.
Does this hint affect only the local log-on on this machine, or can it
deny the domain-log-on for domain-users, too?


kindly regards
Christian
 
allan grossman said:
[...]
Here's how I'd do it -
[...]
Click to expand...


Hello Allan,

thanks a lot for Your answer. It seems to be very helpful.
Does this hint affect only the local log-on on this machine, or can it
deny the domain-log-on for domain-users, too?
Click to expand...


Hello

last friday night i found the time to test it out.
It works fine on a XP Machine and it works fine not only for local
users; it works for domain-users, too.

The policy-name is confusing me, but i ignore it now.

kindly regards
Christian
 
Back
Top