Restrict users to only certain pc's

[Guest]

Hi

I want to restrict some users so they can only log onto the pc's in their
department.
I know it can be done at each user's properties on the account tab but I was
just wondering if it can be done as a group policy so can add the whole group
at the same time.

Thanks

 

[Tim Springston [MSFT]]

The closest setting's configurable via group policy which would help you
with this would probably be the user rights assignments for
DenySeInteractiveLogonRight, also known as Deny Interactive Logon.

I would be very cautious about deploying this setting via policy though and
test it prior to putting it into production. When placing an explicit deny,
or implicit deny (as a result of explicit allows minus the user which will
not be allowed) it can be very easy to inadvertantly prevent users access.

You could configure the setting below in a policy linked to the OU which the
department's computers are in. The computers will need Read Allow and Apply
Group Policy Allow permissions.

Setting is:

Computer Configuration-->Windows Settings-->Security Settings-->Local
Policies-->User Rights Assignment. The setting is titled "Deny logon
locally", or alternatively "Allow logon locally" if you decide to engineer
this a little differently.

Please repost if you have any remaining questions.

--

Tim Springston
Microsoft Corporation

This posting is provided "AS IS" with no warranties, and confers no rights.