Restricting access to a Domain Controller

[David Salery]

I've been searching the knowledge base for an answer to
this question, but all I have found was how to audit for
unauthorized access to a Domain Controller.

Is there any way you can restrict all but certain users
to be able to log on to a Domain Controller or any other
computer for that matter? I was doing a test to see who
could log into what computers and domain controllers on
our network and was not happy with the results. Can
anyone help me on this? If there is more than one way, I
would like to know that as well, if possible. Thank you.

David

 

[Ron Bernier]

You can restrict the user right "Log on Locally" access through Group Policy
or Local Computer Policy ... Run MMC, go into the appropriate Group Policy
and go to Computer Configuration | Windows Settings | Security Settings |
Local Policies | User Rights Assignments | Log on locally ...

Be VERY careful when changing this or the "Access this computer from the
network" policies ... Always be sure you have an administrative-level
account in both of these (or at a minimum Log On Locally) ...