How to restrict use of a pc to one domain user only.

Backup

How do I restrict "DOMAIN USER" other than DOMAIN ADMINS from using a
workstation?

Better yet, I am looking for a way to only allow a certain user to use a
workstation where no other user in the domain can use it. Well outside of
domain admin.



Rewording this all: How do I restrict logins to my workstation from any
other user in the domain?

I don't want someone sitting at my desk and using my PC. (Note: I am the one
with the domain admin rights.)
 
Miha Pihler [MVP]

Hi,

You could use Local or Group Policy for this where you specify which users
have "Logon Locally" permission or "Deny Logon Locally".

Be careful with these policies since you can lock yourself out of the
computer/server. E.g. don't put your username in "Logon Locally" and then
put Everyone or Domain Users in "Deny Logon Locally" policy. "Deny Logon
Locally" policy will prevail and you will be locked out.

Policy can be found under:

Computer Configuration -> Windows Settings -> Security Settings -> Local
Policies -> User Rights Assignment

Log on locally
http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/547.mspx

Deny logon locally
http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/537.mspx

I hope this helps.
 
Roger Abell

If the machine local Users group is still granted the Log on locally
user right and it still has as a member Authenticated Users then
any domain account can log in. You must break this cycle in one
of a few ways. Example, Users contains the intended login account
but not Authenticated Users, and other than Users and Administrators
you do not have grants of the Log on locally user right.
 
Sandra L Miller

We have done a very similar thing for one of our student labs. In the
lab, there is a subset of machines that are only to be used by students
taking a certain class. To limit logons to the students taking the
class, we have done the following:

We removed “Users” from the “Log on locally” entry in the Local Policy
of each machine. We put the subset of machines in an OU in Active
Directory, then added groups (staff and special students, e.g.) to the
“Log on locally” entry in the Group Policy for the OU.

We did it this way because the students taking the class will change
from semester to semester, and this way we only have to change the
members of the group and not have to edit the Group Policy each
semester.

--
Sandra L Miller
Windows System Administrator
Department of Computer Science
University of Arizona

"The opinions or statements expressed herein are my own and should not be
taken as a position, opinion, or endorsement of the University of Arizona."
 
Guest

The easiest and simplest way of doing this is to modify the "Users" group:

Remove:
NT AUTHORITY\Authenticated Users
<domain>\Domain Users

Add:
<domain user account>
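
Added example (not part of any post in this thread): a simplified Python model of how the "Log on locally" (`SeInteractiveLogonRight`) and "Deny logon locally" (`SeDenyInteractiveLogonRight`) rights combine with local group membership, covering the deny-wins lockout and the Users/Authenticated Users cycle described in the replies above. The domain SID, the user RIDs and the policy text are constructed sample values in the `[Privilege Rights]` format that `secedit /export /cfg` writes.

```python
# Well-known SIDs; the domain SID and RIDs 1105/1106 are constructed sample values.
ADMINS, USERS = "S-1-5-32-544", "S-1-5-32-545"
EVERYONE, AUTH_USERS = "S-1-1-0", "S-1-5-11"
DOM = "S-1-5-21-1111111111-2222222222-3333333333"
DOMAIN_ADMINS, DOMAIN_USERS = DOM + "-512", DOM + "-513"
ALICE, BOB = DOM + "-1105", DOM + "-1106"   # ALICE is the intended user

# Constructed policy exports: default rights, and the lockout mistake.
DEFAULT_INF = """[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545
SeDenyInteractiveLogonRight = *S-1-5-32-546
"""
LOCKOUT_INF = f"""[Privilege Rights]
SeInteractiveLogonRight = *{ALICE}
SeDenyInteractiveLogonRight = *{DOMAIN_USERS}
"""
# Local group membership: default, and after editing the local Users group.
DEFAULT_GROUPS = {ADMINS: {DOMAIN_ADMINS}, USERS: {AUTH_USERS, DOMAIN_USERS}}
HARDENED_GROUPS = {ADMINS: {DOMAIN_ADMINS}, USERS: {ALICE}}

def token(user, *extra):
    """SIDs a domain account carries before local groups are resolved."""
    return {user, DOMAIN_USERS, AUTH_USERS, EVERYONE, *extra}

def parse_rights(inf_text):
    """Return {right name: set of SIDs} from the [Privilege Rights] section."""
    rights, in_section = {}, False
    for line in (l.strip() for l in inf_text.splitlines()):
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
        elif in_section and "=" in line:
            name, _, value = line.partition("=")
            rights[name.strip()] = {v.strip().lstrip("*") for v in value.split(",") if v.strip()}
    return rights

def expand(sids, local_groups):
    """Add every local group that (directly or via nesting) contains a token SID."""
    sids, changed = set(sids), True
    while changed:
        changed = False
        for group, members in local_groups.items():
            if group not in sids and sids & members:
                sids.add(group)
                changed = True
    return sids

def can_logon_locally(user_token, rights, local_groups):
    sids = expand(user_token, local_groups)
    if sids & rights.get("SeDenyInteractiveLogonRight", set()):
        return False  # a matching deny entry prevails over any allow entry
    return bool(sids & rights.get("SeInteractiveLogonRight", set()))
```

Running the check against an export of the policy you are about to apply, using your own account's group SIDs, shows a lockout before the policy takes effect.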
 