limit domain user login to specific group on 2 xp machines

[Patrick]

All,

I am trying to limit domain usage on a couple of computers in a
computer "lab" setting. I would like to have a specific domain group
(group x) login to two student machines in this lab setting. This group
(other than admins) should be the only people to be able to do this.

I have tried a fix I read about in another posting that had me deleting
the "domain users account under the "users" group in "groups" from
managing "local users and groups" in the "computer management" console,
and replacing with the specific user(s) from the domain, it did not
work, and I am not sure why (I even deleted all exisiting domain
profiles).

Any Ideas?

Thanks in advance,

-Patrick Montag

 

[rwh]

Try setting the local security policy setting
Local Policies-User Rights Assignments-Log on Locally
set this to the AD group/groups you created.

 

[Bruce Sanderson]

By default, members of the local groups, Administrators, Backup Operators,
Power Users, Users and Guest (if its enabled) can logon locally. Perhaps
the users you don't want to be able to logon locally are members of another
of these groups besides Users.

You can control who can logon locally using the Group Policy settings in
Computer Configuration
Windows Settings
Security Settings
Local Policies
User Rights Assignment
Allow log on locally
and
Deny log on locally

Remember that "deny" supercedes "allow", so if a particular user gets both
Allow and Deny (e.g. by being members of several groups), they won't be able
to log on locally.