Log on interactively restrictions via GPO

Oleg Ogurok

Hi all,

I have an OU with a bunch of users and a computer. I want to allow those
users to log in to that computer only, and not the rest of the computers on my
domain. Is there a way to do it via GPO?
Thanks.

-Oleg.
 
Steven L Umbach

Put those users in a group. Then put the computer in an OU and configure the
security policy/local policies/user rights assignment deny logon locally to
be defined with either no entries or one entry such as guest. Then in the
domain level add the group to the deny logon locally user right. --- Steve
 
Oleg Ogurok

In the last sentence, did you mean "add the group to the Allow logon
locally"?
Does that restrict access via Terminal Services too?

-Oleg.
 
Steven L Umbach

In a default installation the users group is included in the log on locally
user right. By adding that group to the deny log on locally user right at
the domain level, you effectively stop them from logging on locally to any
machine in the domain since deny overrides the log on locally user right.
Then by changing the setting for deny logon locally at the OU level to have
no users or just an account such as the guest account, you effectively
override the domain level deny log on locally setting which will allow them
to log onto the machines in that OU. That is what my thinking was. Terminal
Services is considered a local logon in Windows 2000. Be sure to test out
anything before implementing. --- Steve
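
One way to carry out the testing recommended above, as an added example that is not part of the original thread: parse a `secedit` user-rights export from a machine outside the OU and one inside it, then apply the deny-overrides-allow rule to a user's identities. The group name `EXAMPLE\RestrictedUsers`, the user name, the function names and both INF samples are constructed for illustration.

```powershell
# Added example: account names, group name and INF text below are constructed.
# On a real machine, produce the input from an elevated prompt with:
#   secedit /export /areas USER_RIGHTS /cfg "$env:TEMP\rights.inf"
#   $rights = Get-LogonRight (Get-Content "$env:TEMP\rights.inf")

function Get-LogonRight {
    # Parse the [Privilege Rights] section of a security template into a hashtable.
    param([string[]]$InfLine)
    $rights = @{}
    $inSection = $false
    foreach ($line in $InfLine) {
        $text = $line.Trim()
        if ($text -match '^\[(.+)\]$') {
            $inSection = ($Matches[1] -eq 'Privilege Rights')
        } elseif ($inSection -and $text -match '^(\w+)\s*=\s*(.*)$') {
            $name = $Matches[1]
            # Entries are comma separated; SIDs are written with a leading '*'.
            $rights[$name] = @($Matches[2] -split ',' |
                ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ })
        }
    }
    $rights
}

function Test-LocalLogon {
    # $Identity lists the user plus every group the user belongs to (names or SIDs).
    param([hashtable]$Rights, [string[]]$Identity)
    $deny  = @($Rights['SeDenyInteractiveLogonRight'])
    $allow = @($Rights['SeInteractiveLogonRight'])
    $deniedBy  = @($Identity | Where-Object { $deny -contains $_ })
    $allowedBy = @($Identity | Where-Object { $allow -contains $_ })
    # Deny wins over allow: one matching deny entry blocks the logon.
    $canLogOn = ($allowedBy.Count -gt 0 -and $deniedBy.Count -eq 0)
    [pscustomobject]@{ CanLogOnLocally = $canLogOn; DeniedBy = $deniedBy -join ', ' }
}

# Constructed export from a machine that only receives the domain-level policy.
$otherMachine = @'
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545
SeDenyInteractiveLogonRight = EXAMPLE\RestrictedUsers
'@ -split '\r?\n'
# Constructed export from the machine in the OU, where the deny list is redefined.
$ouMachine = $otherMachine -replace 'EXAMPLE\\RestrictedUsers', 'Guest'

# The restricted user: own account, the restricted group, and BUILTIN\Users by SID.
$identity = 'EXAMPLE\user1', 'EXAMPLE\RestrictedUsers', 'S-1-5-32-545'
Test-LocalLogon (Get-LogonRight $otherMachine) $identity
Test-LocalLogon (Get-LogonRight $ouMachine) $identity
```

Run `gpupdate /force` (or `secedit /refreshpolicy machine_policy` on Windows 2000) before exporting, so the export reflects the GPOs currently applied.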
 
