However, now we want the opposite. We want to exclude all
other users from using that particular computer. One
solution is to give access to all users to all the
computers but that one. This will require us to type the
name of hundreds of computers. Is there an easier way to
do this?
It sounds exactly like what you wanted before, and if you
used my solution it's already done.
To limit who can login to any specific computer, you
make a change to the local computer. You could do this
with a GPO if you want by assigning the restricted
computer to an OU and setting the group changes in a GPO,
but it's probably easier if you just login as local admin.
I'll give a bit of a step-by-step so it might be clearer
what you are doing...
* Login as local admin (domain admin will work too) to the
target computer.
* Right click "My Computer" and "Manage"
* Click Local Users and Groups, then Groups
You are seeing all the local groups in this list. When a
computer is added to the domain, "Users" is populated
with "Domain\Domain Users".
* Remove any domain user groups from "Users" and "Power
Users"
* Add selected user to the local "Users" group
At this point ONLY that one user (and Domain Admins) can
login to the machine. I would not suggest removing any
members from "Administrators" as this will make it hard
for the admins to make changes later.
If you want to make it easier to manage select computers,
add them to their own OU, create a group in that OU with
the members who should have access. Set that group
to "Users" for all computers in the OU. Join a new
computer directly to that OU and you _should_ have little
to change.
If it's a limited case situation such as an administrator's
workstation, then don't bother adding a separate OU for
it. If you need to do this frequently, then I would start
getting into the habit of placing them in a special OU
for that purpose.
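
The manual steps in the reply above can also be scripted. The following is an added example, not part of the original thread: it assumes Windows PowerShell 5.1 or later with the built-in LocalAccounts cmdlets, an elevated session on the target computer, and a placeholder account name (CONTOSO\jsmith).

```powershell
# Added example: scripted form of the manual steps in the thread.
# Run elevated on the target computer. Use -WhatIf first to preview changes.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Placeholder account; replace with the one user who should keep access.
    [string]$AllowedUser = 'CONTOSO\jsmith',
    # The two local groups the thread says to clean up.
    [string[]]$Groups = @('Users', 'Power Users')
)

foreach ($group in $Groups) {
    # Skip a group that does not exist on this Windows build.
    if (-not (Get-LocalGroup -Name $group -ErrorAction SilentlyContinue)) { continue }

    # Select only domain groups (for example "Domain\Domain Users").
    # Local and built-in members are left alone.
    $domainGroups = Get-LocalGroupMember -Group $group | Where-Object {
        $_.PrincipalSource -eq 'ActiveDirectory' -and $_.ObjectClass -eq 'Group'
    }

    foreach ($member in $domainGroups) {
        if ($PSCmdlet.ShouldProcess($group, "Remove $($member.Name)")) {
            Remove-LocalGroupMember -Group $group -Member $member
        }
    }
}

# Add the selected user to the local "Users" group if not already a member.
$present = Get-LocalGroupMember -Group 'Users' |
    Where-Object { $_.Name -eq $AllowedUser }
if (-not $present -and $PSCmdlet.ShouldProcess('Users', "Add $AllowedUser")) {
    Add-LocalGroupMember -Group 'Users' -Member $AllowedUser
}

# Report the resulting membership. "Administrators" is listed for review only
# and is never modified, as the thread advises.
foreach ($group in @('Users', 'Power Users', 'Administrators')) {
    if (Get-LocalGroup -Name $group -ErrorAction SilentlyContinue) {
        Get-LocalGroupMember -Group $group |
            Select-Object @{ n = 'Group'; e = { $group } },
                          Name, ObjectClass, PrincipalSource
    }
}
```

Running it with -WhatIf lists the removals and the addition without changing any group, which is a useful check before applying it to a machine that other users currently depend on.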