question on domain local machine permissions

[Guest]

What do I need to do to allow only certain users to login to a domain on a
certain computer? Say for example that they don't have a machine login but
they have a domain account and I want to limit the number of people who can
login to the domain on the machine to a certain group in the domain. Also,
when a domain user logs into the computer, how can i limit/prohibit their
access to the profile folders of other users (under documents and settings).
For example, a regular domain user logged into the domain but was still able
to go into the "desktop" and "my documents" of everyone of the profiles that
logged into that computer as if that user was an administator.

 

[Steven L Umbach]

First off you can't really limit a local administrator if they have the
knowledge and determination to do what they want. Having said that remove
administrator and administrators from the permission lists in the folder
properties/security of the user profiles and if you want replace it with one
other administrator on the computer [a user/group you create which could
also be a domain user] that only authorized personnel know the password to
if you have that need.

To manage who can logon to a domain computer open Local Security Policy
[secpol.msc] and populate the user right for logon locally to include only
the users/groups you want to logon to that computer and remove
everyone/users/authenticated users/domain users if present.


"question on links where info is added an"