Restrict logon to certain workstation

M

Marka2k

What is the best method to restrict users ability from being able to log in
to another workstation (WIN2k Pro) other then their assigned machine?
Is there an article?

Thank you
 
M

Matthew Swanson

Marka2k said:
What is the best method to restrict users ability from being able to log in
to another workstation (WIN2k Pro) other then their assigned machine?
Is there an article?

Thank you

One idea is to edit user accounts (AD Users and Computers -- Right-click
user -- Properties -- Account tab) and use the Log On To button to specify
the workstation the user can logon to. I believe this requires NetBIOS over
TCP/IP to be enabled in your environment in order to work. The default for
W2K and XP systems is to have it enabled so you don't have to worry about it
unless you've modified that setting on your servers/hosts. I'm sure there's
a way to use ADSI to modify the user properties if you have a lot of user
accounts and want to script it out.

Another option is to modify the "allow logon locally" user right on the
computers. This can be manipulated via local or non-local GPO. Local GPOs
are a pain to administer, but I'm not sure you'll be able to get as granular
as you need to with a non-local GPO. Usually this setting is best for
specifying/denying groups rather than individual user accounts.

Hopefully these ideas will help you get started.


matt
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Top