Restricting Administrator Account Logon to Workstation

[Guest]

The Domain Users account can be restricted to logon to selected workstations
instead of any workstations. But when i try to apply this restriction to the
built-in Domain Administrator account, it says, "attribute cannot be changed
on this object".

Can the built-in domain administrator account be restricted to logon to
selected workstations instead of any workstations? How can it be done? If
yes or no, is there any document that explain this which i can refer to?

 

[spr]

The Domain Users account can be restricted to logon to selected
workstations
instead of any workstations. But when i try to apply this restriction to
the
built-in Domain Administrator account, it says, "attribute cannot be
changed
on this object".

Can the built-in domain administrator account be restricted to logon to
selected workstations instead of any workstations? How can it be done?
If
yes or no, is there any document that explain this which i can refer to?

you could use 'passprop'
(everywhere on google)

it makes the local admin account follow the rules of other accounts. i.e. it
can be locked out. then just lock it on the machines you want it done to.

i use passprop on all client machines because it prevents a brute force
against the local admin account.

 

[Guest]

i'm actually refering to the domain level. i'm trying to restrict the
built-in domain administrator account to logon to servers/workstations in a
secured room only, instead of workstations that is accessible by the public,
physically.