Locking a domain pc down for one user

Hey guys,

Another hopefully quick question about SBS2003.

Our accounting PC only needs to be accessed by one person. Can I lock it so only one domain user can log on?

Many thanks
 
Only thing I can think of is if you create a new GPO and do some stuff with restricting desktop / start menu access. Apply it to all users, then create an "undo" policy and apply it to the user who needs to have access.
 
You should be able to do this with a computer-based group policy that limits local logon only to a list of specified users. Then create a new OU, move that computer to that OU and link the GPO to the OU, reboot and test.

If you don't want to create a new OU then use security filtering of the GPO to make sure it only applies to the specified computer.
 
You could try removing the 'Domain Users' global security group from the local 'Users' group on the machine, that should restrict any users from logging on unless they are a member of the local 'Administrators' group i.e. 'Domain Admins' (I think).

You could then add the domain user account which you want to allow to log on via this machine into the local Administrators group and that should allow them to log on. It might work, it might not, I can't test it at the moment. I can't see why it shouldn't though.

EDIT - Actually, you don't have to add the domain user into the local Administrators group (I've been drinking), just add the domain user into the local Users group (the one where you would have removed 'Domain Users' from). Should work...
 
Update - Just tested that, seems to work! Although, I would have thought that there'd be an easier way to enable this.
 
Well, you learn something new every day. It is actually quite simple :D

Put the computer in question in a new Organizational Unit, and apply a new GPO to it.

Edit the following section of the GPO:

Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Allow logon locally

Add Domain Admins, Administrators etc. and of course the person you want to be able to log on!

:)
 
Well, you learn something new every day. It is actually quite simple :D

Put the computer in question in a new Organizational Unit, and apply a new GPO to it.

Edit the following section of the GPO:

Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Allow logon locally

Add Domain Admins, Administrators etc. and of course the person you want to be able to log on!

:)

Does that stop users from logging on to the domain, or just locally?
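
A way to check the "Allow logon locally" setting discussed in this thread from the accounting PC itself, as an added example that is not part of any post above: the setting is stored as the SeInteractiveLogonRight user right, and this script lists who holds it and compares that with an allow-list. The allow-list entries (the CONTOSO domain and the jsmith account) are constructed placeholders, and the script assumes a machine with PowerShell and an elevated prompt.

```powershell
# Added example: audit who holds "Allow log on locally" (SeInteractiveLogonRight)
# on this machine. Run elevated, after the GPO has applied (gpupdate or reboot).
# $Expected is a constructed allow-list; CONTOSO\jsmith is a placeholder account.
$Expected = @(
    'BUILTIN\Administrators',
    'CONTOSO\Domain Admins',
    'CONTOSO\jsmith'
)

$cfg = Join-Path $env:TEMP 'user-rights.inf'
# Export the user-rights section of the security settings in force on this machine.
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
if ($LASTEXITCODE -ne 0) { throw "secedit export failed with exit code $LASTEXITCODE" }

try {
    $line = Get-Content -Path $cfg |
        Where-Object { $_ -match '^SeInteractiveLogonRight\s*=' }
} finally {
    Remove-Item -Path $cfg -ErrorAction SilentlyContinue
}
if (-not $line) { throw 'SeInteractiveLogonRight is not defined in the exported policy.' }

# Entries are comma-separated; SIDs carry a '*' prefix, other entries are bare names.
$holders = ($line -split '=', 2)[1].Split(',') | ForEach-Object {
    $entry = $_.Trim()
    if ($entry.StartsWith('*')) {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.Substring(1))
        try   { $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $sid.Value }   # orphaned SID (deleted account): report it as-is
    } else {
        $entry
    }
}

# -notcontains compares case-insensitively, which matches how account names behave.
$unexpected = @($holders  | Where-Object { $Expected -notcontains $_ })
$missing    = @($Expected | Where-Object { $holders  -notcontains $_ })

"Accounts allowed to log on locally: $($holders -join ', ')"
if ($unexpected.Count) { "UNEXPECTED (not in allow-list): $($unexpected -join ', ')" }
if ($missing.Count)    { "MISSING (in allow-list, not granted): $($missing -join ', ')" }
if (-not $unexpected.Count -and -not $missing.Count) { 'Policy matches the allow-list.' }
```

An UNEXPECTED entry such as BUILTIN\Users or a Domain Users group means the restricting GPO has not applied to this computer yet, or another policy is overriding it.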
 