< -- BuySellAds Ad Code ALLEN -->
Techieshelp Home Techieshelp Home
Microsoft Logo

Stop users logging into certain PC`s -with a GPO

Written by Allen White on . Posted in SBS2008/2011, Server 2003, Server 2008

Problem

If you have certain pc`s that have applications on or certain data that you do not want people to see, then you may want to consider blocking users from using these computers.  These machines may be for administrators only or maybes machines in the finance department. The best way to do this is via GPO, follow the step by step guide below on how to stop people logging into computers with a GPO.

 

Resolution

To do this we create a security group that the users who you want to restrict are members of. Then we create a GPO that sets a deny login locally policy.We then apply it to the specific PC`s we want to restrict.

Follow the instructions below.

1) Create a new security group and add the users who you would like to restrict.

Stop users logging into certain PC`s

Stop users logging into certain PC`s

2) We then need to create the GPO that will control what PC`s users can login to. First open Group Policy Management and right click on your domain and select ” Create a GPO in this domain, and link it here”

GPO to users loggin onto pc

GPO to users loggin onto pc

Then call it whatever you like

Ban Users From Logging Onto A PC

Ban Users From Logging Onto A PC

3) Right click and select the newly created GPO and browse to the following section.

Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment > Deny Logon Locally setting

Stop User Loggin Onto PC

Stop User Loggin Onto PC

Then on the right double click “Deny Log on Locally.

Deny Log On To PC

Deny Log On To PC

4) We then need to put a tick in define this policy and then add the relevant users who we want to restrict. We do this by adding the Security group we created. Once done close that window and go back to the GPM.

Deny Log On To PC

Deny Log On To PC

5) We then need to set who this GPO is applied to. As we are only enforcing it to certain PCs we need to select the PCs only. As seen below. So select delegation, remove all entries other than domain admin’s and enterprise admin’s, then add the PC`s you would like to restrict….

Select computers only as object types and the pcs you want to restrict

Reistrict logon to a pc

Reistrict logon to a pc

Then give the commuters “read” writes. See the pics below ( click to zoom )

Reistrict logon to a pc

Reistrict logon to a pc

6) Enforce the policy and at a command prompt enter the following.

GPUPDATE /FORCE

This should now restrict the users correctly

Tags: Group Policy

Allen White

Allen is an IT Consultant and holds the following accreditations. MCSA, MCSE, MCTS, MCITP, CCA, CCSP, VCP 4,5, 6 and HP ASE, AIS - Network Infrastructure.

Comments (1)

  • Avatar

    luke

    |

    does this “allow log on locally” restrict a users domain logon? i need to allow only one domain user and admins to log onto a machine, i don’t want any other domain users to be able to log onto said machine. will this work for that? thanks, -Luke
    i am running server 2008 r2 stnd and the workstations are 7pro

    Reply

Leave a comment

Categories

Search

Vote!

What Web Browser Do You Use?

View Results

Loading ... Loading ...

Vote!

What do you prefer..VMware or Hyper-V?

View Results

Loading ... Loading ...

Read Me



Read Me

  • Create a User and Mailbox in Powershell

    Create a User and Mailbox in Powershell

    A guide on how to create a user in powershell and how to create a mailbox in powershell step by step

    Read more

  • SBS2011 Migration,Incorrect Username, Password Or Domain Incorrect

    SBS2011 Migration,Incorrect Username, Password Or Domain Incorrect

    When you are migrating to SBS2011 using an answer file. The migration says incorrect username or password. Here is how to fix.

    Read more

  • Integrating Nintex and Box CMS using Open API

    Integrating Nintex and Box CMS using Open API

    How to integrate Box.com CMS with Nintex using API to manipulate files and folders using automation.

    Read more

  • Start Windows Installer service in safemode

    Start Windows Installer service in safemode

    Start Windows Installer service in safe mode with this easy tutorial.How to Start The Windows Installer service in safemode as the services required are not started in safemode by default.

    Read more

  • Exchange 2013/2016 – Allow a server to relay email

    Exchange 2013/2016 – Allow a server to relay email

    A step by step guide on how to setup Exchange 2013 and Exchange 2016 to allow external or internal servers to relay email though by creating a dedicated receive connector.

    Read more

  • Create A Catch All Mailbox In Exchange 2013/2016

    Create A Catch All Mailbox In Exchange 2013/2016

    How to ceate a rule that catches all email sent to Exchange that is sent to mispelled users or sent to users that do not exist in your email organization.

    Read more