Stop users logging into certain PCs with a GPO

Problem

If certain PCs hold applications or data that you do not want people to see, you may want to consider blocking users from using these computers. These machines may be for administrators only, or they may be machines in the finance department. The best way to do this is via a GPO; follow the step-by-step guide below on how to stop people logging into computers with a GPO.

 

Resolution

To do this we create a security group whose members are the users you want to restrict. Then we create a GPO that sets a "Deny log on locally" policy. We then apply it to the specific PCs we want to restrict.

Follow the instructions below.

1) Create a new security group and add the users who you would like to restrict.

2) We then need to create the GPO that will control which PCs users can log in to. First open Group Policy Management, right click on your domain and select "Create a GPO in this domain, and link it here".

Then call it whatever you like.

3) Right click and select the newly created GPO and browse to the following section.

Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment > Deny Logon Locally setting

Then on the right double click "Deny log on locally".

4) We then need to put a tick in "Define these policy settings" and then add the relevant users who we want to restrict. We do this by adding the security group we created. Once done, close that window and go back to Group Policy Management.

5) We then need to set who this GPO is applied to. As we are only enforcing it on certain PCs, we need to select those PCs only. So select Delegation, remove all entries other than Domain Admins and Enterprise Admins, then add the PCs you would like to restrict.

Select computers only as the object type, and then the PCs you want to restrict.

Then give the computers "Read" rights.

6) Enforce the policy and at a command prompt enter the following.

GPUPDATE /FORCE

This should now restrict the users correctly.
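To check that the policy has actually reached a restricted PC, here is an added example (not part of the original article) that reads the machine's user rights assignments with secedit and confirms the security group is listed under "Deny log on locally", which is stored as SeDenyInteractiveLogonRight. The group name CONTOSO\Restricted-PC-Users and the function name Get-DenyLocalLogonAccount are assumptions for illustration.

```powershell
# Added example (not from the original article). Run in an elevated PowerShell
# session on one of the restricted PCs after GPUPDATE /FORCE.
# ASSUMPTION: placeholder name for the security group created in step 1.
$ExpectedGroup = 'CONTOSO\Restricted-PC-Users'

function Get-DenyLocalLogonAccount {
    # Export only the user rights assignments of this machine to a temp file.
    $cfg = Join-Path $env:TEMP ("userrights-{0}.inf" -f [guid]::NewGuid())
    try {
        secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
        if ($LASTEXITCODE -ne 0) {
            throw "secedit export failed (exit code $LASTEXITCODE). Is the session elevated?"
        }
        # "Deny log on locally" is stored under the name SeDenyInteractiveLogonRight.
        $line = Get-Content -Path $cfg |
            Where-Object { $_ -match '^\s*SeDenyInteractiveLogonRight\s*=' } |
            Select-Object -First 1
        if (-not $line) { return }   # the right is not defined on this machine

        foreach ($entry in (($line -split '=', 2)[1] -split ',')) {
            $entry = $entry.Trim()
            if ($entry -match '^\*(S-1-.+)$') {
                # Entries written as *SID are translated to DOMAIN\name where possible.
                $sid = New-Object System.Security.Principal.SecurityIdentifier($Matches[1])
                try   { $sid.Translate([System.Security.Principal.NTAccount]).Value }
                catch { $sid.Value }   # unresolvable SID: report it as-is
            }
            elseif ($entry) { $entry }
        }
    }
    finally {
        Remove-Item -Path $cfg -ErrorAction SilentlyContinue
    }
}

$denied = @(Get-DenyLocalLogonAccount)
if ($denied -contains $ExpectedGroup) {
    Write-Output "OK: $ExpectedGroup is denied local logon on $env:COMPUTERNAME."
}
else {
    Write-Warning "$ExpectedGroup is NOT in 'Deny log on locally' on $env:COMPUTERNAME."
    Write-Output ("Accounts currently denied: " + ($denied -join ', '))
}
```

If the group is missing, the GPO has not applied to this computer, so recheck the link and the entries added in step 5 before relying on the restriction.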

Tags: Group Policy

Allen White

Allen is a Consultant for ITPS in the North East of England and holds the following accreditations. MCSA, MCSE, MCTS, MCITP, CCA, CCSP, VCP 4,5 and HP ASE, AIS - Network Infrastructure.

Comments (1)

    luke

    Does this "allow log on locally" restrict a user's domain logon? I need to allow only one domain user and admins to log onto a machine; I don't want any other domain users to be able to log onto said machine. Will this work for that? Thanks, -Luke
    I am running Server 2008 R2 Standard and the workstations are 7 Pro.
