< -- BuySellAds Ad Code ALLEN -->
Techieshelp Home Techieshelp Home
Microsoft Logo

Stop users logging into certain PC`s -with a GPO

Written by Allen White on . Posted in SBS2008/2011, Server 2003, Server 2008

Problem

If you have certain pc`s that have applications on or certain data that you do not want people to see, then you may want to consider blocking users from using these computers.  These machines may be for administrators only or maybes machines in the finance department. The best way to do this is via GPO, follow the step by step guide below on how to stop people logging into computers with a GPO.

 

Resolution

To do this we create a security group that the users who you want to restrict are members of. Then we create a GPO that sets a deny login locally policy.We then apply it to the specific PC`s we want to restrict.

Follow the instructions below.

1) Create a new security group and add the users who you would like to restrict.

Stop users logging into certain PC`s

Stop users logging into certain PC`s

2) We then need to create the GPO that will control what PC`s users can login to. First open Group Policy Management and right click on your domain and select ” Create a GPO in this domain, and link it here”

GPO to users loggin onto pc

GPO to users loggin onto pc

Then call it whatever you like

Ban Users From Logging Onto A PC

Ban Users From Logging Onto A PC

3) Right click and select the newly created GPO and browse to the following section.

Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment > Deny Logon Locally setting

Stop User Loggin Onto PC

Stop User Loggin Onto PC

Then on the right double click “Deny Log on Locally.

Deny Log On To PC

Deny Log On To PC

4) We then need to put a tick in define this policy and then add the relevant users who we want to restrict. We do this by adding the Security group we created. Once done close that window and go back to the GPM.

Deny Log On To PC

Deny Log On To PC

5) We then need to set who this GPO is applied to. As we are only enforcing it to certain PCs we need to select the PCs only. As seen below. So select delegation, remove all entries other than domain admin’s and enterprise admin’s, then add the PC`s you would like to restrict….

Select computers only as object types and the pcs you want to restrict

Reistrict logon to a pc

Reistrict logon to a pc

Then give the commuters “read” writes. See the pics below ( click to zoom )

Reistrict logon to a pc

Reistrict logon to a pc

6) Enforce the policy and at a command prompt enter the following.

GPUPDATE /FORCE

This should now restrict the users correctly

Tags: Group Policy

Allen White

Allen is an IT Consultant and holds the following accreditations. MCSA, MCSE, MCTS, MCITP, CCA, CCSP, VCP 4,5, 6 and HP ASE, AIS - Network Infrastructure.

Comments (1)

  • Avatar

    luke

    |

    does this “allow log on locally” restrict a users domain logon? i need to allow only one domain user and admins to log onto a machine, i don’t want any other domain users to be able to log onto said machine. will this work for that? thanks, -Luke
    i am running server 2008 r2 stnd and the workstations are 7pro

    Reply

Leave a comment

Categories

Search

Vote!

What Web Browser Do You Use?

View Results

Loading ... Loading ...

Vote!

What do you prefer..VMware or Hyper-V?

View Results

Loading ... Loading ...

Read Me



Read Me

  • Office 2013 Error 1920. Service Windows Font Cache Service (FontCache) failed to start

    Office 2013 Error 1920. Service Windows Font Cache Service (FontCache) failed to start

    When trying to intsall office 2013 or upgrade to office 2013 you receive the following error. Error 1920. Service Windows Font Cache Service (FontCache) failed to start

    Read more

  • Connect NFS Storage To VSphere 4 And 5

    How to add and connect NFS storage to vmware.A step by step guide on how to add and connect NFS storage to vmware vsphere 4 and 5.

    Read more

  • How To Put A Virtual Machine In Safemode

    Put a Virtual Machine Into Safemode. A guide on how to setup a virtual machine for to boot into safemode. We need to slowdown the boot section so that we get time to hit the F key.

    Read more

  • Setup Shadow Copies On Server 2008 Guide

    Setup Shadow Copies On Server 2008 Guide

    A guide on how to setup shadow copies on your server 2008 network and allow users to resotre thier own files and folders.Step by step guide to volume shadow copies.

    Read more

  • Add an administrator to Exchange 2010

    Add an administrator to Exchange 2010

    Certain applications require to be administrators of microsoft exchange, the process of adding an administrator to exchange has changed. Follow this guide on how to add an administrator to microsoft exchange 2010

    Read more

  • How to Disable an Outlook Add-in Outlook 2010

    How to Disable an Outlook Add-in Outlook 2010

    When you install application on your pc, a lot of them may install add ons into microsoft outlook. Sometimes you need to disable these. Here is a guide on how to disable microsoft outlook add ons.

    Read more