Techieshelp.com

Stop users logging into certain PCs with a GPO


Problem

If you have certain PCs that hold applications or data that you do not want people to see, you may want to consider blocking users from logging on to those computers. These machines may be for administrators only, or they may be machines in the finance department. The best way to do this is via a GPO. Follow the step-by-step guide below to stop people logging into computers with a GPO.

 

Resolution

To do this, we create a security group containing the users we want to restrict. Then we create a GPO that sets a "Deny log on locally" policy. We then apply it to the specific PCs we want to restrict.

Follow the instructions below.

1) Create a new security group and add the users who you would like to restrict.


2) We then need to create the GPO that will control which PCs users can log in to. First open Group Policy Management, right-click your domain and select "Create a GPO in this domain, and Link it here".


Then call it whatever you like.


3) Right-click and select the newly created GPO, then browse to the following setting.

Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment > Deny log on locally


Then, on the right, double-click "Deny log on locally".


4) We then need to put a tick in "define this policy" and add the users we want to restrict. We do this by adding the security group we created. Once done, close that window and go back to Group Policy Management.


5) We then need to set who this GPO is applied to. As we are only enforcing it on certain PCs, we need to select those PCs only. Select Delegation, remove all entries other than Domain Admins and Enterprise Admins, then add the PCs you would like to restrict.

Select Computers only as the object type, then select the PCs you want to restrict.


Then give the computers "read" rights.


6) Enforce the policy and at a command prompt enter the following.

GPUPDATE /FORCE

This should now restrict the users correctly.
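
To confirm the result on one of the restricted PCs after GPUPDATE /FORCE, the following added example (not part of the original tutorial) exports the machine's effective user rights with secedit and checks that the security group from step 1 appears under SeDenyInteractiveLogonRight, the internal name of "Deny log on locally". The group name is a placeholder and the function names are hypothetical; run it from an elevated PowerShell prompt.

```powershell
# Added example; run in an elevated PowerShell session on a restricted PC.
# 'EXAMPLE\Restricted-PC-Users' is a placeholder for the group from step 1.
$GroupName = 'EXAMPLE\Restricted-PC-Users'

function ConvertTo-SidString {
    param([string]$Entry)
    # secedit writes SIDs as "*S-1-5-..." and some accounts as plain names.
    if ($Entry -match '^\*(S-1-.+)$') { return $Matches[1] }
    try {
        $acct = New-Object System.Security.Principal.NTAccount($Entry)
        return $acct.Translate([System.Security.Principal.SecurityIdentifier]).Value
    } catch { return $null }   # name could not be resolved
}

function Get-DenyLogonLocallySids {
    $cfg = Join-Path $env:TEMP ("user_rights_{0}.inf" -f $PID)
    try {
        # Export only the user-rights area of the effective local policy.
        secedit /export /areas USER_RIGHTS /cfg $cfg /quiet | Out-Null
        if (-not (Test-Path $cfg)) { throw 'secedit export failed; run elevated.' }
        $line = Get-Content -Path $cfg |
            Where-Object { $_ -match '^\s*SeDenyInteractiveLogonRight\s*=' } |
            Select-Object -First 1
        if (-not $line) { return @() }   # right is not defined on this PC
        # The value is a comma-separated list of SIDs and account names.
        $raw = ($line -split '=', 2)[1] -split ','
        return @($raw | ForEach-Object { ConvertTo-SidString $_.Trim() } |
            Where-Object { $_ })
    } finally {
        Remove-Item -Path $cfg -ErrorAction SilentlyContinue
    }
}

$groupSid = ConvertTo-SidString $GroupName
if (-not $groupSid) { throw "Cannot resolve group '$GroupName' to a SID." }

$denied = Get-DenyLogonLocallySids
if ($denied -contains $groupSid) {
    Write-Output "OK: $GroupName ($groupSid) is denied local logon on $env:COMPUTERNAME."
} else {
    Write-Warning "$GroupName is NOT in 'Deny log on locally' on $env:COMPUTERNAME."
    Write-Warning "Check the GPO link and delegation, then run GPUPDATE /FORCE again."
}
```

If the warning appears, `gpresult /r /scope computer` on the same PC lists which GPOs were applied to the computer and which were filtered out.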