Problem
If you have certain pc`s that have applications on or certain data that you do not want people to see, then you may want to consider blocking users from using these computers. These machines may be for administrators only or maybes machines in the finance department. The best way to do this is via GPO, follow the step by step guide below on how to stop people logging into computers with a GPO.
Resolution
To do this we create a security group that the users who you want to restrict are members of. Then we create a GPO that sets a deny login locally policy.We then apply it to the specific PC`s we want to restrict.
Follow the instructions below.
1) Create a new security group and add the users who you would like to restrict.
2) We then need to create the GPO that will control what PC`s users can login to. First open Group Policy Management and right click on your domain and select ” Create a GPO in this domain, and link it here”
Then call it whatever you like
3) Right click and select the newly created GPO and browse to the following section.
Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment > Deny Logon Locally setting
Then on the right double click “Deny Log on Locally.
4) We then need to put a tick in define this policy and then add the relevant users who we want to restrict. We do this by adding the Security group we created. Once done close that window and go back to the GPM.
5) We then need to set who this GPO is applied to. As we are only enforcing it to certain PCs we need to select the PCs only. As seen below. So select delegation, remove all entries other than domain admin’s and enterprise admin’s, then add the PC`s you would like to restrict….
Select computers only as object types and the pcs you want to restrict
Then give the commuters “read” writes. See the pics below ( click to zoom )
6) Enforce the policy and at a command prompt enter the following.
GPUPDATE /FORCE
This should now restrict the users correctly