# Deny user logon to specific computers on a domain



## Timbo343 (May 12, 2005)

Hi

Im new to this site.

Im struggling on restricting specific organisational groups to log on to certain computers on our network. 

Im looking on Group policy and i cant find anything relevant that helps me in anyway..

Might it be worth setting up scripts?

Can anyone help.


----------



## Chevy (Jul 25, 2003)

In the local security policy on each workstation there is an entry called "Log On Locally". Just add the groups you want, and take out those you don't.


----------



## Timbo343 (May 12, 2005)

thanks for the reply.. 

but doing it on every computer will take ages.

Is there any way i can get to do it over Group Policy on the DC through AD??? Its just that there are about 300 computers to configure.


----------



## NoReason (Nov 15, 2004)

how many people we talking? (i'm assuming since your talking GPO that your using 2000 or 2003 A.D.)
you can always go to each user's profile in AD, go to properties, account, and set the "log on to" to specific pc's rather than able to log onto all.


----------



## Timbo343 (May 12, 2005)

ah hah.. cheers mate ray:


been picky now...

what about setting an organisational group to a group of computers to do the same thing??

If that aint possible.. it doesnt matter,, but thanks


----------



## NoReason (Nov 15, 2004)

Glad that worked for you. 
As for the organizational groups and computers question...I'm not sure. I will leave this thread unresolved. Maybe someone else will have an answer for that.


----------



## Timbo343 (May 12, 2005)

Chevy said:


> In the local security policy on each workstation there is an entry called "Log On Locally". Just add the groups you want, and take out those you don't.


Chevy mentioned about log on locally...

This is what im wanting to configure to set a user to access that pc only, and no one else. For example... there are a set of 16 computers in one room, and i want "username" to only access this computer on the domain (no other user name is allowed access to logon on the domain), but still be able to logon to the other 250ish computers we have got. 

Surely there has to be a way to configure this in active directory in group policy. :4-dontkno 

If you see what i mean


----------



## BMR777 (Apr 27, 2005)

Maybe use the "Deny Access this computer from the network" policy under "User Rights Assignment"?

I'm not too familiar with GPEdit, but this may be something to look into.

BMR777


----------



## Timbo343 (May 12, 2005)

Sorry, thats not worked either... 

errrr... now its getting frustrating.. :upset:


----------

