My university is switching from a Novell-based logon system to Active Directory. One of the 'features' IT is advertising is the ability for any user to log onto any machine. This is fine for computer labs and the like, but for computers in offices and graduate student labs we'd really rather not let any random undergrad walk in and log on. Is there an easy way to limit who can log onto a particular machine using Active Directory? Most computers are running XP, with a few on Vista.
Have you seen these guides?
http://itadmin.creative.auckland.ac.nz/FAQ/Network/ActiveDirectory/restrictAccessPolicy/
http://itadmin.creative.auckland.ac.nz/FAQ/Network/ActiveDirectory/noAccessGroupPolicy/
With the way access control works in Windows, you generally want to think about this type of thing from the opposite direction. Instead of allowing everyone and then trying to lock out a subset of users, you want to allow no one by default and let in the subset of users who should be able to use those systems.
Explicit "Deny" ACLs always take precedence over "Allow" ACLs
It's also a best practice to always target the various security settings at groups and not at specific users. Even if there's only one user who needs access today, it may not always be that way, or the user who needs access could change.
Open the ADUC snap-in (dsa.msc) > Find the User > Open Properties and you can manage settings using the Account tab.
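The allow-list approach from the answers above, as an added PowerShell example that is not part of any answer on this page: it sets the "Allow log on locally" user right (SeInteractiveLogonRight) on a workstation to Administrators plus one domain group, using a secedit security template. The domain name CONTOSO and the group name CS-GradLab-Users are assumptions; substitute your own. Run it elevated on the machine you want to restrict.

```powershell
# Added example (not from the original answers). Restricts interactive logon on
# the local machine to BUILTIN\Administrators plus one domain group, by applying
# a secedit security template that defines only the user-rights area.
# Assumed names: domain CONTOSO, group CONTOSO\CS-GradLab-Users.

param(
    [string]$AllowedGroup = 'CONTOSO\CS-GradLab-Users'   # assumption: your lab group
)

function Get-SidString([string]$Account) {
    # Resolve DOMAIN\name to a SID so the template does not depend on name lookup
    # at apply time; secedit accepts SIDs prefixed with '*'.
    $nt = New-Object System.Security.Principal.NTAccount($Account)
    $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

$adminsSid = 'S-1-5-32-544'              # BUILTIN\Administrators (well-known SID)
$groupSid  = Get-SidString $AllowedGroup

# Keep Administrators in the list. Whatever is NOT listed loses the right, so
# leaving Administrators out would lock local admins out of the console too.
$allowLine = "SeInteractiveLogonRight = *$adminsSid,*$groupSid"

$inf = @"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO`$"
Revision=1
[Privilege Rights]
$allowLine
"@

$tmp = Join-Path $env:TEMP 'restrict-logon'
New-Item -ItemType Directory -Force -Path $tmp | Out-Null
$infPath = Join-Path $tmp 'allow-logon.inf'
$dbPath  = Join-Path $tmp 'allow-logon.sdb'

# secedit templates must be UTF-16 ("Unicode") files
$inf | Out-File -FilePath $infPath -Encoding Unicode

# Apply only the USER_RIGHTS area so other local security settings are untouched
secedit /configure /db $dbPath /cfg $infPath /areas USER_RIGHTS /quiet

# Verify: export the effective local policy and show who may log on locally
$exportPath = Join-Path $tmp 'current.inf'
secedit /export /cfg $exportPath /areas USER_RIGHTS | Out-Null
Select-String -Path $exportPath -Pattern '^SeInteractiveLogonRight' |
    ForEach-Object { $_.Line }
```

Two caveats match the answers above. First, "Deny log on locally" (SeDenyInteractiveLogonRight) overrides this allow list, so a deny entry that covers Domain Users would still block the lab group's members. Second, if a domain GPO defines either of these rights for the computer, it overwrites the local setting at the next policy refresh; for more than a handful of machines, put the same "Allow log on locally" entry in a GPO (Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment) linked to the OU that holds the office and lab computers, rather than scripting each box. The per-user alternative from the last answer, the "Log On To" button on the Account tab, writes the user's userWorkstations attribute (a comma-separated list of computer names) and can be set with Set-ADUser -LogonWorkstations; it restricts one account to named machines, which is the reverse of the group-on-machine model and does not scale to a lab full of computers.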