Systems Management Question

Restrict Logon to only select domain users and groups

01/12/2016 2109 views
Does anyone know of a sure way to restrict logon to a certain computer to only certain individuals and groups like Administrators and Domain admins?   I have this one computer that is used by a couple problem users that insist when other people use the computer in their office it gets messed up and they print and use all their toner.   I tried setting Windows security settings via GPO Allow log on locally or Deny Log on Locally and that seems to have no effect on Windows 7.   These are policies found in Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment.   The Domain Controller is a Server 2012R2.

I have also tried going to the local machine management and in users and groups removing all entries from users besides the two domain user accounts and admin account groups like Domain Admins.  

They previously had a BIOS password but that is easy to bypass and someone has bypassed it a few times before by simply removing the jumper.   A BIOS password is also highly inconvenient to managing the computer effectively.

I would just like to be able to restrict user accounts on that one computer just to shut these people up.
0 Comments   [ + ] Show comments


Community Chosen Answer

on that computer click on start and in the run box enter

secpol.msc and press enter

You can set who can logon to the box here.  remove the current groups and put your domain admin group and the users that need to get to it in there. 

Note: if a domain policy steps on this, create a container that blocks that policy effecting the logon and put the machine in there.
Answered 01/12/2016 by: SMal.tmcc
Red Belt

All Answers


Silly question, but you have applied the policy to the computer object? And you have checked that the policy is applying to the computer itself? And it not being overwritten by another policy?

Check with RSoP on the PC.

I would probably try and do it with a local GPO if possible. You dont want a AD GPO for one object...then again some people do etc.
Answered 01/12/2016 by: rileyz
Red Belt

  • OK I feel like an idiot. Somehow there was no "Authenticated Users" in the Security Filtering of the GPO object.

    How that happened I don't know. Once I added that in the policy seemed to work.
    • Haha, I see the computer made a fool of you, not uncommon. Damn bleeping computers.
This website uses cookies. By continuing to use this site and/or clicking the "Accept" button you are providing consent Quest Software and its affiliates do NOT sell the Personal Data you provide to us either when you register on our websites or when you do business with us. For more information about our Privacy Policy and our data protection efforts, please visit GDPR-HQ