# Trying to "lock down" Domain Client to single user account



## Mr Davo (Mar 16, 2009)

Hi Everyone,

I am using a Windows 2008 R2 Server to run my work's Domain. Within the Domain I have about forty computers. Additionally I have approximately fifty user accounts.

I am now attempting to restrict which user accounts can log onto various client computers (the clients that I want to "lock down" are Windows 7 computers).

In summary, let's assume that I have "Bob" & "Jill", and both of these accounts should only be able to log onto one computer. The default behaviour of the Domain is to let either Bob or Jill log onto both computers.

I have scoured the internet for a solution to my challenge; and I have been able to come up with the instructions at this link:

http://systemadministratorrecipes.b...0/restrict-use-of-computer-to-one-domain.html

I am following the second set of instructions, which detail how to achieve the intended outcomes using Group Policy.

However I am getting stuck at the very beginning of the instructions; the issue is that running the "gpmc.msc" command does not produce the same dialog box in Windows Server 2008 R2 as it does in Windows Server 2003!

Expected Dialog (Windows Server 2003) -

Actual Dialog (Windows Server 2008 R2) -

If anybody can shed some light on where I need to go in Windows Server 2008 R2 to achieve the outcomes that I seek it will be greatly appreciated.

Kind Regards,

Davo


----------



## srhoades (May 15, 2003)

From another message board:

"Go into Active Directory Users and Computers. Open up the user's account and go to the account tab. Click the "log on to" button and specify any computers the user should be able to log in on."


----------



## Mr Davo (Mar 16, 2009)

Hi srhoades,

I have seen this during my "traversing" the internet for a solution. However I would prefer not to take this approach due to the high "manual labor" aspect. Not only will this take considerable time for my over 50 accounts, but if I want to change my policy later it will be highly time consuming to do so. I am better served with a new Organisational Unit, and appropriate settings (at the OU level).

Kind Regards,

Davo


----------
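The "log on to" setting discussed in the two posts above can be applied in bulk rather than account by account. The following PowerShell is an added example, not part of any post in this thread; it assumes the ActiveDirectory module is available, and the account and computer names are constructed placeholders.

```powershell
# Added example: bulk-apply the "Log On To" restriction shown on the Account tab.
# Assumes the ActiveDirectory module (RSAT, or Windows Server 2008 R2 and later).
Import-Module ActiveDirectory

# Constructed sample mapping: account name -> computers it may log on to.
# Placeholder names; replace with your own accounts and computers.
$assignments = @{
    'bob'  = @('PC-BOB01')
    'jill' = @('PC-JILL01')
}

foreach ($entry in $assignments.GetEnumerator()) {
    $sam       = $entry.Key
    $computers = $entry.Value

    # Skip the account if any name does not resolve to a computer object,
    # so a typo cannot leave the user unable to log on anywhere.
    $missing = @($computers | Where-Object {
        -not (Get-ADComputer -Filter "Name -eq '$_'")
    })
    if ($missing.Count -gt 0) {
        Write-Warning "$sam skipped; unknown computer(s): $($missing -join ', ')"
        continue
    }

    try {
        $user = Get-ADUser -Identity $sam -Properties LogonWorkstations
    } catch {
        Write-Warning "$sam skipped; account not found"
        continue
    }

    $new = $computers -join ','          # the attribute is a comma-separated list
    if ($user.LogonWorkstations -eq $new) { continue }   # already set as wanted

    Write-Output "$sam : '$($user.LogonWorkstations)' -> '$new'"
    # -WhatIf only previews the change; remove it to apply.
    Set-ADUser -Identity $user -LogonWorkstations $new -WhatIf
}

# Review step: list every account that currently carries a restriction.
Get-ADUser -Filter * -Properties LogonWorkstations |
    Where-Object { $_.LogonWorkstations } |
    Select-Object SamAccountName, LogonWorkstations
```

Changing the policy later means editing the mapping and running the script again; the final query shows which accounts are restricted and to which computers.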



## Mr Davo (Mar 16, 2009)

1). Start MMC (Microsoft Management Console) by typing MMC into the Search Box (located on the Start Menu)
2). Click on File
3). Click on Add / Remove Snap In
4). Select the "Group Policy Management Editor"
5). Click on Add
6). Click on Browse
7). Select "Domain Controller.<Your Domain Name>"
8). Click on OK
9). Click on OK
10). Click on Finish
11). Click on OK


----------



## Mr Davo (Mar 16, 2009)

Now that I have the correct Console open I am faced with the challenge of actually understanding what to do. In the screen shot below the "Deny Logon Locally" Policy explains "This security setting determines which users are prevented from logging on at _*the computer*_". However what is "the computer"? I am on a Domain so does setting this policy affect every client, the server, all clients & the server, or nothing at all?


----------



## Mr Davo (Mar 16, 2009)

Hi Everyone,

I have found an effective way of limiting access to XP Computers on my Work's Domain (however I am not sure if this method will work with more recent versions of Windows).

1). Click on Start
2). Right click on My Computer
3). Select Manage
4). Select Local Users & Groups (from the left pane)
5). Double click on the Groups folder icon
6). Double click on the Users object
7). Delete all Members of this group
8). Add the specific account(s) that you would like to have access to the computer
9). Reboot the computer

Now only the designated User logon account can access the computer (along with members of the Administrators Group of course!). If an account without access rights attempts to log on to the computer the following message will be displayed -

Kind Regards,

Davo


----------

