Locally restricting user rights for authenticated domain users

[ngagne]

I have a network consisting of W2K Pro machines which log onto a W2K Server (domain controller). I want to prevent users from using someone else's computer.

Take this example:

User X wants to use User Y's computer. He cannot log on locally, however, he can log on to the domain and have access to User X's local files. User X does not want User Y to be able to use his computer at all.

I do not want to restrict access on a file/directory level. I want to prevent User Y from logging on AT ALL.

Any ideas? Nate Gagne
nathan.gagne@verizon.net

Like my post? Let me know it was helpful!

 

[esherm22]

Go to Start -->Administrative tools-->Local Security Policy.

In Local Policies-->User Rights Assignment
You can "Deny logon locally". Click on "Add" and then change where it says "Look in" from the local PC name to the Domain name. Find User "Y" and add him. You can also go to "Log on locally" and add the users you want to be able to log on(and again you would want to make sure to switch it to your domain so you can select the correct user. Remember though, "Deny access will always overide any access permissions"

 

[esherm22]

If you are looking at doing this for the whole domain and not just one user than you are going to want to use a Domain wide policy/Group Policy to accomplish this.