Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

  • Congratulations Mike Lewis on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

deny certain user from specific pcs

Status
Not open for further replies.

77zxmax

MIS
Dec 28, 2004
45
CA
Greeting
we have a server with DC , and about 10 windows xp clients:
we have usernames and password created for each client user
and we also have one public username and password eg: username = user and password = user

now lets say i don't want computer #1 to be accessed with that public username and password ..
how would i do that ?

i hope i was clear explaining
thanks in advance
 
Hi there,

In 2003 you can open Active Directory users and computers. Simply right-click the user name in question and go to properties. Choose the account tab and then Log on to command button.

I hope it is the same on 2000.

Regards,

Peter

Remember- It's nice to be important,
but it's important to be nice :)
 
The above would work if you want to specify allowed locations to log on to, which may be a more common rule for a generic account. If you still would rather just deny certain computers, then you would use group policy (either through OU or on local PC). There is a setting under Computer Configuration --> Windows Settings --> Security Settings --> Local Policies --> User Rights Assignment that lists users and groups to "Deny log on locally
 
Deny logon locally only works to deny logon to server. If you created the users in AD you should be able to specify where certains usernames can logon to what machines.

Check out our website
 
so i guess petrosky had the best solution for this ?
 
77zxmax-

It all depends on how you want to manage it. Either way works, it is just a matter of how many machines need to be touched or entered in some list. You asked about deny and that is the way I answered.

If you only want the generic user denied from computer #1 but allowed everywhere else, then you have to list 9 computers in the "Log on to" list. Or you could just go to computer #1 and deny it there. And if you add more computers, then you have to maintain the "Log on to" list.

If you only want the generic login to be used on one or two computers and denied everywhere else, then definitely use the "Log on to" list. Otherwise you would have to keep denying the login on new machines.

I don't know why arsbargains replied the way he did. Deny logon locally is valid for non-server versions of 2000/XP. If you apply it to a group of machines through AD GPO, then those machines will deny that list or group of users. If you apply it locally through gpedit, then it will be valid on the local machine whether it is server or workstation.
 
Status
Not open for further replies.

Part and Inventory Search

Sponsor

Back
Top