Restricting who can login to a system locally

Our company has a bunch of demo room computers on which we wanted to limit which accounts had local log-on rights. The solution was surprisingly easy:
  • Log in to the machine as an administrator.
  • Remove "<domain name>\Domain Users" from all local groups on the computer (by default it is a member of the "Users" group).
  • Remove any other users that should not have access from all local groups on the machine.
  • Add the domain accounts of the users you want to be able to log on to one of the local groups ("Users", "Power Users", or "Administrators").
  • Make sure you leave Domain Administrators in the Administrators group.
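The same procedure as a PowerShell script, added here as an example and not part of the original post. It assumes the Microsoft.PowerShell.LocalAccounts cmdlets (Windows 10 / Server 2016 and later) run from an elevated prompt; CONTOSO, alice and bob are placeholder names.

```powershell
# Added example (not from the original post): remove "Domain Users" from every
# local group, grant a small set of approved accounts access, and verify the result.
# Assumptions: Microsoft.PowerShell.LocalAccounts module, elevated session.
# "CONTOSO", "CONTOSO\alice" and "CONTOSO\bob" are constructed placeholders.
$Domain          = 'CONTOSO'
$AllowedAccounts = @("$Domain\alice", "$Domain\bob")   # constructed sample accounts
$TargetGroup     = 'Users'                              # least privilege: not Administrators
$MustKeep        = "$Domain\Domain Admins"              # must stay in Administrators

# 1. Audit and remove: find every local group that still contains Domain Users.
foreach ($group in Get-LocalGroup) {
    $members = Get-LocalGroupMember -Group $group.Name -ErrorAction SilentlyContinue
    foreach ($m in $members) {
        if ($m.Name -eq "$Domain\Domain Users") {
            Write-Host "Removing $($m.Name) from $($group.Name)"
            Remove-LocalGroupMember -Group $group.Name -Member $m.Name
        }
    }
}

# 2. Grant: add only the approved accounts to the chosen group (idempotent).
$current = (Get-LocalGroupMember -Group $TargetGroup -ErrorAction SilentlyContinue).Name
foreach ($acct in $AllowedAccounts) {
    if ($current -notcontains $acct) {
        Write-Host "Adding $acct to $TargetGroup"
        Add-LocalGroupMember -Group $TargetGroup -Member $acct
    }
}

# 3. Verify: Domain Admins must still be in Administrators, or the box is orphaned.
$admins = (Get-LocalGroupMember -Group 'Administrators').Name
if ($admins -notcontains $MustKeep) {
    Write-Warning "$MustKeep is missing from Administrators; restore it before logging off."
}

# 4. Report final membership of the groups that grant interactive logon, for the change record.
foreach ($g in 'Users', 'Power Users', 'Administrators') {
    Write-Host "`n[$g]"
    Get-LocalGroupMember -Group $g -ErrorAction SilentlyContinue |
        Select-Object Name, ObjectClass, PrincipalSource | Format-Table -AutoSize
}
```

Step 3 is the safety check for the last bullet above: if the script is run on a machine where Domain Admins was already removed, the warning tells you before you lose your own path back in.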

Now only the accounts you added will be able to log on to the computer. All other accounts will get a message stating “The local policy of this system does not permit you to logon interactively.”

This of course will not prevent accounts that do have access from adding more accounts, if they have administrative access.

