Allow AD users in a specific group to log on only to specified computers

Get the properties of their user account in Active Directory Users & Computers. Click on the Account tab. Click on the Log On To... button. Click on The Following Computers, then click Add to add as many computers as you wish them to be able to connect to. Click OK to save the change. Works great.
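The same "Log On To..." restriction can be applied to a whole group at once with the ActiveDirectory PowerShell module, which sets the same attribute the GUI does (added example, not code from the answer above; the group name and computer names are placeholders, and it assumes RSAT and rights to modify the user objects):

```powershell
# Added example: bulk-apply the "Log On To..." restriction (the LogonWorkstations
# attribute) to every member of a group, then read it back to verify.
# 'Restricted-Users' and the computer names are placeholders; adjust for your domain.
Import-Module ActiveDirectory

$GroupName        = 'Restricted-Users'
$AllowedComputers = @('KIOSK01', 'KIOSK02')   # NetBIOS names, not FQDNs

# The attribute is a single comma-separated string and AD caps it at 64 entries.
if ($AllowedComputers.Count -gt 64) {
    throw 'LogonWorkstations supports at most 64 computers; use a GPO-based restriction instead.'
}
$WorkstationList = $AllowedComputers -join ','

# Recursive membership so users in nested groups are covered too.
# Re-run after membership changes: the attribute is set per user, not per group.
$Members = Get-ADGroupMember -Identity $GroupName -Recursive |
    Where-Object { $_.objectClass -eq 'user' }

foreach ($Member in $Members) {
    Set-ADUser -Identity $Member.DistinguishedName -LogonWorkstations $WorkstationList
}

# Verify: flag any member whose attribute does not match what was just set.
$Members | ForEach-Object {
    $User = Get-ADUser -Identity $_.DistinguishedName -Properties LogonWorkstations
    [PSCustomObject]@{
        SamAccountName    = $User.SamAccountName
        LogonWorkstations = $User.LogonWorkstations
        Matches           = ($User.LogonWorkstations -eq $WorkstationList)
    }
} | Format-Table -AutoSize
```

Run the verification part on its own periodically to catch accounts whose restriction was cleared or never applied.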


I would do this with a group policy. It's much more scalable than the solution icky2000 suggested.

You would set a policy that denies local login to every machine (Computer Settings -> Security Settings -> Local Rights Assignment -> Deny Logon Locally)

Then set a higher-precedence policy that removes the group from the above policy; this can be done with security filtering, or via different OUs for the restricted and non-restricted computers. My personal preference would be for the multi-container approach.