Restrict user logon one computer on the domain

    Question

  • I have one computer with Windows 7 that I need to restrict user logon to just two domain users.  Since it is for only one domain computer, is there a way to restrict the user logon locally on that computer rather than through AD?

    Thank you.


    DDaleS

    Wednesday, March 2, 2016 8:47 PM

Answers

  • Hi DDaleS,

     

    Does Deny take precedence over Allow? 

    Yes, I ran a test and it turned out the same as yours. The Deny log on locally policy setting supersedes the Allow log on locally policy setting if a user account is subject to both policies.

    https://technet.microsoft.com/en-us/library/dn221948.aspx

     

    I have already tested this: we could create a group which contains all users you want to deny, then deny them by adding this group to the Deny log on locally policy.

     

    Best regards.


    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    Friday, March 11, 2016 7:40 AM
    Moderator
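
An added example, not part of the original thread or any poster's code: a PowerShell check that exports the user rights currently applied on the machine with `secedit` and evaluates an account against Deny log on locally before Allow log on locally, the precedence described in the answer above. The `$Upn` parameter and the sample UPN are assumptions, and the UPN lookup needs a domain-joined machine.

```powershell
# Added example: evaluate "log on locally" rights as applied on this machine.
# $Upn is an assumed parameter, e.g. user@example.test (constructed value);
# omit it to test the account running the script.
param([string]$Upn)

function Get-RightSids {
    param([string[]]$InfLines, [string]$Right)
    # secedit line format: SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545
    $line = $InfLines | Where-Object { $_ -match "^\s*$Right\s*=" } | Select-Object -First 1
    if (-not $line) { return @() }            # right is not assigned to anyone
    foreach ($entry in ($line -split '=', 2)[1].Split(',')) {
        $entry = $entry.Trim()
        if (-not $entry) { continue }
        if ($entry.StartsWith('*')) {
            $entry.TrimStart('*')             # already a SID string
        } else {
            # Plain account name: translate to a SID so comparisons are uniform
            $acct = New-Object System.Security.Principal.NTAccount($entry)
            $acct.Translate([System.Security.Principal.SecurityIdentifier]).Value
        }
    }
}

function ConvertTo-Name {
    param([string]$Sid)
    $s = New-Object System.Security.Principal.SecurityIdentifier($Sid)
    try { $s.Translate([System.Security.Principal.NTAccount]).Value } catch { $Sid }
}

# Export only the user rights area of the applied security policy
$cfg = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$inf = Get-Content $cfg
Remove-Item $cfg

$allow = @(Get-RightSids $inf 'SeInteractiveLogonRight')
$deny  = @(Get-RightSids $inf 'SeDenyInteractiveLogonRight')

# The account's SID set: its own SID plus every group SID in its token
if ($Upn) { $id = New-Object System.Security.Principal.WindowsIdentity($Upn) }
else      { $id = [System.Security.Principal.WindowsIdentity]::GetCurrent() }
$sids = @($id.User.Value) + @($id.Groups | ForEach-Object { $_.Value })

$denyHit  = @($deny  | Where-Object { $sids -contains $_ })
$allowHit = @($allow | Where-Object { $sids -contains $_ })

# Deny is evaluated first: one matching Deny entry blocks logon regardless of Allow
if ($denyHit.Count)      { "DENIED by:  " + (($denyHit  | ForEach-Object { ConvertTo-Name $_ }) -join ', ') }
elseif ($allowHit.Count) { "ALLOWED by: " + (($allowHit | ForEach-Object { ConvertTo-Name $_ }) -join ', ') }
else                     { "NOT ALLOWED: no Allow log on locally entry matches this account" }
```

Run it from an elevated prompt so that UAC does not filter the Administrators group out of the token. `gpresult /h report.html` then shows which GPO supplied each of the two rights.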

All replies

  • Hi,

    You could use secpol.msc and restrict the "Allow logon locally"...

    Regards

    Eric


    Microsoft MVP Cloud and Datacenter Management
    Microsoft Partner Technical Solutions Professional (P-TSP)
    --
    www.ericberg.de
    @ericberg_de
    --
    MCSE: Enterprise Devices and Apps | MCSE: Private Cloud | MCSE: Server Infrastructure | MCSE: Desktop Infrastructure

    Wednesday, March 2, 2016 9:04 PM
  • Eric,

    I already tried that in Local Policies\User Rights Assignment\Log On Locally.  Removed "Users" and added myself.  I am still able to log on as the user I don't want to log on.  Is Group Policy overriding the local policy?

    Thank you.


    DDaleS

    Wednesday, March 2, 2016 9:20 PM
  • This is possible.

    So run a gpresult to see what is happening.

    Regards

    Eric



    Wednesday, March 2, 2016 9:25 PM
  • Hi DDaleS,

    I ran a test on my local computer; we could prevent a specific user from logging on via Group Policy.

    (Add the user you don't want to log on to Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Deny log on locally.)

    If it does not work for you, it is possible that the local policy was overridden. We could follow Eric’s suggestion to test this.

    Best regards.



    Thursday, March 3, 2016 2:30 PM
    Moderator
  • Yes, Group Policy overrides local policy:

    The local GPO is processed first, and GPOs that are linked to the organizational unit of which the computer or user is a direct member are processed last, which overwrites settings in the earlier GPOs if there are conflicts.

    https://technet.microsoft.com/sv-se/library/cc785665(v=ws.10).aspx


    Best regards George

    Thursday, March 3, 2016 2:38 PM
  • Why do you want to do that? Lockdown users? They will always find a way around!
    Better is to educate users, tell them why your system is like it is, the purpose and the reason!
    Prohibition never works!

    Best regards George

    Thursday, March 3, 2016 4:05 PM
  • I understand about educating but very difficult to enforce at this location.

    Group Policy works, but in this situation I want to limit the users to two on this particular computer.  To keep the others out, do I not have to add the restricted users to Deny Log on locally?  Which in this case is the whole company other than two users and administrators.  If so what would be the best way to do this without adding groups, users, etc.?

    Thank you.


    DDaleS

    Friday, March 4, 2016 3:21 PM
  • Hi DDaleS,

    Since the Deny log on locally policy works for you, the Allow log on locally policy should work as well.
    According to my test, the Administrators group cannot be removed from the Allow log on locally policy and added to the Deny log on locally policy.
    Maybe that is why you were still able to log on the first time as the user you don't want to log on, if the user is still a member of the Administrators group.
    Based on your situation, we could consider using those two policies together.

    I would like to build a domain environment to have a test, and will let you know as soon as I get results.

    Best regards.

    Wednesday, March 9, 2016 3:43 PM
    Moderator
  • Hi,

    The domain group policy is overriding the local policy.  I ran RSOP to verify and have a look.  So it looks like I will have to do everything through the GPO.  Do you have to add users to both Deny and Allow?  Does Deny take precedence over Allow?  I added the users I wanted to have access to Allow, but when Deny is configured, no one can log on.  That is why I was asking about the best way to exclude everyone in the company besides the two users and Administrators.

    Thanks for looking into it.


    DDaleS

    Wednesday, March 9, 2016 4:26 PM
  • Thanks to all that replied.  I understand what I need to do.


    DDaleS

    Monday, March 14, 2016 2:41 PM