How to a computer just can log on one user ?

  • Question

  • I have a system network. On the server I have installed Windows Server 2k8 R2 Enterprise and 40 clients.

    I have configured upgrade Domain and the clients joined it.

    I created 40 domain user accounts. So, how can I configure on the server that one computer can be logged on to by just one user account?

    Example: Computer 1: only User 1 can log on, and other user accounts can't log in on this computer.

    Help me. 

    Wednesday, January 21, 2015 6:38 AM

Answers

  • Hi Trandao,

    There is a very easy way if you are okay with just the opposite. (Each user logs in to only selected PCs.)

    You can restrict user accounts to log onto specific computers using 'Log on to' on the Account tab of ADUC.

    Please note it has a limitation on the no. of computers to be listed.

    Some applications, such as Exchange OWA, require you to mention the server names (CAS, AD, VPN) too for them to work properly for the user account.

    Screenshot below:

    References:

    https://social.technet.microsoft.com/Forums/windowsserver/en-US/d31ef856-d3d4-44d3-b52d-4b07fdaf772e/restricting-user-accounts-to-log-onto-specific-computers-using-log-on-to?forum=winserverDS


    Regards,

    Satyajit

    Please “Vote As Helpful” if you find my contribution useful or “Mark As Answer” if it does answer your question. That will encourage me - and others - to take time out to help you.

    • Marked as answer by Amy Wang_ Tuesday, February 3, 2015 12:09 PM
    Wednesday, January 21, 2015 7:18 AM
  • Hi Trandao,

    You can use a GPO at the PC level or domain level to explicitly define who can log in using 'Allow Log on Locally'.

    This could be used if you have groups of computers with a common set of users. (Used by domain controllers to restrict users' local logins.)

    1. For your scenario, this could be used, but it is not recommended, as it would require 40 individual GPOs, one for each computer, as your requirement is 1-1 (Computer 1: can allow logon of User1 only, and other user accounts can't log on to this computer).

    2. If your requirement doesn't have this, then the Log-on-To method is best.

    (Other users can't log on to this computer, but should be able to log in to all other computers)

    3. Or if you actually want this, the Log-on-To method is best.

    (One user should be able to log in to one computer only; it's where the user can log in and not what the computer allows)

    Edit the GPO:

    Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment

    Allow Log on locally

    Determines which users can log on to the computer.

    If Not Defined (Default):

    • On workstations and servers: Administrators, Backup Operators, Power Users, Users, and Guest.
    • On domain controllers: Account Operators, Administrators, Backup Operators, and Print Operators.

    You might also want to use Deny Logon Locally too if you have specific requirements. (NOTE: Deny overwrites Allow)


    Regards,

    Satyajit

    • Marked as answer by Amy Wang_ Tuesday, February 3, 2015 12:09 PM
    Wednesday, January 21, 2015 7:45 AM

All replies

  • Hello Everyone

    I have a system network. On the server I have installed Windows Server 2k8 R2 Enterprise and 40 clients.

    I have configured upgrade Domain and the clients joined it.

    I created 40 domain user accounts. So, how can I configure on the server that one computer can be logged on to by just one user account?

    Example: Computer 1: only User 1 can log on, and other user accounts can't log in on this computer.

    Help me.

    • Merged by Amy Wang_ Thursday, January 22, 2015 7:03 AM Duplicate
    Wednesday, January 21, 2015 6:40 AM
  • Hi,

    Use the AD Users and Computers MMC, go to each user's properties and, on the "Account" tab, select the "Log on To.." button and fill in the computer accounts for which you want the user to be allowed to log in. Anything else that is not in the list will prevent the user from logging in. You can use scripts to automate this change for multiple users.

    Hope it helps.

    Regards,

    Calin

    Wednesday, January 21, 2015 8:14 AM
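
The scripted form of the "Log on To" change described in the reply above, as an added example that is not part of the original thread. It assumes the ActiveDirectory PowerShell module is available; the user, computer and server names in it are constructed placeholders.

```powershell
# Added example: pin each domain user to one workstation (the "Log on To"
# list in ADUC, stored on the user object and set with -LogonWorkstations).
Import-Module ActiveDirectory

# Constructed sample mapping; replace with your real account and PC names.
$mapping = @'
User,Computer
user01,PC01
user02,PC02
user03,PC03
'@ | ConvertFrom-Csv

# Extra hosts every user must still reach (the thread notes that some
# applications need their server names listed). Hypothetical; empty by default.
$alwaysAllowed = @()   # e.g. @('SRV-CAS01')

foreach ($row in $mapping) {
    $user = Get-ADUser -Filter "SamAccountName -eq '$($row.User)'"
    if (-not $user) {
        Write-Warning "User '$($row.User)' not found, skipped"
        continue
    }

    # Refuse to write a name that does not exist in the domain: a typo here
    # would leave the user unable to log on anywhere.
    $hosts   = @($row.Computer) + $alwaysAllowed
    $missing = $hosts | Where-Object { -not (Get-ADComputer -Filter "Name -eq '$_'") }
    if ($missing) {
        Write-Warning "Unknown computer(s) for $($row.User): $($missing -join ', '), skipped"
        continue
    }

    # -LogonWorkstations takes one comma-separated string.
    # Remove -WhatIf once the preview output looks right.
    Set-ADUser -Identity $user -LogonWorkstations ($hosts -join ',') -WhatIf
}

# Review: list every account that currently carries a restriction.
Get-ADUser -Filter * -Properties LogonWorkstations |
    Where-Object { $_.LogonWorkstations } |
    Select-Object SamAccountName, LogonWorkstations
```

The final query is also useful as a periodic check for accounts whose restriction was removed or widened.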
  • Thank you. It is very useful to me

    Can I ask one more question? With your solution I can prevent other user accounts from logging on, but the Admin domain account is not.

    If the Admin domain account can log on, I think the client will find a way to crack the admin's password.

    So, how to prevent the Admin domain account from logging on to the client's computer?

    Thursday, January 22, 2015 1:04 AM
  • Hi,

    I believe that is valid for the Admin account as well. And it would be very hard to crack a password if that one complies with some policies (complexity enforced, length, etc.). Admins are supposed to be trusted persons that manage the infrastructure. In other words, you would need to have some rules in place and security policies, and enforce those.

    Regards,

    Calin

    Thursday, January 22, 2015 3:20 PM