How to restrict use of a computer to one domain user only

Author:
Yuval Sinay MVP
SYMPTOMS
When you create trust connections from one domain to another, or from one forest to another, users can log on to
domains other than their home domain (the domain that hosts their accounts).
 
CAUSE
Trust connections from one domain to another, or from one forest to another, enable users to log on to
domains other than their home domain (the domain that hosts their accounts).
The "Authenticated Users" group on each computer allows users from a trusted domain to authenticate
and log on to the computer.
RESOLUTION
 
Option A: Domain Wide Policy
 
 
By using the Group Policy capabilities of a Windows 2000/2003 domain, you can prevent users
from logging on to domains other than their home domain (the domain that hosts their accounts).
 
 
1. In the target domain, create a new domain-wide GPO and assign the "Deny logon locally" user right
     to the source domain user accounts.
 
Note: Some services (such as backup software services) may be affected by this policy and stop functioning.
         To avoid future problems, apply this policy using the GPO security filtering feature.
 
Deny logon locally
 

 
Filter using security groups
 

 
 
2. Run "Gpupdate /force" on the domain controller.
 
 
Option B: Remove "NT AUTHORITY\Authenticated Users" from the member list of the local "Users" group
 
 
To remove the ability to log on to one or a few computers, follow the instructions below:
 
1. Right-click the "My Computer" icon on the desktop.
 
2. Choose "Manage".
 
3. Expand "Local Users and Groups".
 
4. Click "Groups".
 
5. On the right side of the screen, double-click the "Users" group.
 
6. Remove "NT AUTHORITY\Authenticated Users" from the list.
 
7. Add the required users and/or groups to the "Users" local group.
 

Option C: Configure the "Deny logon locally" user right on the local computer(s)
 
 
To remove the ability to log on to one or a few computers, follow the instructions below:
 
1. Go to "Start" -> "Run".
 
2. Type "Gpedit.msc".
 
3. Assign the "Deny logon locally" user right to the source domain user accounts.
 
Note: Some services (such as backup software services) may be affected by this policy and stop functioning.
        
 
Deny logon locally
 

 
 
4. Run "Gpupdate /force" on the local computer.
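 
To confirm the outcome of Options A to C on a given computer, the following PowerShell script (an added example, not part of the original article) reports which accounts hold the "Deny logon locally" right, stored as SeDenyInteractiveLogonRight, and whether "Authenticated Users" is still a member of the local "Users" group. It assumes Windows PowerShell 5.1 or later and an elevated prompt; the helper function names and the temporary file name are chosen here for illustration.

```powershell
# Added example: read-only audit of one computer for Options A-C. Run elevated.
# Assumes Windows PowerShell 5.1+ (Get-LocalGroupMember). Nothing is changed.
$AuthUsersSid  = 'S-1-5-11'       # NT AUTHORITY\Authenticated Users
$UsersGroupSid = 'S-1-5-32-545'   # BUILTIN\Users

function Get-DenyLogonLocally {
    # Hypothetical helper: parses a secedit export. The right appears as e.g.
    # "SeDenyInteractiveLogonRight = *S-1-5-32-546,SomeAccount".
    param([string[]]$InfLines)
    $line = $InfLines |
        Where-Object { $_ -match '^\s*SeDenyInteractiveLogonRight\s*=' } |
        Select-Object -First 1
    if (-not $line) { return @() }   # the right is not assigned to anyone
    ($line -split '=', 2)[1] -split ',' |
        ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ }
}

function Resolve-Entry {
    # Hypothetical helper: SID string -> DOMAIN\name; plain names pass through.
    param([string]$Entry)
    if ($Entry -notmatch '^S-1-') { return $Entry }
    try {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($Entry)
        $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch { "$Entry (unresolved)" }
}

# Options A and C: who is denied interactive logon on this computer?
$cfg = Join-Path $env:TEMP 'user_rights_export.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS /quiet
$denied = @(Get-DenyLogonLocally (Get-Content $cfg) |
    ForEach-Object { Resolve-Entry $_ })
Remove-Item $cfg -ErrorAction SilentlyContinue

# Option B: is Authenticated Users still a member of the local Users group?
$members = @(Get-LocalGroupMember -SID $UsersGroupSid)
$authPresent = @($members | Where-Object { $_.SID.Value -eq $AuthUsersSid }).Count -gt 0

[pscustomobject]@{
    Computer                  = $env:COMPUTERNAME
    DenyLogonLocally          = if ($denied) { $denied -join '; ' } else { '(none)' }
    AuthenticatedUsersInUsers = $authPresent
    UsersGroupMembers         = ($members.Name -join '; ')
}
```

Run it after "Gpupdate /force" has completed; an entry reported as "(unresolved)" is a SID the computer could not translate to a name, which is worth checking against the trusted domain.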
 
 
Option D: Use Selective Authentication when using a Forest Trust
 
 
Creating Forest Trusts
 

 
 
MORE INFORMATION
 
Log on locally



Group Type and Scope Usage in Windows 

 
Properties

Article ID: 555317 - Last Review: 05/21/2005 09:35:00 - Revision: 1.0

Microsoft Windows Server 2003, Enterprise Edition, Microsoft Windows Server 2003, Standard Edition, Microsoft Windows Server 2003, Datacenter Edition, Microsoft Windows Server 2003, Enterprise Edition for Itanium-based Systems, Microsoft Windows 2000 Enterprise Edition, Microsoft Windows XP Professional, Microsoft Windows XP Media Center Edition 2002
