Windows XP: Lockout users

[StarsFan4Life]

I was wondering if it is possible for me to lockout users on a Windows XP machine that is on the domain, allowing only 1 person with a domain account to login instead of anyone with a domain account to login.

 

[dragontales]

It's quite simple. Go to the AD and locked their account.

 

[bigdogchris]

Go to the computer manager, users. In the account options thre is a check box to disable account.

 

[Gambit]

I don't think that's what he's asking. I think he's asking how to only allow one person to log into a particular computer, instead of anyone that has a valid login, but still allow anyone to log into other domain computers. You'll need to use group policy, as #6 describes below.

 

[Vermillion]

If I understand you right you want a single person to have access to a computer on a domain and nobody else has access.

Under Groups on the machine in question you would remove the Domain Users name from the list and add just that one person's name. That should keep out anybody that is only a Domain User except for that one person. But remember that the Domain Admins group would still be under the Administrators group so anybody with Admin rights could still log in.

 

[pallesen]

#4 Is right. You should use group policies for this. On the local machine: secpol.msc > user rights > log on locally

 

[Version_3]

If I understand you right you want a single person to have access to a computer on a domain and nobody else has access.

Under Groups on the machine in question you would remove the Domain Users name from the list and add just that one person's name. That should keep out anybody that is only a Domain User except for that one person. But remember that the Domain Admins group would still be under the Administrators group so anybody with Admin rights could still log in.

This is probably the best and easiest way, IMO. I approve this message.

 

[pallesen]

#7 domain users would still be able to log on after that.

 

[Version_3]

#7 domain users would still be able to log on after that.

How would domain users be allowed to log on if the domain users group is not on the computer?

I guess AD fails in that regard. No matter what groups are or are not on the machine, domain users can still log in? Seems like a big security hole.

 

[pallesen]

Why? It is not a requirement to be member of any groups to be able to log on. That is granted elsewhere (in the group policy)

 

[Version_3]

So you're telling me I slap a machine on the domain, and anyone can log into it? I just have to deny it in gpedit?

Question for the OP then: Is group policy something that's domain managed, or local?

 

[pallesen]

As long as "domain users" is a member of "log on locally" under "user rights" then yes, they can log on.