Restrict User Logon to Specific Computers

by Robert Allen

In this article, you will learn how to restrict a user’s logon to specific computers.

There are multiple ways to limit which computers a user can log on to. I'll show you several examples and which policy settings to use for each.


How User Logon Restrictions work

By default, a domain user can log on to all domain computers. You can manage which computers a user can log on to with the following settings:

  1. The local computers policy (Using Group Policy or Local Policy Editor)
    • Allow Log On Locally
    • Deny Log on Locally
  2. The Active Directory Users Log On to settings

The local computers policy

Each computer has its own Local Computer Policy that is used to control various security settings such as allow or deny local logon.

When a user is added to Active Directory, they are automatically added to the Domain Users group. The Domain Users group is automatically added to the local users group on workstations when they are joined to Active Directory. Here is a breakdown of the process.

  1. A user is added to Active Directory.
  2. The user by default is added to the Domain Users group.
  3. The domain computer has a local group called “Users”. By default the Domain Users group is a member of this group.
  4. Each computer has a local policy called “Allow log on locally”. This policy determines which users can log on to the computer. By default it contains the following users and groups.
    • Administrators
    • Backup Operators
    • Guest
    • Users (Which contains the Domain Users group).
user logon policy diagram

The Active Directory User Log On to

Each user account in Active Directory has a userWorkstations property that controls which computers the account can log on to. By default, it is set to all computers.

You can view this setting by clicking the account tab and clicking the Log On To button.

log on to field in active directory
logon workstations

Now that you know how users are allowed to log on to all computers, let's look at some ways to limit a user's logon.

Example 1. Restrict user logon to a specific computer

In this example, I want to limit the user Albert Atkins to only have rights to logon to a specific computer (PC1). The best option for this is to use the Log On To settings in Active Directory Users and Computers.

Step 1. Open the user account in Active Directory Users and Computers.

Step 2. Click the Account Tab and then Log on To.

user account log on to

Step 3. Enter the computer name in the field, click Add and then OK. You can add more than one computer.

add computer to logon workstations

All Done.

Now when the user tries to logon to any computer besides PC1 they will be denied.
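The same "Log On To" restriction can be set, read back and audited from PowerShell. The script below is an added example, not code from the article; it assumes the RSAT ActiveDirectory module is installed, that "aatkins" is the sAMAccountName of Albert Atkins (a hypothetical name) and that PC1 and PC2 are domain computers. The module exposes the userWorkstations attribute as the LogonWorkstations property, a single comma-separated string.

```powershell
# Added example (not from the article): set, extend, read back and audit the
# userWorkstations ("Log On To") attribute with the ActiveDirectory module.
# Assumptions: RSAT AD module present; "aatkins" is a hypothetical account.
Import-Module ActiveDirectory

$user = 'aatkins'

# Restrict the account to PC1 only (same result as the ADUC steps above).
Set-ADUser -Identity $user -LogonWorkstations 'PC1'

# Read it back. An empty value means the default: all computers.
$u = Get-ADUser -Identity $user -Properties LogonWorkstations
$allowed = if ([string]::IsNullOrEmpty($u.LogonWorkstations)) { '<all computers>' } else { $u.LogonWorkstations }
Write-Host ("{0} may log on to: {1}" -f $u.SamAccountName, $allowed)

# Add a second computer without losing the first. The attribute is one
# comma-separated string, so merge and de-duplicate instead of overwriting.
$current = @($u.LogonWorkstations -split ',' | Where-Object { $_ })
$merged  = (@($current) + 'PC2' | Sort-Object -Unique) -join ','
Set-ADUser -Identity $user -LogonWorkstations $merged

# Audit: list every enabled user that currently has a logon restriction, so
# you can review who is locked to which computers before changing anything.
Get-ADUser -Filter 'Enabled -eq $true' -Properties LogonWorkstations |
    Where-Object { $_.LogonWorkstations } |
    Select-Object SamAccountName, LogonWorkstations |
    Format-Table -AutoSize

# To remove the restriction again (back to "all computers"), clear the attribute:
# Set-ADUser -Identity $user -Clear userWorkstations
```

The audit query at the end is worth running before and after a change: a user whose LogonWorkstations value contains a misspelled computer name will be denied on every machine, and the "your account is configured to prevent you from using this PC" message gives the help desk no hint why.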

your account is configured to prevent you from using this pc

This method is easy when you need to limit a small group of computers. If you need to edit a large group of users then check out the next example.

Example 2. Bulk Edit Log on To field in Active Directory

In this example, I want to modify the Log On To field for 100 users. Unfortunately this is very limited in ADUC, so to make it easier I'll use the AD Pro Toolkit.

Step 1. Create a CSV file with two columns

  • ID = This is used to identify the accounts
  • userWorkstations = the computers you want to limit an account to log on to.

Step 2. Modify CSV file

You can enter multiple computers by separating with a comma.

Step 3. Run Bulk User Updater Tool

From the AD Pro Toolkit (Click on User Management > Bulk User Modification)

Next, select your csv template and click run.

update userworkstations attribute

All done. I just modified the log on to field for 100 users in just a few clicks of the mouse.
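If you would rather not use a third-party tool, the same CSV layout (ID and userWorkstations columns) can be applied with the ActiveDirectory module. This is an added example, not code from the article or from the AD Pro Toolkit; it assumes a file named logon.csv (hypothetical) with ID holding the sAMAccountName, and it validates every computer name against AD before writing, because a typo in this attribute locks the user out of every machine rather than failing loudly.

```powershell
# Added example (not from the article or the AD Pro Toolkit): bulk-update the
# userWorkstations attribute from a CSV. Assumed file logon.csv (constructed):
#   ID,userWorkstations
#   aatkins,PC1
#   bsmith,"PC1,PC2"
Import-Module ActiveDirectory

function Set-LogonWorkstationsFromCsv {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Path)

    foreach ($row in Import-Csv -Path $Path) {
        # Normalise the list: split on commas, trim, drop blanks, de-duplicate.
        $names = @($row.userWorkstations -split ',' |
                   ForEach-Object { $_.Trim() } |
                   Where-Object { $_ } |
                   Sort-Object -Unique)

        if ($names.Count -eq 0) {
            Write-Warning "$($row.ID): no computers listed; skipped"
            continue
        }

        # Check each name is a real computer object so a typo does not silently
        # deny the user on the machine they were meant to keep.
        $missing = foreach ($n in $names) {
            if (-not (Get-ADComputer -Filter "Name -eq '$n'")) { $n }
        }
        if ($missing) {
            Write-Warning "$($row.ID): unknown computer(s) $($missing -join ', '); skipped"
            continue
        }

        $value = $names -join ','
        if ($PSCmdlet.ShouldProcess($row.ID, "set userWorkstations to '$value'")) {
            Set-ADUser -Identity $row.ID -LogonWorkstations $value
        }
    }
}

# Dry run first (prints what would change), then apply for real.
Set-LogonWorkstationsFromCsv -Path .\logon.csv -WhatIf
Set-LogonWorkstationsFromCsv -Path .\logon.csv
```

Because the function supports -WhatIf, you can review the full list of intended changes before any account is touched, which is the safeguard the article's conclusion asks for.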

add multiple computers to logon to field

Example 3. Restrict User Logon to Specific Computer with Group Policy

In this example, I have a group of users that I want to prevent from logging on to a group of computers, such as all the accounting department computers. For this, I’ll use group policy to modify the Deny log on locally policy.

Step 1. Create an Active Directory group. I’ve named my group “Deny Logon Accounting Computers”. Then add the users you want to deny logon for.

active directory group deny logon

Step 2. Open Group Policy Management Console

Step 3. Create a new GPO and edit the following policy setting.

Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment

user rights assignment in group policy

Step 4. Open the Deny log on locally policy and add the group you created from step 1.

deny logon on locally gpo policy

Click OK to save and close the policy.

Step 5. Link the GPO to an OU

Now link the GPO to a group of computers in Active Directory. This can be an existing OU or you may need to create a new one. I linked this GPO to my Accounting OU.

deny logon accounting computers

Step 6. Wait for GPO to refresh and test the deny logon policy.

When a user who is a member of the Deny Logon Accounting Computers group tries to log on, they will be denied.

the sign in method isn't allowed

To verify the settings you can open the local group policy editor on one of the computers that has the GPO applied. Look at the deny log on locally setting and it should have your AD group configured.

deny log on locally to ad group

Example 4. Limit computers logon to specific users

In this example, I want to limit who can logon to a group of computers. So instead of allowing everyone and blocking specific users I want to do the reverse of this (block everyone and allow specific users). This is useful for kiosk or a lab environment where you need to limit who is authorized to logon.

These steps are very similar to example 3, except this one uses the Allow log on locally policy.

Step 1. Open Group Policy Management Console

Step 2. Create a new GPO and edit the following policy setting.

Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment

Step 3. Edit the Allow log on locally policy. You can add users or groups to the policy.

Warning: You will want to add your administrator accounts to this policy or they will be denied logon. To be clear, the only accounts that will have permission to log on will be the ones listed in this policy.

add users to allow log on locally policy

Step 4. Now link the GPO to an OU that you want this policy to apply to. For example, I’m linking this to my Student Lab OU. This will limit the logons to all of these computers.

link gpo to ou

Step 5. Wait for GPO policy to refresh and test the results.
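Both Example 3 and Example 4 end with "wait for the GPO to refresh and test". Rather than testing by trial logon, you can read the effective user rights from the computer itself. The script below is an added example, not code from the article: it runs secedit to export the local security policy, resolves the SIDs in the Allow log on locally and Deny log on locally rights to names, and warns if Administrators are missing from the allow list (the lockout the warning in Example 4 describes). Run it in an elevated PowerShell on a computer the GPO is linked to, after `gpupdate /force`. Remember that a Deny right always wins over an Allow right for the same account.

```powershell
# Added example (not from the article): show which accounts a computer
# currently allows or denies interactive logon. secedit exports the effective
# local security settings to an INF file whose [Privilege Rights] section
# lists each user right as comma-separated SIDs prefixed with "*".
function Get-InteractiveLogonRights {
    $inf = Join-Path $env:TEMP 'userrights.inf'
    & secedit.exe /export /cfg $inf /areas USER_RIGHTS /quiet | Out-Null
    if (-not (Test-Path $inf)) { throw 'secedit export failed; run this from an elevated prompt.' }

    $rights = @{
        'SeInteractiveLogonRight'     = 'Allow log on locally'
        'SeDenyInteractiveLogonRight' = 'Deny log on locally'
    }
    $result = @{}
    foreach ($line in Get-Content $inf) {
        if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
            $rightName = $Matches[1]
            $holders   = $Matches[2]
            if (-not $rights.ContainsKey($rightName)) { continue }
            $names = foreach ($entry in ($holders -split ',')) {
                $entry = $entry.Trim()
                if ($entry -like '*S-1-*') {
                    # Translate e.g. "*S-1-5-32-544" into "BUILTIN\Administrators".
                    try {
                        $sid = New-Object System.Security.Principal.SecurityIdentifier ($entry.TrimStart('*'))
                        $sid.Translate([System.Security.Principal.NTAccount]).Value
                    } catch { $entry }   # unresolvable SID (e.g. deleted group): keep raw
                } else { $entry }        # already a name
            }
            $result[$rights[$rightName]] = @($names)
        }
    }
    Remove-Item $inf -ErrorAction SilentlyContinue

    # A right that does not appear in the export has no holders at all.
    foreach ($label in $rights.Values) {
        if (-not $result.ContainsKey($label)) { $result[$label] = @() }
    }
    return $result
}

$r = Get-InteractiveLogonRights
foreach ($k in $r.Keys) { "{0}: {1}" -f $k, ($r[$k] -join ', ') }

# The lockout check from Example 4's warning: an allow list without
# Administrators denies your admins as well.
if ($r['Allow log on locally'] -notcontains 'BUILTIN\Administrators') {
    Write-Warning 'BUILTIN\Administrators is not in "Allow log on locally" on this computer.'
}
```

On a machine with the Example 3 GPO applied you should see your deny group (for example "DOMAIN\Deny Logon Accounting Computers") under Deny log on locally; on an Example 4 lab computer the Allow log on locally line should contain only the accounts you listed, plus Administrators.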

Conclusion

In this article, I showed you a few ways to limit which computers a user can log on to. Make sure you test these policies before rolling them out to production users and computers; a wrong setting could block all users from logging on.

If I missed a scenario please let me know in the comments and I’ll add it to the article.

Recommended Tools

  • AD Cleanup Tool - Find stale and inactive user and computer accounts in Active Directory. Export, disable, move or delete the stale accounts to increase security.
  • AD User Creation Tool - Bulk import or update Active Directory user accounts. Add users to groups, import into OUs, set multiple attributes and more.
  • NTFS Permissions Tool - Scan and audit NTFS folder permissions. See which users and groups have access to what.
  • AD Reporting Tool - Over 200 reports on users, computers, groups, OUs and more. Customize reports or create your own reports with the report builder.
