GPO: how to limit the users able to log on to a PC

Tags: active-directory, group-policy

In an Active Directory domain I'd like to have some PCs assigned to single people.
For example, on computer_a the only people allowed to log on should be person_a plus the various administrators.

One common solution I found is to use the Logon Locally GPO, but this would require creating a new GPO and OU for each computer, as each computer would be assigned to a different user. Is there a better way?

One possible alternative I'm experimenting with is the following:

  • use GPO to remove from the local users group the following accounts: NT AUTHORITY\INTERACTIVE and NT AUTHORITY\Authenticated Users
  • add the user domain account to the local users group

This seems to work fine, but I'm worried about possible problems caused by the removal of the two special groups.

Is there a better solution?

Best Answer

In the end here's what I did:

  • used the "Allow log on locally" policy to allow only the 'BUILTIN\Administrators', 'DOMAIN\Domain Admins' and 'allowlogon' groups, where allowlogon is a local group on each machine
  • the allowlogon local group is created on each machine through GPP
  • on each machine, just after joining it to the domain, it is enough to add the specified user to the allowlogon group and he'll be the only one allowed to log on (net localgroup allowlogon /add DOMAIN\user)
    • It's also possible to manage the allowlogon membership through AD without using more GPOs, by simply creating a global security group for each computer (allowlogon-computer1) and putting in there the users allowed to log in. The allowlogon-computer1 group will need to be added to the local allowlogon group on computer1, but this can be done through GPP using allowlogon-%COMPUTERNAME%. (It doesn't seem to be possible to simply add allowlogon-%COMPUTERNAME% to the "Allow log on locally" policy.)
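A verification script for the design in the accepted answer, added here as an example and not part of the original question or answer: it checks that the local allowlogon group exists and contains only the intended members, then exports the effective security policy with secedit and confirms that the "Allow log on locally" right (SeInteractiveLogonRight) is held only by BUILTIN\Administrators, DOMAIN\Domain Admins and the local allowlogon group. The group name allowlogon and the DOMAIN prefix come from the answer; `DOMAIN\user` is a placeholder. It assumes Windows 10 / Server 2016 or later (for the Microsoft.PowerShell.LocalAccounts cmdlets) and an elevated PowerShell session for secedit.

```powershell
# Added example, not code from the original post.
# Verifies a machine against the answer's design:
#   1. local group 'allowlogon' exists and holds only the expected accounts
#   2. 'Allow log on locally' is granted only to Administrators, Domain Admins
#      and the local allowlogon group
# Run elevated. 'DOMAIN\user' is a placeholder for the assigned user.

param(
    [string]   $GroupName       = 'allowlogon',
    [string[]] $ExpectedMembers = @('DOMAIN\user'),   # placeholder account
    [string]   $DomainNetbios   = 'DOMAIN'
)

# --- 1. Local group: the answer creates it through GPP; create it only if it is missing.
if (-not (Get-LocalGroup -Name $GroupName -ErrorAction SilentlyContinue)) {
    New-LocalGroup -Name $GroupName -Description 'Accounts allowed to log on interactively'
}

$actual     = @(Get-LocalGroupMember -Group $GroupName | Select-Object -ExpandProperty Name)
$unexpected = @($actual          | Where-Object { $_ -notin $ExpectedMembers })
$missing    = @($ExpectedMembers | Where-Object { $_ -notin $actual })

if ($unexpected) { Write-Warning "Unexpected members of ${GroupName}: $($unexpected -join ', ')" }
if ($missing)    { Write-Warning "Missing members of ${GroupName}: $($missing -join ', ')" }

# --- 2. Effective user-rights assignment: export the policy and read the
#        SeInteractiveLogonRight line. secedit writes principals as *<SID>
#        (or occasionally as plain names), so resolve each entry to an NTAccount.
$cfg = Join-Path $env:TEMP 'secpol-export.inf'
secedit /export /cfg $cfg /quiet | Out-Null
$line = Select-String -Path $cfg -Pattern '^SeInteractiveLogonRight' | Select-Object -First 1
Remove-Item $cfg -ErrorAction SilentlyContinue

$holders = @()
if ($line) {
    $raw = ($line.Line -split '=', 2)[1].Trim()
    $holders = @($raw -split ',' | ForEach-Object {
        $entry = $_.Trim()
        if ($entry.StartsWith('*')) {
            try {
                $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.Substring(1))
                $sid.Translate([System.Security.Principal.NTAccount]).Value
            } catch {
                $entry   # unresolvable SID (e.g. orphaned account): keep the raw value so it is reported
            }
        } else {
            $entry
        }
    })
}

# The three principals the answer allows. The local group resolves as COMPUTERNAME\allowlogon.
$allowed = @(
    'BUILTIN\Administrators',
    "$DomainNetbios\Domain Admins",
    "$env:COMPUTERNAME\$GroupName"
)

$extra = @($holders | Where-Object { $_ -notin $allowed })
if (-not $line) {
    Write-Warning 'SeInteractiveLogonRight not found in the exported policy (is the session elevated?)'
} elseif ($extra) {
    # Before the GPO applies, the Windows defaults (Users, Backup Operators) show up here.
    Write-Warning "Allow log on locally is also granted to: $($extra -join ', ')"
} else {
    Write-Output "Allow log on locally is limited to: $($holders -join ', ')"
}
```

Running this on a freshly joined machine before the GPO has applied should report the default holders (Users, Backup Operators) as extra; once the policy in the answer is in force the right should be reduced to the three expected principals, and any drift in the allowlogon membership shows up in the first warnings.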