How to Prevent a Domain User from Logging into Other Domain Users' Computers?

Anonymous
2024-05-26T15:15:13+00:00

Hello everyone,

I'm currently managing a Windows domain environment, and I've encountered an issue where a domain user can log into any other domain user's computer. This poses a security concern for us, and we would like to restrict this ability.

Could anyone provide guidance on how to configure the domain or group policies to prevent domain users from logging into computers that are not assigned to them? Ideally, we want to limit users to only log into their own designated machines.

Thanks in advance for your help!

Locked Question. This question was migrated from the Microsoft Support Community. You can vote on whether it's helpful, but you can't add comments or replies or follow the question. To protect privacy, user profiles for migrated questions are anonymized.

Accepted answer
  1. Anonymous
    2024-05-27T03:16:42+00:00

    Hi AVIJIT DAS3,

    Thank you for posting in the Microsoft Community Forums.

    You can fulfill the requirement through Group Policy.

    Create a new group policy in GPMC and click Edit. In the Group Policy Management Editor, navigate to:

    Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment

    Click on User Privilege Assignments and find “Access this computer from the network” and “Deny access to this computer from the network” in the right window. Edit these two policies and add the corresponding user groups.

    In the ADUC console, locate and right-click on the user you want to restrict and select “Properties”.

    On the Accounts tab, click the Log On To button.

    Select “Only the following computers” and add the names of the computers the user is allowed to log on to.

    Then test the configured Group Policy to ensure that the new GPOs have been applied to the relevant Organizational Units (OUs) or domains.

    Use the gpupdate /force command to refresh the Group Policy on the client computers.

    Test that users can only log on to the specified computer.

    Best regards

    Neuvi Jiang
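
The ADUC "Log On To" step described in the answer above can also be scripted with the ActiveDirectory PowerShell module. This is an added example, not part of the original answer; the user and computer names are constructed placeholders.

```powershell
#Requires -Modules ActiveDirectory
# Constructed sample mapping: user sAMAccountName -> computers that user may log on to.
# Every name below is a placeholder, not a value from the original thread.
$assignments = @{
    'jdoe'   = @('WKS-JDOE-01')
    'asmith' = @('WKS-ASMITH-01', 'WKS-SHARED-02')
}

foreach ($user in $assignments.Keys) {
    # Resolve each computer object first, so a typo in a name is reported
    # instead of being written into the restriction list.
    $valid = foreach ($name in $assignments[$user]) {
        try {
            (Get-ADComputer -Identity $name -ErrorAction Stop).Name
        } catch {
            Write-Warning "Computer '$name' not found in AD; skipping it for $user"
        }
    }

    # Writing an empty list would clear the restriction, so skip the account instead.
    if (-not $valid) {
        Write-Warning "No valid computers for $user; account left unchanged"
        continue
    }

    # -LogonWorkstations takes ONE comma-separated string; it is stored in the
    # userWorkstations attribute, the same value the ADUC "Log On To" dialog edits.
    # -WhatIf only previews the change; remove it to apply.
    Set-ADUser -Identity $user -LogonWorkstations ($valid -join ',') -WhatIf
}

# Audit: list every account that currently has a workstation restriction.
Get-ADUser -LDAPFilter '(userWorkstations=*)' -Properties LogonWorkstations |
    Select-Object SamAccountName, LogonWorkstations
```

Accounts that do not appear in the audit output have no "Log On To" restriction and can still log on to any domain computer.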
