[Question] How to list all AD user accounts that can log in to PC1?

SHAO JUNG LU 21 Reputation points
2022-07-20T07:14:29.27+00:00

If PC1, PC2 joined an AD domain

Q1. If I am not the administrator of the AD domain, but I am the local administrator of PC1, is there a way to list all AD user accounts that can log in to PC1 by local login or mstsc?

Q2. Can all user accounts in the AD domain log in to PC1 and PC2?
If I am an AD domain administrator and a local administrator of PC1, but not a local administrator of PC2:
Could I set ADUser1 so that it can log in to PC1, but cannot log in to PC2 (log in locally or via mstsc)?
Could I set ADUser2 so that it can log in to PC2, but cannot log in to PC1 (log in locally or via mstsc)?
How do I set this?

Thank you very much.

Active Directory

6 answers

  1. Gary Reynolds 9,416 Reputation points
    2022-07-20T09:10:31.647+00:00

    Hi @SHAO JUNG LU

    To view the list of users that are able to log on to a PC, you need to look at the User Rights and the Allow log on locally right. To do this, open secpol.msc and navigate to Security Settings -> Local Policies -> User Rights Assignment, and view the entries in Allow log on locally. The members, and the members of the groups, listed in this right can log on locally to the machine. Also check Allow log on through Remote Desktop Services for users that can log on via RDP.


    Gary.

    1 person found this answer helpful.
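    The check described in this answer can be scripted so it can be repeated every month. The following is an added example, not code from the original thread: it exports the effective local security policy with secedit, reads the four logon-related user rights, resolves the SIDs to account names and expands local groups such as BUILTIN\Users so the domain groups behind them (which is what normally lets every domain user log on) become visible. It assumes an elevated PowerShell on PC1; being a local administrator is enough and no domain rights are needed. The file name under $env:TEMP is an arbitrary choice.

```powershell
# Added example (not from the original thread): audit the four logon rights on this PC.
# Run from an elevated PowerShell on PC1; local administrator rights are sufficient.

$rights = [ordered]@{
    'SeInteractiveLogonRight'           = 'Allow log on locally'
    'SeDenyInteractiveLogonRight'       = 'Deny log on locally'
    'SeRemoteInteractiveLogonRight'     = 'Allow log on through Remote Desktop Services'
    'SeDenyRemoteInteractiveLogonRight' = 'Deny log on through Remote Desktop Services'
}

# secedit writes a UTF-16 .inf file; only the USER_RIGHTS area is needed here.
$inf = Join-Path $env:TEMP 'user-rights-export.inf'   # arbitrary scratch file name
& secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null

function Resolve-Principal {
    param([string]$Entry)
    # secedit prefixes SIDs with '*'; anything else is already an account name.
    if ($Entry -notmatch '^\*?S-1-\d') { return $Entry }
    try {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($Entry.TrimStart('*'))
        return $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        return "$Entry (unresolved, possibly a deleted account)"
    }
}

# Parse lines of the form: SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545
$policy = @{}
foreach ($line in Get-Content -Path $inf) {
    if ($line -match '^(Se\w+)\s*=\s*(.*)$' -and $rights.Contains($Matches[1])) {
        $policy[$Matches[1]] = @($Matches[2] -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    }
}

foreach ($name in $rights.Keys) {
    Write-Output "== $($rights[$name]) ($name) =="
    # A right that is missing from the export, or empty, is held by nobody.
    if (-not $policy.ContainsKey($name) -or $policy[$name].Count -eq 0) {
        Write-Output '  (no one)'
        continue
    }
    foreach ($entry in $policy[$name]) {
        Write-Output "  $(Resolve-Principal $entry)"
        # Expand local groups so the accounts behind e.g. BUILTIN\Users are visible.
        # For users, domain groups and well-known principals Get-LocalGroupMember
        # throws, and the entry is simply not expanded.
        if ($entry -match '^\*?S-1-\d') {
            try {
                Get-LocalGroupMember -SID $entry.TrimStart('*') -ErrorAction Stop |
                    ForEach-Object { Write-Output "      -> $($_.Name)  [$($_.ObjectClass), $($_.PrincipalSource)]" }
            } catch { }
        }
    }
}

Remove-Item -Path $inf -ErrorAction SilentlyContinue
```

    When reading the output, the two Deny rights win over the corresponding Allow rights, and the export already reflects settings pushed by domain Group Policy, so what you see is what the PC enforces. On a typical domain-joined PC the expansion of BUILTIN\Users shows DOMAIN\Domain Users, which is why every domain account can log on unless something else restricts it.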

  2. Newbie Jones 1,341 Reputation points
    2022-07-20T10:09:37.67+00:00

    I suspect that all AD users will be able to logon to the machine, unless you have restricted this in AD.

    A local login and AD login are slightly different things. When you login via AD, the account is cached on the machine, but this is not the same as a local login.

    A local login is an account on the machine itself, which, if the machine is joined to AD, shouldn't really be needed. I always get squeamish when I read these types of posts, as it means you aren't using AD to control the device fully. It's just a support nightmare. All of this should be controlled by AD and group policy. That is how restrictions should be applied to domain joined machines.

    Remote desktop (mstsc) is just the method for accessing the PC.

    Check the "Remote Desktop Users" local group to see who has access to do this.

    To restrict AD users' ability to log on to domain joined devices, it should be done within AD, using the "Log On To" attribute on the account.

    1 person found this answer helpful.
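    The "Log On To" setting and the local "Remote Desktop Users" group mentioned in this answer map directly to the scenario in the question. The following is an added example, not code from the original thread: it scopes ADUser1 to PC1 and ADUser2 to PC2 through the account's "Log On To" list (the LDAP attribute userWorkstations), reads the setting back, and then reviews the local group that gates RDP on PC1. It assumes the RSAT ActiveDirectory module and a domain account permitted to modify those users; ADUser1, ADUser2, PC1 and PC2 are the names from the question, and CONTOSO is a placeholder domain name.

```powershell
# Added example (not from the original thread): restrict domain accounts to
# specific computers and review who may use RDP on PC1.
# Assumes the RSAT ActiveDirectory module; CONTOSO is a placeholder domain name.

Import-Module ActiveDirectory

# The value is a comma-separated list of NetBIOS computer names. An empty list,
# which is the default, means the account may log on to every domain-joined PC.
Set-ADUser -Identity 'ADUser1' -LogonWorkstations 'PC1'
Set-ADUser -Identity 'ADUser2' -LogonWorkstations 'PC2'

# Read the setting back. The domain controller enforces it at logon time, so it
# also holds on PC2, where you are not a local administrator.
'ADUser1', 'ADUser2' |
    Get-ADUser -Properties LogonWorkstations |
    Select-Object SamAccountName, LogonWorkstations

# Run the next part on PC1 as its local administrator: list who may connect with
# mstsc. Members of the local Administrators group are allowed as well through
# the default "Allow log on through Remote Desktop Services" user right.
Get-LocalGroupMember -Group 'Remote Desktop Users' |
    Select-Object Name, ObjectClass, PrincipalSource

# Grant RDP on PC1 to one domain user; this is a local change on PC1 only.
Add-LocalGroupMember -Group 'Remote Desktop Users' -Member 'CONTOSO\ADUser1'

# To lift the AD-side restriction again, clear the underlying attribute.
Set-ADUser -Identity 'ADUser1' -Clear 'userWorkstations'
```

    The two mechanisms compose: the AD attribute decides on which computers the account may log on at all, while the local user rights and the Remote Desktop Users group on each PC decide whether a given account may log on at the console or over RDP there.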

  3. SHAO JUNG LU 21 Reputation points
    2022-07-21T00:07:11.853+00:00

    Hi GaryReynolds,

    (screenshots attached: 1a, 1b, 1c)

    1 person found this answer helpful.

  4. SHAO JUNG LU 21 Reputation points
    2022-07-21T00:31:29.893+00:00

    Hi NewbieJones-6218,

    "its means you aren't using AD to control the device fully."

    It is not my job and privilege. I cannot do it even though I could.

    Actually, I am not the highest AD domain administrator;
    I am just the PC1 local administrator, permanently.

    I only log in and look at the AD server as my duties' regulations require,
    though I temporarily have an AD domain administrator account/password
    and an AD user account that belongs to Domain Admins.

    I want to check and list, every month, all accounts that can log in to PC1, including

    1. PC1 account by login PC1 locally (computer self)
    2. PC1 account by login PC1 remotely (other computer)
    3. AD Domain account by login PC1 locally (computer self)
    4. AD Domain account by login PC1 remotely (other computer)

    I know how to do 1 and 2.

    But how do I do 3 and 4 on PC1 now?

    How do I do 3 and 4 on PC1 if I am not an AD domain administrator and not in Domain Admins?

    1 person found this answer helpful.

  5. Limitless Technology 39,646 Reputation points
    2022-07-21T07:37:36.38+00:00

    Hello

    Thank you for your question and for reaching out. I understand you have a query related to login methods on a PC.

    1. Even if you are not a local admin on the PC, if you have an AD account you can list all information about users using an LDAP query, even if you are a non-admin in AD; at a minimum you need an AD account.
    2. If PC1 and PC2 are joined to AD, then yes, by default all AD users can log in to any AD-joined computer, but you can restrict them by GPO or Restricted Groups.

    --If the reply is helpful, please Upvote and Accept as answer--

    1 person found this answer helpful.
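    The LDAP query in point 1 can be run with nothing more than a domain account, which fits the situation of a PC1 local administrator who is not a domain admin. The following is an added example, not code from the original thread: using the built-in [adsisearcher] (no RSAT module needed), it enumerates enabled domain users and splits them into those whose "Log On To" list names PC1 and those with no restriction at all, who by default may log on to any domain-joined computer that the local user rights permit. The computer name PC1 is taken from the question; nothing here modifies the directory.

```powershell
# Added example (not from the original thread): read-only LDAP query any domain
# account can run to see which users are scoped to, or unrestricted for, PC1.

$computer = 'PC1'   # the computer being audited (from the question)

# objectCategory=person + objectClass=user selects user accounts;
# the bitwise filter on userAccountControl excludes disabled accounts (bit 2).
$searcher = [adsisearcher]'(&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'
$searcher.PageSize = 1000   # paged results, needed for large domains
[void]$searcher.PropertiesToLoad.AddRange([string[]]@('sAMAccountName', 'userWorkstations'))

$scopedToPc   = New-Object System.Collections.Generic.List[string]
$unrestricted = New-Object System.Collections.Generic.List[string]

foreach ($result in $searcher.FindAll()) {
    $sam = [string]$result.Properties['samaccountname'][0]
    # userWorkstations is a comma-separated list of NetBIOS names; absent means no restriction.
    $ws = if ($result.Properties['userworkstations'].Count -gt 0) {
        [string]$result.Properties['userworkstations'][0]
    } else { '' }

    if ([string]::IsNullOrWhiteSpace($ws)) {
        $unrestricted.Add($sam)
    } elseif ((($ws -split ',') | ForEach-Object { $_.Trim() }) -contains $computer) {
        $scopedToPc.Add($sam)   # -contains is case-insensitive in PowerShell
    }
}

Write-Output "Enabled users whose Log On To list includes ${computer}: $($scopedToPc.Count)"
$scopedToPc | Sort-Object | ForEach-Object { Write-Output "  $_" }
Write-Output "Enabled users with no Log On To restriction: $($unrestricted.Count)"
$unrestricted | Sort-Object | ForEach-Object { Write-Output "  $_" }
```

    The result answers the AD side of the question only: an account in the second list is allowed by the directory to log on to PC1, but whether it actually can is then decided by the user rights and local groups configured on PC1 itself.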
