How to restrict use of a computer to one domain user only
This article describes how to restrict use of a computer to one domain user only.
Original KB number: 555317
This article was written by Yuval Sinay, Microsoft MVP.
Symptoms
When you create trust relationships from one domain (or forest) to another, users gain the option to sign in to domains other than their home domain (the domain that hosts their accounts).
Cause
Trust relationships from one domain to another, or from one forest to another, enable users to log on to domains other than their home domain (the domain that hosts their accounts). The "Authenticated Users" group on each computer allows users from a trusted domain to be authenticated and to log on to that computer.
Resolution
Option A: Domain-Wide Policy
By using Group Policy in a Windows 2000/2003 domain, you can prevent users from signing in to domains other than their home domain.
In the target domain, create a new domain-wide GPO and assign the "Deny log on locally" user right to the source domain user accounts.
Note
Some services (like backup software services) may be affected by this policy and stop functioning. To avoid such problems, apply this policy together with the GPO security filtering feature so that it reaches only the intended accounts.
(Screenshot: Deny log on locally)
(Screenshot: Filter using security groups)
Run Gpupdate /force on the domain controller.
Option B: Remove "NT AUTHORITY\Authenticated Users" from the local Users group
To remove the logon option on one or a few computers, follow the instructions below:
Right-click the "My Computer" icon on the desktop.
Choose "Manage".
Expand "Local Users and Groups".
Select "Groups".
On the right side of the screen, double-click the "Users" group.
Remove "NT AUTHORITY\Authenticated Users" from the list.
Add the required users and/or groups to the "Users" local group.
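The same change as a script, added here as an example (not part of the original article): it removes "NT AUTHORITY\Authenticated Users" from the local Users group and adds one allowed domain account, using the built-in Microsoft.PowerShell.LocalAccounts cmdlets (Windows 10 / Server 2016 and later). The account name CONTOSO\alice is a placeholder, and without -Apply the script only reports the current membership.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the KB article. Implements Option B:
# replace the broad "Authenticated Users" membership of the local Users
# group with one explicitly allowed account.
param(
    [Parameter(Mandatory)] [string] $AllowedAccount,   # e.g. 'CONTOSO\alice' (placeholder)
    [switch] $Apply                                     # without -Apply: report only
)

$Group = 'Users'
$Broad = 'NT AUTHORITY\Authenticated Users'

function Get-UsersGroupReport {
    # Current members of the local Users group as "DOMAIN\Name" strings.
    Get-LocalGroupMember -Group $Group | ForEach-Object { $_.Name }
}

# 1. Preflight: make sure the allowed account resolves (the trust must work)
#    before the broad group is removed, so the computer is never left with
#    no interactive users at all.
try {
    $null = (New-Object System.Security.Principal.NTAccount($AllowedAccount)).Translate(
                [System.Security.Principal.SecurityIdentifier])
} catch {
    throw "Cannot resolve '$AllowedAccount' (check the name and the trust): $_"
}

Write-Host 'Before:'; Get-UsersGroupReport | ForEach-Object { "  $_" }

if (-not $Apply) {
    Write-Host 'Dry run. Re-run with -Apply to change the group membership.'
    return
}

# 2. Add the allowed account first, then remove the broad group.
if (-not (Get-UsersGroupReport | Where-Object { $_ -eq $AllowedAccount })) {
    Add-LocalGroupMember -Group $Group -Member $AllowedAccount
}
if (Get-UsersGroupReport | Where-Object { $_ -eq $Broad }) {
    Remove-LocalGroupMember -Group $Group -Member $Broad
}

# 3. Verify. Any other broad principal still listed (for example the home
#    domain's "Domain Users", which is added to the local Users group when
#    the computer joins the domain) still grants logon, so review the rest.
Write-Host 'After:'; Get-UsersGroupReport | ForEach-Object { "  $_" }
```

Members of the local Administrators group are unaffected by this change, because they hold the "Allow log on locally" right through their own group.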
Option C: Configure the "Deny log on locally" user right on the local computer(s)
To remove the logon option on one or a few computers, follow the instructions below:
Go to "Start" -> "Run".
Type "Gpedit.msc".
Assign the "Deny log on locally" user right to the source domain user accounts.
Note
Some services (like backup software services) may be affected by this policy and stop functioning.
(Screenshot: Deny log on locally)
Run Gpupdate /force on the local computer.
Option D: Use Selective Authentication with a forest trust
For details, see Creating Forest Trusts.
More information
Community Solutions Content Disclaimer
Microsoft corporation and/or its respective suppliers make no representations about the suitability, reliability, or accuracy of the information and related graphics contained herein. All such information and related graphics are provided "as is" without warranty of any kind. Microsoft and/or its respective suppliers hereby disclaim all warranties and conditions with regard to this information and related graphics, including all implied warranties and conditions of merchantability, fitness for a particular purpose, workmanlike effort, title and non-infringement. You specifically agree that in no event shall Microsoft and/or its suppliers be liable for any direct, indirect, punitive, incidental, special, consequential damages or any damages whatsoever including, without limitation, damages for loss of use, data or profits, arising out of or in any way connected with the use of or inability to use the information and related graphics contained herein, whether based on contract, tort, negligence, strict liability or otherwise, even if Microsoft or any of its suppliers has been advised of the possibility of damages.