How To: Restrict Machine Logon & Network Access to Members of an Active Directory Group

If you want to restrict machine logon and network access to members of an Active Directory group, you can do so using the following procedure:

  1. Create a group which contains the IDs for the users who will be allowed access to the PCs in question
  2. If necessary, create an organisational unit which contains the PCs that are to be restricted.
  3. Create a new group policy on the OU
  4. Expand Computer configuration…Windows Settings…Security Settings…Local Policies…User Rights Assignment
  5. Double click Access This Computer From the Network and click on Add – add the newly created user group
  6. Double click Logon Locally and click on Add – add the user group created at Step 1. Make sure you include the builtin Administrators group with this setting or you could lock yourself out of the machine!
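
To confirm the result of steps 5 and 6 on a target PC, the following added example (not part of the original post) parses a `secedit /export /areas USER_RIGHTS` dump and warns if BUILTIN\Administrators is missing from the local logon right. `SeNetworkLogonRight` and `SeInteractiveLogonRight` are the constants Windows uses for these two settings; the sample input and its S-1-5-21 SID are constructed, and the sample deliberately omits Administrators to show the lock-out warning.

```powershell
# Added example: audit the two user rights set in steps 5 and 6.
# Real input (elevated prompt): secedit /export /cfg C:\Temp\rights.inf /areas USER_RIGHTS
#                               $lines = Get-Content C:\Temp\rights.inf
# Constructed sample below; the S-1-5-21-... SID is a made-up placeholder
# standing in for the group created in step 1.
$lines = @'
[Privilege Rights]
SeNetworkLogonRight = *S-1-5-21-1111111111-2222222222-3333333333-1105
SeInteractiveLogonRight = *S-1-5-21-1111111111-2222222222-3333333333-1105
'@ -split "`r?`n"

$AdminsSid = 'S-1-5-32-544'   # well-known SID of BUILTIN\Administrators

function Get-UserRight {
    param([string[]]$InfLines, [string]$Right)
    # Export lines look like: SeXxxRight = *SID,*SID,AccountName
    $line = $InfLines | Where-Object { $_ -match "^\s*$Right\s*=" } | Select-Object -First 1
    if (-not $line) { return @() }
    return @(($line -split '=', 2)[1] -split ',' |
        ForEach-Object { $_.Trim().TrimStart('*') } |
        Where-Object { $_ })
}

function Resolve-Principal {
    param([string]$Value)
    if ($Value -notmatch '^S-1-') { return $Value }   # already an account name
    try {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($Value)
        return $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch { return $Value }   # not resolvable from this machine: keep the SID
}

$rights = [ordered]@{
    SeNetworkLogonRight     = 'Access this computer from the network'
    SeInteractiveLogonRight = 'Allow log on locally'
}
foreach ($r in $rights.Keys) {
    $members = Get-UserRight -InfLines $lines -Right $r
    "{0} ({1}):" -f $rights[$r], $r
    $members | ForEach-Object { "    " + (Resolve-Principal $_) }
}

$local = Get-UserRight -InfLines $lines -Right 'SeInteractiveLogonRight'
if ($local -notcontains $AdminsSid) {
    Write-Warning "BUILTIN\Administrators is missing from Allow log on locally (step 6 lock-out risk)."
}
```

Run it against an export taken after `gpupdate` has applied the new policy, so the dump reflects the GPO rather than the previous local settings.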


This entry was posted in ActiveDirectory by James.

About James

I am an Infrastructure Systems Administrator in the Infrastructure Systems Group (ISG) within ISS. We are responsible for a number of the core services which support the IT Infrastructure of the University including Active Directory, Exchange, DNS, Central Filestore, VMware and SQL. I hold a number of current Microsoft Certifications and am also a Symantec Certified Specialist (Netbackup).