At IU, in Active Directory, how can I prevent users from logging into a computer?

Note: The following information is intended for registered local support providers (LSPs) at Indiana University. If you are an LSP and have questions regarding the information in this document, contact LSP Services at lsps@iu.edu ; otherwise, contact your campus Support Center.

To prevent groups of users from logging into a Windows 2000 computer in the IU Active Directory, you need to either create a new group policy or edit an existing one. For more information about group policies, see In Microsoft Active Directory, what are group policies?

To create a new group policy, or edit an existing one:

Click Start and select Programs. Click Administrative Tools, and then choose Active Directory Users and Computers.
Right-click the domain or organizational unit (OU) to which you wish to apply the group policy, and then click Properties. In the resulting dialog box, click the Group Policy tab.
Click New to create a new Group Policy Object (GPO), and then click Edit. To edit an existing GPO, highlight it and click Edit.
In the Group Policy snap-in, under "Computer Configuration", click Windows Settings, then Security Settings, then Local Policies, and then User Rights Assignment.
In the "Details" pane, you can specify the users to whom you want to give or deny access:
- To specify the users to whom you want to give access, double-click the Log on locally policy.
- To specify the users to whom you want to deny access, double-click the Deny logon locally policy.
Check the box next to Define these policy settings in the template: . Click the Add... button.
Enter one username or group name at a time (e.g., ADS\BL-SPEA-ALL or IUB\Domain Users) in the User and group names box.

Also see:

This is document akcm in domain all.
Last modified on December 20, 2007.

Please tell us, did you find the answer to your question?