How to restrict use of a computer to one domain user only

This article describes how to restrict use of a computer to one domain user only.

Original product version:   Windows Server 2012 R2, Windows 10 - all editions
Original KB number:   555317

This article was written by Yuval Sinay, Microsoft MVP.

Symptoms

When you create trust connection/s from one domain(forest) to another, users have the option to sign in different domain/s than their home domain (The domain that host their account/s).

Cause

Trust connection/s from one domain to another or/and one forest to another enable user to log in different domain/s than their home domain (The domain that host their account/s). The "Authenticated Users" group on each computer allow users from trusted domain to be authenticated and logon to computer.

Resolution

Option A: Domain-Wide Policy

By using group policy capabilities in Windows 2000/2003 Domain, you can prevent from user/s to sign in to different domain/s than their home domain.

  1. Create a new domain-wide GPO and enable "Deny logon locally" user right to the source domain user account/sIn the target domain.

    Note

    Some services (Like Backup software services) may effect by this policy, and wouldn't function. To eliminate future problems, apply this policy and use GPO security filter feather.

    Deny logon locally

    Filter using security groups

  2. Run on Gpupdate /force on the domain controller.

Option B: Remove "NT AUTHORITY\Authenticated Users" uses from the list of users group

To eliminate the option of logging in one or few computers, follow the instructions bellow:

  1. Right-click "My Computer" icon on the desktop.

  2. Choose on "Manage".

  3. Extract "Local Users and Groups".

  4. Select on "Groups".

  5. On the right side of the screen, double-click "Users" group.

  6. Remove: "NT AUTHORITY\Authenticated Users" from the list.

  7. Add the require user/s or and group/s to the "Users" local group.

Option C: Configure "Deny logon locally" user right on the local computer/s

To eliminate the option of logging on one or few computers, follow the instructions bellow:

  1. Go to "Start" -> "Run".

  2. Write "Gpedit.msc"

  3. Enable "Deny logon locally" user right to the source domain user accounts.

    Note

    Some services (Like Backup software services) may effect by this policy, and wouldn't function.

    Deny logon locally

  4. Run Gpupdate /force on the local computer.

Option D: Use Selective Authentication when use Forest Trust

Creating Forest Trusts

More information

Community Solutions Content Disclaimer

MICROSOFT CORPORATION AND/OR ITS RESPECTIVE SUPPLIERS MAKE NO REPRESENTATIONS ABOUT THE SUITABILITY, RELIABILITY, OR ACCURACY OF THE INFORMATION AND RELATED GRAPHICS CONTAINED HEREIN. ALL SUCH INFORMATION AND RELATED GRAPHICS ARE PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT AND/OR ITS RESPECTIVE SUPPLIERS HEREBY DISCLAIM ALL WARRANTIES AND CONDITIONS WITH REGARD TO THIS INFORMATION AND RELATED GRAPHICS, INCLUDING ALL IMPLIED WARRANTIES AND CONDITIONS OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, WORKMANLIKE EFFORT, TITLE AND NON-INFRINGEMENT. YOU SPECIFICALLY AGREE THAT IN NO EVENT SHALL MICROSOFT AND/OR ITS SUPPLIERS BE LIABLE FOR ANY DIRECT, INDIRECT, PUNITIVE, INCIDENTAL, SPECIAL, CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF USE, DATA OR PROFITS, ARISING OUT OF OR IN ANY WAY CONNECTED WITH THE USE OF OR INABILITY TO USE THE INFORMATION AND RELATED GRAPHICS CONTAINED HEREIN, WHETHER BASED ON CONTRACT, TORT, NEGLIGENCE, STRICT LIABILITY OR OTHERWISE, EVEN IF MICROSOFT OR ANY OF ITS SUPPLIERS HAS BEEN ADVISED OF THE POSSIBILITY OF DAMAGES.