Home / Solution / Workstation Logon Restrictions for AD Users (Log On To)

Workstation Logon Restrictions for AD Users (Log On To)

By default, if you , they’re mechanically added to the Domain Users group. In its flip, the Domain Users group is by default added to the native Users group on a website workstation when it’s joined to the AD area. This implies that any area consumer can go surfing to any laptop within the area community. In this text we’ll contemplate the principle methods of easy methods to limit consumer logon to the area computer systems.

Restricting User Account to Logon Only to the Specific AD Computers

In small domains you’ll be able to limit the consumer logon to area computer systems within the properties of every consumer account within the Active Directory. For instance, you need to enable a particular consumer to go browsing to his computer systems solely. To do it:

  1. Run the ADUC snap-in (Active Directory Users and Computers) by working dsa.msc command;
  2. Using the , discover the consumer account you need to limit entry and open its properties;
  3. Go to the Account tab and click on on the “Log On To” button. ad user account properties
  4. As you’ll be able to see, the consumer is allowed to go browsing to all area computer systems (The consumer can go surfing to: All computer systems). To enable a consumer to entry solely the precise computer systems, choose The following computer systems possibility and add the names of the computer systems a consumer can go surfing to;ad user property - logon workstations option

    Note. You should specify the complete NetBIOS or DNS laptop identify (don’t use wildcards). The worth just isn’t case-sensitive.

  5. You can add as much as 64 computer systems to this listing. If you attempt to add a 65th laptop, the next error message seems: This property is restricted to 64 values. You should take away a few of the present values earlier than you'll be able to add new ones; LogonWorkstations This property is limited to 64 values
  6. Save the modifications. Now the consumer is limit to logon solely to the required AD computer systems.

How to Modify the LogonWorkstations Attribute in PowerShell?

It is sort of tiresome to limit consumer logon to area computer systems manually. You can automate this motion with PowerShell. The listing of computer systems a consumer is allowed to go browsing to is saved within the AD consumer attribute “LogonWorkstations”. For instance, our activity is to permit a particular consumer to go browsing solely to the computer systems, which names are listed within the textual content file computer systems.csv.

The script can appear like this:

Import-Module ActiveDirectory
$ADusername = ‘asmith’
$complist = Import-Csv -Path "C:PScomputers.csv" | ForEvery-Object
$comparray = $complist -join ","
Set-ADUser -Identity $ADusername -LogonWorkstations $comparray
Clear-Variable comparray

powershell script to restrict ad logonworkstations

Using the cmdlet, you’ll be able to show the listing of computer systems a consumer is allowed to go browsing to.

Get-ADUser $ADusername -Properties LogonWorkstations | Format-List Name, LogonWorkstations

Or you’ll be able to view the listing of computer systems within the ADUC console.

active directory logon workstations restriction

To add a brand new laptop identify to the listing, use this command:

$Wks = (Get-ADUser asmith-Properties LogonWorkstations).LogonWorkstations
$Wks += ",man-b2-wks2"
Set-ADUser asmith -LogonWorkstations $Wks

How to Restrict Users to Logon to the AD Workstation Using GPO?

In giant domains, it’s not possible to make use of LogonWorkstations consumer attribute to limit consumer entry to computer systems as a consequence of some limitations and the shortage of flexibility. Usually to forestall customers from logging on to some computer systems, group insurance policies are used.

You can limit the listing of customers within the native group Users utilizing the Restricted Groups coverage (Windows Settings -> Security Settings), however we’ll contemplate another choice.

There are two group insurance policies situated within the GPO part Computer Configuration -> Policies -> Security Settings -> Local Policies -> User Rights Assignment:

  • Deny go surfing domestically – permits to limit native logon to workstation for particular customers or teams;
  • Allow go surfing domestically – accommodates the listing of customers who’re allowed to go browsing to a pc domestically.

For instance, to forestall customers of a specific group from logging on to computer systems within the sure Active Directory OU, you’ll be able to create a separate consumer group, add it to the Deny go surfing domestically coverage and hyperlink the coverage to the OU containing the computer systems you need to limit logon to.

Deny log on locally policy

gpo to deny local logon workstation

In giant AD domains you should use a mix of those insurance policies. For instance, you need to limit customers from logging on to computer systems in different OUs.  To do it, create a safety group in every OU and add all OU customers to it.

Tip. Users of the precise OU might be mechanically added to your safety group utilizing the Get-ADUser and PowerShell cmdlets with the assistance of the next script:

Import-module ActiveDirectory
$rootOU = “OU=Users,OU=UK,DC=corp,DC=woshub,DC=com”
$group = “corplon-users”
Get-ADUser -SearchBase $rootOu -Filter * | ForEvery-Object

Then allow the “Allow go surfing domestically” coverage, add this group to it (in addition to totally different administrator teams: Domain Admins, workstation admins, and many others.) and assign the coverage to the OU with the computer systems. Thus, you’ll enable solely the precise OU customers to go browsing to the computer systems.

If a consumer from totally different OU (who just isn’t allowed to go browsing domestically) tries to go browsing laptop, a window with the next message will seem:

You can’t go surfing as a result of the logon technique you might be utilizing just isn’t allowed on this laptop.  Please see your community administrator for extra data.


The sign-in technique you are attempting to make use of isn’t allowed. For extra data, contact your community administrator.

The sign-in method you are trying to use isn’t allowed. For more info, contact your network administrator

Here are some essential notes relating to logon restriction insurance policies:

  • Don’t use these insurance policies to limit entry to the servers or AD area controllers;
  • Don’t allow these insurance policies by way of built-in GPOs: Default Domain Policy or Default Domain Controllers Policy;
  • A proscribing coverage has greater precedence;
  • Don’t overlook about service accounts (together with ), which can be utilized to run companies on computer systems (servers);
  • Don’t use the insurance policies that limit native entry to your complete area. Link them solely to the precise OUs.

Check Also

PowerShell: Generating QR Code for Wi-Fi Network in Windows 10

You can use PowerShell to generate QR codes to share with your mates or colleagues. …

Leave a Reply

Your email address will not be published. Required fields are marked *