Active Directory: Workstation Logon Restrictions (Log On To)

[Screenshot: Account - Log On To (setting)]

I think the “Log On To” setting within the Account tab of an Active Directory user could easily be overlooked. As simple as this setting is, it’s very easy to forget about it in favor of something more elaborate when attempting to restrict user access to specific computers.

Let’s say you want to allow a vendor access to a few servers in your Active Directory domain. Let’s assume you’ve given them some kind of secure gateway access to your network (VPN, a separate vendor Citrix XenApp farm and domain, etc.). How do you restrict them to only the servers they need access to? An old school method would be to create a local Windows account on each server to bypass Active Directory. That way they only have the access they need on each server and have no access to your domain. But an easier method, which only requires one Active Directory user account, is to use the “Log On To” setting.

Log On To — Click to specify workstation logon restrictions that will allow this user to log on only to specified computers in the domain. By default, a user is able to log on at any workstation computer that is joined to the domain. Note that this control does not affect the user’s ability to log on locally to a computer using a local computer account instead of a domain account.

Simply change the “Log On To” setting from the default “All computers” to “The following computers” and then specify the computer name(s). Now the vendor can only log on to those specified computers.

[Screenshot: Account - Log On To (setting) - The following computers]
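The same change can be scripted and, more usefully, audited. The following is an added example, not code from the original post; it assumes the RSAT ActiveDirectory module on a domain-joined admin session, and the account name svc-vendor, the servers APP01/APP02 and the OU path are hypothetical placeholders.

```powershell
# Added example (not from the original post). Assumes the RSAT ActiveDirectory module,
# a domain-joined admin session, and hypothetical names: account 'svc-vendor', servers
# APP01/APP02, and OU 'OU=Vendors,DC=corp,DC=example'.
Import-Module ActiveDirectory

function ConvertTo-LogonWorkstations {
    # The underlying attribute is one comma-separated string of NetBIOS names
    # (no FQDNs, no spaces). Strip domain suffixes and duplicates before writing it.
    param([Parameter(Mandatory)][string[]]$ComputerName)
    $names = $ComputerName |
        ForEach-Object { ($_ -split '\.')[0].Trim().ToUpperInvariant() } |
        Where-Object { $_ } |
        Sort-Object -Unique
    return ($names -join ',')
}

function Set-VendorLogonRestriction {
    param(
        [Parameter(Mandatory)][string]$Identity,
        [Parameter(Mandatory)][string[]]$ComputerName
    )
    # Only accept names that match an existing computer object, so a typo does not
    # silently leave the allow-list short.
    $known = foreach ($n in $ComputerName) {
        $short = ($n -split '\.')[0]
        if (Get-ADComputer -Filter "Name -eq '$short'") { $n }
        else { Write-Warning "No computer object named $n; skipping" }
    }
    $value = ConvertTo-LogonWorkstations -ComputerName $known
    Set-ADUser -Identity $Identity -LogonWorkstations $value
    # Read the attribute back for the change record.
    (Get-ADUser -Identity $Identity -Properties LogonWorkstations).LogonWorkstations
}

function Get-UnrestrictedVendorAccounts {
    # Review check: every enabled account under the vendor OU whose attribute is
    # still empty is on the default 'All computers' and should be looked at.
    param([Parameter(Mandatory)][string]$SearchBase)
    Get-ADUser -SearchBase $SearchBase -Filter 'Enabled -eq $true' -Properties LogonWorkstations |
        Where-Object { -not $_.LogonWorkstations } |
        Select-Object SamAccountName, DistinguishedName
}

# Usage (hypothetical names):
Set-VendorLogonRestriction -Identity 'svc-vendor' -ComputerName 'APP01.corp.example', 'APP02'
Get-UnrestrictedVendorAccounts -SearchBase 'OU=Vendors,DC=corp,DC=example'
```

A logon attempt from a computer outside the list is refused and recorded as a failed logon (event ID 4625) with sub-status 0xC0000070, “user not allowed to log on at this computer”, which is worth alerting on for vendor accounts.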

Easy. Right?
