I want to limit user logins. Currently when you are at the login screen the user has the ability to select multiple domains (1 of 5 domains) on our network. I want to enforce a domain wide group policy that restricts it so that only users of a particular domain (C_DOMAIN) have access to its domain PCs (workstation@c-doamin). Our DC are running Windows 2003 Server and all of our workstations are running Windows XP Pro. Example: login drop down menu shows A_DOMAIN B_DOMAIN C_DOMAIN D_DOMAIN E_DOMAIN I want it so only user@CDOMAIN has the ability to login to C_DOMAIN PC. Can not do anything with Trust we share to many data base. We are not trying to prevent accessing shares on C_DOMAIN that have they have permissions too, nor do we want to block C_DOMAIN users from accessing shares on the other 4 domains if they have permissions too. We are trying to prevent them from using C_DOMAINs workstations. Each domain is a different agency. The situation is the users in Domain A and D do not have Internet access on the workstations in their domain. Thus they login to C_DOMAIN PC once in a while, so they can surf the web. Plus we just do not want them being able to login on C_DOMAIN PCs. I was hoping to find a group policy that would solve this problem. Thanks for your assistance, Greg

What you write implies the same user account exists in all domains. Why? If only c_domain users existed in c_domain then only those users could logon to that domain. Someone from d_domain would logon to d_domain and then gain resource access of c_domain via transitive trust. Kind of a strange AD setup. Why so main domains?

Ditto what wanderer said. However, why not just add the "allowed" computers into each user's profile? Thus, preventing them from logging into ones they shouldn't be allowed to access. EEOC

Each domain is a different agency and we share a number of data bases. What we do not is userJohnDoe@A_DOMAIN being able to login to his domain using Workstation22@C_DOMAIN. Each domain has its own gateway. So when userJohnDoe@A_DOMAIN login on Workstation22@C_DOMAIN he has Internet access where if he logins in Workstation##@A_DOMAIN he would not. Also since he works for a different agency he does not need to be on a PC belonging to C_DOMAIN.

Someone came up with a solution on a different forum here is what they suggested. Group Policy - Computer Configuration - Windows Settings - Security Settings - Local Policy - User Rights Assignment - Allow Logon Locally Grant the "Allow Logon Locally" to the Groups that you want to have the right. Assign the Policy to the Container that holds the Machines in your Domain. They also suggested adding the logon legal notice to those same PCs.

As I said, restrict the logins by entering the computer names in the user's profiles. EEOC