In Active Directory, I want to prevent a user from logging into the one computer, a client running XP Pro. I tried the local policy to do that, but when I restart the computer, the user disappears and can STILL log on again. I think its something dealing with my Active Directory set up. How do I simply deny that user from logging into that ONE computer using active directory? In user properties, there is a setting which allow log on, but I want to deny log on, not allow log on to that computer. Help would be appreciated. Thanks. OtheHill: Computing.net Experts. Example: The OtheHills refuse to answer my question when I asked them how to simply remove the Windows NT/2K/XP Password.

In active directory users and computers double click on this user. go to the account tab. Note the "log on to.." button. You have to list all computers but the one you don't want them logging onto. Example of Oxymoron: Person who is pro life and anti sex education. Education is key to prevention. Prevent conception you prevent abortion. Abstinence training clearly isn't working.

So I would have to spend like several hours typing the thousand computers in my network just to prevent that one computer from logging on? Isn't there an easier way? OtheHill: Computing.net Experts. Example: The OtheHills refuse to answer my question when I asked them how to simply remove the Windows NT/2K/XP Password.

Seems to be more of a childish task rather than a business requirement. Why not tell the person to not log on? "Best Practices", Event viewer, host file, perfmon, antivirus, anti-spyware, Live CD's, backups, are in my top 10

I wasn't trying to be childish and asking the user not to use that computer totally is defeating the purpose here. In Active Directory, I created a seperate Organizational Unit for just that one computer. Then I created a Group Policy Object for Local Policy to deny login local for that one user. I wish there was a better way of doing this, will see if works when that user tries to log on again. OtheHill: Computing.net Experts. Example: The OtheHills refuse to answer my question when I asked them how to simply remove the Windows NT/2K/XP Password.

A deny in AD is trump to all. Be sure you don't deny a group that do need access. "Best Practices", Event viewer, host file, perfmon, antivirus, anti-spyware, Live CD's, backups, are in my top 10

Thanks for the advice, Jefro. I don't need to deny the person anymore, so I restored it back. OtheHill: Computing.net Experts. Example: The OtheHills refuse to answer my question when I asked them how to simply remove the Windows NT/2K/XP Password.