Log On To Local Machines, With Local Accounts

Hello All Mates

I want to know , how can i disable the choice of log on to this computer
and just leave log on to the domain in all client computers

Best regards

Find more posts tagged with

SAVE $250 on Your Boot Camp — Use Code "EXAM26"

Exclusively for TechExams members for Infosec Boot Camps starting before April 30, 2026

View Boot Camps

Comments

benjiga69

You can probably use the Local Machine's GPO to deny local logons from a specific group like "users". I dont know if that will remove the option but I think it will keep them from logging on locally. :P

shrety

Thanks for reply , but i think this is not easy to go to every machine and configure the appropriate GPO

eurotrash

um create a GPO for the OU that contains the relevant computer objects.

shrety

_omni_ wrote:

um create a GPO for the OU that contains the relevant computer objects.

Unfortunately the GPO Just Deny log on to the machine, which means that it deny log on to the entire machine from the keyboard not only with local machine accounts

TeKniques

You should be able to apply the Deny Logon Locally GPO.

Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignments -> Deny logon locally.

woodworm

Not sure I understand why you would want to do this?

anyway,

If a domain user logs on to the PC, then the domain will be the default choice next time the PC boots up

and

If you don't want people logging on locally, remove any local users, and change the password on the local admin? (they shouldn't know it anyway).

sprkymrk

The suggestions to apply a Group Policy denying logon locally will work. However, the problem is that you would have to deny each and every "local" account someone might create. If you deny to a group, such as "users", this will also preclude domain users from logging on locally.

I would recommend using the "Allow log on locally" setting, and set it to allow "Domain Users" (which will include all user accounts as long as they are in the domain, ie Domain Admins, Domain\joeblow, etc.) and for safety reasons also allow the local built-in "Administrator" account this right as well, just in case you encounter a network problem and can't log on to the domain (as in a bad NIC or something) you will need a local admin account log in to fix the problem.

shrety

Thanks for you all, i get the point