I have an OU which contains students accounts. How can I prevent them to login on staff computers as bulk? Under user properties Log On to option is not usefull because one by one it takes ages. Environment: Win 2003 Ent domain and xp clients Thanks

One option would be to use the "Deny logon locally" user rights assignment setting and apply this via Group Policy to the staff computers.http://technet.microsoft.com/en-us/library/cc957048.aspxTony

Well, there are various ways to resolve this issue. Here is an easy way if you OU structure allows for it.If all of your "staff" computers are organized together AND your students all belong to at least one group in common such as "Students", you can always create a group policy object (GPO), link it to the OU containing the staff computers. In that GPO go to the following section:Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights AssignmentUnder "Deny Log on Locally" add the group that the students belong to. Once the policy applies to the computers, students will no longer be able to log into those computers.Reference:http://msdn.microsoft.com/en-us/library/ms813877.aspx Visit my blog: anITKB.com, an IT Knowledge Base.

Hi,Make sure You do a thorough check on whom you want to block, i have seen issues where in administrators add "all users " for deny logon locally and none of the users would be able to login .Then the only way is to edit the gpt template and remove "deny logon locally"I thought of presenting this as a check list :)