Harding, I think you should configure Logonon only to this computer in his account and leave that blanc. Not sure if that would work but that is the quick solution that pops up in my mind. regards, Hans Straat www.datacrash.net Subject: [gptalk] Prohibit 'Log On To' via GPO?Date: Fri, 8 Feb 2008 17:40:38 -0500From: dharding@xxxxxxxxxxxxxxxxxx: gptalk@xxxxxxxxxxxxx; ActiveDir@xxxxxxxxxxxxxxxxxx Is it possible to prohibit a group of users from logging on to any computer in a domain and only have the ability to authenticate? We need this for our VPN consultants. Devon Harding Windows Systems Engineer Southern Wine & Spirits - BSG 954-602-2469 This message is the property of Southern Wine & Spirits or its affiliates. It is intended only for the use of the individual or entity to which it is addressed and may contain information that is non-public, proprietary, privileged, confidential, and exempt from disclosure under applicable law or may constitute as attorney work product. If you are not the intended recipient, you are hereby notified that any use, dissemination, distribution, or copying of this communication is strictly prohibited. If you have received this communication in error, notify us immediately by telephone and (i) destroy this message if a facsimile or (ii) delete this message immediately if this is an electronic communication. Thank you.