– At the DC level (denies authentication): in ADUC, open the user object's properties, click "Log On To" and add the list of computers. This works for Windows and also for Unix-based computers that authenticate against a Domain Controller (Centrify, Vintela, Kerberos v5, Samba).

– By GPO (client side):

Security Settings, Local Policies, User Rights Assignment: "Deny log on locally" and "Deny access to this computer from the network". This applies only to Windows-based computers.

Note: this policy is not understood by the Centrify agent on a Unix box!
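The "Log On To" list from the DC-level option is stored in the user's userWorkstations attribute, so it can be set and audited from PowerShell. This is an added example, not part of the original note; it assumes the ActiveDirectory (RSAT) module, and the function names, account name and computer names are constructed placeholders.

```powershell
# Added example. Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

function Set-LogonWorkstationRestriction {
    param(
        [Parameter(Mandatory)] [string]   $Identity,
        [Parameter(Mandatory)] [string[]] $Computers
    )
    # Check each name against AD first: a misspelled entry is stored without
    # error and the user is then refused on the host you meant to allow.
    foreach ($name in $Computers) {
        if (-not (Get-ADComputer -Filter "Name -eq '$name'")) {
            throw "No computer object named '$name' in the directory."
        }
    }
    # "Log On To" is a comma-separated list held in userWorkstations.
    Set-ADUser -Identity $Identity -LogonWorkstations ($Computers -join ',')
}

function Get-RestrictedUser {
    # Every account that currently carries a "Log On To" restriction.
    Get-ADUser -LDAPFilter '(userWorkstations=*)' -Properties LogonWorkstations |
        Select-Object SamAccountName,
            @{ Name = 'AllowedComputers'; Expression = { $_.LogonWorkstations -split ',' } }
}

function Get-UnrestrictedGroupMember {
    param([Parameter(Mandatory)] [string] $Group)
    # Members of a sensitive group that may still authenticate from any computer.
    Get-ADGroupMember -Identity $Group -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        Get-ADUser -Properties LogonWorkstations |
        Where-Object { -not $_.LogonWorkstations } |
        Select-Object SamAccountName, DistinguishedName
}

# Constructed sample values: replace with real account and computer names.
Set-LogonWorkstationRestriction -Identity 'svc-backup' -Computers 'SRV-BKP01', 'UNIX-DB01'
Get-RestrictedUser | Format-Table -AutoSize
Get-UnrestrictedGroupMember -Group 'Domain Admins' | Format-Table -AutoSize
```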

To restrict access to a Unix-based computer:

– Use Centrify DirectAuthorize 2011 / 2012

Note: Centrify 2012 brings more flexibility in terms of rights and roles; DZ applies roles and rights at the PAM level.

– Normal way on a Unix-based computer: PAM files, /etc files