How to restrict use of computers to several domain user only
Hi,
I've an Active Directory on a Win2003 server. There are around 100 employees in my company. I have separate OUs for each Department, and in each Department OU I've separate OUs for computers, groups and users.
All my domain computers are Windows XP with Service pack 2.
I've a problem.
Usually several users log into a single PC in our company, and those same PCs have valuable data which should not be accessed by other users. So other domain users should not log into that PC other than the allowed users (only in some departments). Some departments have several PCs in such a manner.
So the problem is that I can't add another OU for such a PC and give a GPO restricting "deny logon locally", because I have to create 30 OUs if there are 30 PCs in my domain that several users log in to.
So is there a way that I can restrict a specific domain computer to be logged in to by only allowed domain users? There are several PCs in each department, and I need to apply the same rule to them accordingly.
It's like for a PC in finance department...
(Finance-PC-A) , only allowed users can login (USER-A,USER-B)
(Finance-PC-B) , only allowed users can login (USER-C,USER-D)
Thanx & Regards,
Tharaka
Re: How to restrict use of computers to several domain user only
You need to manage the user rights for logon locally and deny logon locally to do what you want. Keep in mind, however, that deny logon locally trumps logon locally, so be careful and try to manage those user rights. For instance, you could create a global group, add users to that global group that you do not want to log on to a computer, and then add that group to the deny logon locally user right for that computer. That can also be applied at the OU level for computer accounts that exist in the OU via a Group Policy linked to that OU.
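An added example, not part of either post: a small planner that turns the allow-list from the question into one deny group per PC, as the reply suggests, and prints the `dsadd` and `ntrights` (Windows Server 2003 Resource Kit) command lines for it. The domain name, OU paths, group prefix, and the USER-E and ADMIN-1 accounts are constructed, and it assumes each user's CN equals the account name.

```python
# Added example: plan per-PC "deny logon locally" groups from an allow-list.
# All names below (domain, OU paths, accounts, group prefix) are constructed.
DOMAIN = "EXAMPLE"                                   # assumed NetBIOS domain name
GROUP_OU = "OU=Groups,OU=Finance,DC=example,DC=com"  # assumed OU for the new groups
USER_OU = "OU=Users,OU=Finance,DC=example,DC=com"    # assumed OU holding the users

# Constructed population: every account that could otherwise log on locally.
ALL_USERS = {"USER-A", "USER-B", "USER-C", "USER-D", "USER-E", "ADMIN-1"}
# Accounts that must never land in a deny group, since deny overrides allow.
PROTECTED = {"ADMIN-1"}
# Allow-list taken from the question.
ALLOWED = {
    "Finance-PC-A": {"USER-A", "USER-B"},
    "Finance-PC-B": {"USER-C", "USER-D"},
}


def plan_deny_groups(allowed, all_users, protected):
    """Return {pc: (group_name, sorted list of members to deny)}."""
    plan = {}
    for pc, users in sorted(allowed.items()):
        unknown = users - all_users
        if unknown:
            # A typo in the allow-list would silently deny the real account.
            raise ValueError(f"{pc}: allowed users not in population: {sorted(unknown)}")
        # Everyone who is neither allowed on this PC nor protected gets denied.
        plan[pc] = (f"Deny-Logon-{pc}", sorted(all_users - users - protected))
    return plan


def commands(plan):
    """Emit dsadd (global security group) and ntrights (assign the deny right)."""
    out = []
    for pc, (group, members) in plan.items():
        if not members:
            continue  # nothing to deny on this PC, so no group is needed
        dns = " ".join(f'"CN={m},{USER_OU}"' for m in members)
        out.append(f'dsadd group "CN={group},{GROUP_OU}" -secgrp yes -scope g -members {dns}')
        out.append(f'ntrights +r SeDenyInteractiveLogonRight -u "{DOMAIN}\\{group}" -m \\\\{pc}')
    return out


if __name__ == "__main__":
    for line in commands(plan_deny_groups(ALLOWED, ALL_USERS, PROTECTED)):
        print(line)
```

The plan shows the cost of the deny approach: each group must list every account that is not allowed, so new accounts have to be added to the groups as they are created. `ntrights` writes the computer's local policy, which a domain GPO defining the same user right will replace.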