Windows NT's Domain User Manager allows the account administrator to restrict an account to a specific workstation. It works. Unfortunately there is an availability issue. When the PC fails, that user can not login. Additionally with admin access, one can change the workstation name.

If you have budget money, there is a 3rd party utility UserLock which will provide that functionality. You could try the do-it-yourself solution laid out below.

Novell's SYSCON gives netware admins the ability to control the number of workstations that a user can login to simultaneously. There is no builtin capability to duplicate this functionailty in NT but it can be accomplished using domain user's shared home directories and the Resource Kit utility logout.exe. Network shares can be restricted to the allowed number of simultaneous connections. Set allowed connections equal to 1. When an employee attempts to login to the second workstation (without logging out of the first), this share property prevents the second netuse from completing. Use a global logon script to check for the existance of the share to the user's home directory. If successful, transfer execution to the personalized login script in the user's shared home directory. If not successful, generate a message re: policy against simultaneous logins to multiple workstations and run then run logout.exe to terminate the login process for that user.

Covers NT4 & NT2000. 3Ps covered well: policies, permissions, profiles.