Restrict one user within a domain

We have one machine/user that needs to ONLY have access to One Server and One directory within that server, the other 8 servers are off access.  What is the best way to impliment this?  This user will have to VPN into out network for access to this server and folder, so he must still be a domain users (I think).
GlindacAsked:
Who is Participating?
 
Ev-Connect With a Mentor Commented:
How is your VPN currently setup?

Is it a;

- IPSEC VPN
- Windows ISA Server VPN

There two things that probably need to be done here.

First is to restrict a network segment (VPN) to only accessing one address (or range of addresses). Depending on how you have your VPN setup this will require you to add a rule to for your firewall or IPSEC tunnel to allow only access to hosts specified.

Secondly as mentioned above - Assigning access to a share to only 1 group, or a user. Taking Domain Users out of the users membership should work?

So there are two issues. Network layer security, the ability to connect to one or more hosts - and domain level security, restricting access to a share(s) based on users group membership.

Hope this has been some guidance, if anything.

Ev-
0
 
Yan_westCommented:
Easy, create a new group for this user, and give this group access to the desired directory. Remove all other access and group, even domain users..
0
 
GlindacAuthor Commented:
I did this and they still had access.  I removed them from domain users too.
0
The Firewall Audit Checklist

Preparing for a firewall audit today is almost impossible.
AlgoSec, together with some of the largest global organizations and auditors, has created a checklist to follow when preparing for your firewall audit. Simplify risk mitigation while staying compliant all of the time!

 
Yan_westCommented:
Hmm try going to ADUC, and go in the computer section. Right click the computer you want, properties.. Go to the security tab, add the user name, and click deny full access..

get back to me..
0
 
GlindacAuthor Commented:
Their computer or my servers individually?
0
 
Yan_westCommented:
on your domain controller..
0
 
GlindacAuthor Commented:
I know on the Domain controller...  On the list of the machines, I see the outbound machine (one to restrict) and I see the other machines but not the domain servers.  I added outbound to server4 (member server) and told it no access (unchecked) all the boxes, he could still get to the files on server4.
0
 
drtoto82Commented:
Well  , your user still has access to the other server because it is a member of other groups that has access permission to that other server.
To solve that problem , make a RESTRICTED group and add that user account to it and give that group that appropriate permission to that folder you want . then , on the security permission for the folder remove all the other groups, (especially the everyone group ) and add only this restriced group to the allowed ones.
You can also make an authentication certificate for that user and only allow access to that user (IPSEC allows the use of certificate authentication for VPN access.)
0
 
WerewolfTACommented:
Deny takes precedence over allow.  Specifically add that user (or if you anticipate needing to do this to more than one user, create a security group for this purpose; that way, you only have to set this up once and then just add users into the security group) to the volumes or folders under the Security (and/or Sharing, where applicable) tab that you want to keep him/her out of and check the deny boxes for what you want to keep them from doing.  This will keep them from doing those tasks whether it's reading, writing, or whatever even if they're part of a group that has allow rights to that same volume/folder.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.