[Okta Webinar] Learn how to a build a cloud-first strategyRegister Now

x
?
Solved

Restrict one user within a domain

Posted on 2004-08-24
9
Medium Priority
?
248 Views
Last Modified: 2010-04-11
We have one machine/user that needs to ONLY have access to One Server and One directory within that server, the other 8 servers are off access.  What is the best way to impliment this?  This user will have to VPN into out network for access to this server and folder, so he must still be a domain users (I think).
0
Comment
Question by:Glindac
9 Comments
 
LVL 15

Expert Comment

by:Yan_west
ID: 11886240
Easy, create a new group for this user, and give this group access to the desired directory. Remove all other access and group, even domain users..
0
 

Author Comment

by:Glindac
ID: 11886323
I did this and they still had access.  I removed them from domain users too.
0
 
LVL 15

Expert Comment

by:Yan_west
ID: 11886508
Hmm try going to ADUC, and go in the computer section. Right click the computer you want, properties.. Go to the security tab, add the user name, and click deny full access..

get back to me..
0
Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 

Author Comment

by:Glindac
ID: 11886557
Their computer or my servers individually?
0
 
LVL 15

Expert Comment

by:Yan_west
ID: 11886650
on your domain controller..
0
 

Author Comment

by:Glindac
ID: 11886805
I know on the Domain controller...  On the list of the machines, I see the outbound machine (one to restrict) and I see the other machines but not the domain servers.  I added outbound to server4 (member server) and told it no access (unchecked) all the boxes, he could still get to the files on server4.
0
 
LVL 5

Expert Comment

by:drtoto82
ID: 11897567
Well  , your user still has access to the other server because it is a member of other groups that has access permission to that other server.
To solve that problem , make a RESTRICTED group and add that user account to it and give that group that appropriate permission to that folder you want . then , on the security permission for the folder remove all the other groups, (especially the everyone group ) and add only this restriced group to the allowed ones.
You can also make an authentication certificate for that user and only allow access to that user (IPSEC allows the use of certificate authentication for VPN access.)
0
 
LVL 1

Accepted Solution

by:
Ev- earned 1500 total points
ID: 11899410
How is your VPN currently setup?

Is it a;

- IPSEC VPN
- Windows ISA Server VPN

There two things that probably need to be done here.

First is to restrict a network segment (VPN) to only accessing one address (or range of addresses). Depending on how you have your VPN setup this will require you to add a rule to for your firewall or IPSEC tunnel to allow only access to hosts specified.

Secondly as mentioned above - Assigning access to a share to only 1 group, or a user. Taking Domain Users out of the users membership should work?

So there are two issues. Network layer security, the ability to connect to one or more hosts - and domain level security, restricting access to a share(s) based on users group membership.

Hope this has been some guidance, if anything.

Ev-
0
 
LVL 4

Expert Comment

by:WerewolfTA
ID: 11913253
Deny takes precedence over allow.  Specifically add that user (or if you anticipate needing to do this to more than one user, create a security group for this purpose; that way, you only have to set this up once and then just add users into the security group) to the volumes or folders under the Security (and/or Sharing, where applicable) tab that you want to keep him/her out of and check the deny boxes for what you want to keep them from doing.  This will keep them from doing those tasks whether it's reading, writing, or whatever even if they're part of a group that has allow rights to that same volume/folder.
0

Featured Post

What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Ransomware, the malware that locks down its victim’s files until they pay up, has always been a frustrating issue to deal with. However, a recent mobile ransomware will make the issue a little more personal… by sharing the victim’s mobile browsing h…
Experts Exchange expands question security options for members.
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…
When cloud platforms entered the scene, users and companies jumped on board to take advantage of the many benefits, like the ability to work and connect with company information from various locations. What many didn't foresee was the increased risk…
Suggested Courses

834 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question