Solved

Restrict one user within a domain

Posted on 2004-08-24
9
240 Views
Last Modified: 2010-04-11
We have one machine/user that needs to ONLY have access to one server and one directory within that server; the other 8 servers are off limits. What is the best way to implement this? This user will have to VPN into our network for access to this server and folder, so he must still be a domain user (I think).
0
Comment
Question by:Glindac
9 Comments
 
LVL 15

Expert Comment

by:Yan_west
ID: 11886240
Easy: create a new group for this user, and give this group access to the desired directory. Remove all other access and groups, even Domain Users.
0
 

Author Comment

by:Glindac
ID: 11886323
I did this and they still had access.  I removed them from domain users too.
0
 
LVL 15

Expert Comment

by:Yan_west
ID: 11886508
Hmm, try going to ADUC and into the Computers section. Right-click the computer you want, then Properties. Go to the Security tab, add the user name, and check Deny for Full Control.

Get back to me.
0
 

Author Comment

by:Glindac
ID: 11886557
Their computer or my servers individually?
0
 
LVL 15

Expert Comment

by:Yan_west
ID: 11886650
On your domain controller.
0
 

Author Comment

by:Glindac
ID: 11886805
I know, on the domain controller... In the list of machines I see the outbound machine (the one to restrict) and I see the other machines, but not the domain servers. I added outbound to server4 (member server) and told it no access (unchecked all the boxes); he could still get to the files on server4.
0
 
LVL 5

Expert Comment

by:drtoto82
ID: 11897567
Well, your user still has access to the other server because it is a member of other groups that have access permission to that other server.
To solve that problem, make a RESTRICTED group, add that user account to it, and give that group the appropriate permission to the folder you want. Then, in the security permissions for the folder, remove all the other groups (especially the Everyone group) and add only this restricted group to the allowed ones.
You can also make an authentication certificate for that user and only allow access to that user (IPSEC allows the use of certificate authentication for VPN access.)
0
 
LVL 1

Accepted Solution

by:
Ev- earned 500 total points
ID: 11899410
How is your VPN currently setup?

Is it a:

- IPSEC VPN
- Windows ISA Server VPN

There are two things that probably need to be done here.

First is to restrict a network segment (VPN) to only accessing one address (or range of addresses). Depending on how you have your VPN set up, this will require you to add a rule for your firewall or IPSEC tunnel to allow access only to the hosts specified.

Secondly, as mentioned above: assigning access to a share to only one group, or one user. Taking Domain Users out of the user's membership should work?

So there are two issues: network-layer security, the ability to connect to one or more hosts, and domain-level security, restricting access to share(s) based on the user's group membership.

Hope this has been some guidance, if anything.

Ev-
0
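The network-layer half of Ev-'s answer, as an added example that is not code from the thread: host firewall rules, applied with Windows Firewall with Advanced Security on each server, so that the VPN client address pool can reach SMB on the one file server and nothing on the other eight. It assumes Windows Server 2012 or later (New-NetFirewallRule), a VPN client pool of 10.99.0.0/24, and that the script is run on each server with a role argument; the pool, the role names and the rule names are hypothetical. The same filter belongs first on the VPN gateway or perimeter firewall, which is where Ev- puts it; the host rules are defence in depth for when that filter is missed.

```powershell
# Added example, not code from the thread. Assumes Windows Server 2012 or later with
# Windows Firewall with Advanced Security, a VPN client address pool of 10.99.0.0/24
# and SMB (TCP 445) as the only service the VPN user needs on the file server.
# The pool, the role names and the rule names are hypothetical.
# Usage (elevated, on each server):
#   .\vpn-restrict.ps1 -Role FileServer      # on the one server the user may reach
#   .\vpn-restrict.ps1 -Role OtherServer     # on each of the other eight
param(
    [Parameter(Mandatory)][ValidateSet('FileServer', 'OtherServer')][string]$Role,
    [string]$VpnPool = '10.99.0.0/24'
)

$prefix = 'VPN-Restrict'

# Idempotent: clear rules from an earlier run before creating the current set.
Get-NetFirewallRule -DisplayName "$prefix*" -ErrorAction SilentlyContinue | Remove-NetFirewallRule

switch ($Role) {
    'OtherServer' {
        # Drop every inbound packet from the pool, regardless of protocol. In WFAS an
        # explicit Block rule beats any Allow rule, so the built-in File and Printer
        # Sharing allows do not reopen SMB for these addresses.
        New-NetFirewallRule -DisplayName "$prefix Block VPN pool" -Direction Inbound `
            -Action Block -RemoteAddress $VpnPool -Profile Any | Out-Null
    }
    'FileServer' {
        # Allow only SMB from the pool. The Allow matters when the profile's default
        # inbound action is Block; the two Block rules close everything else, because a
        # blanket Block from the pool would also beat the SMB Allow. ICMP is left to the
        # existing rules.
        New-NetFirewallRule -DisplayName "$prefix Allow SMB from VPN pool" -Direction Inbound `
            -Action Allow -Protocol TCP -LocalPort 445 -RemoteAddress $VpnPool -Profile Any | Out-Null
        New-NetFirewallRule -DisplayName "$prefix Block other TCP from VPN pool" -Direction Inbound `
            -Action Block -Protocol TCP -LocalPort @('1-444', '446-65535') -RemoteAddress $VpnPool -Profile Any | Out-Null
        New-NetFirewallRule -DisplayName "$prefix Block UDP from VPN pool" -Direction Inbound `
            -Action Block -Protocol UDP -RemoteAddress $VpnPool -Profile Any | Out-Null
    }
}

# Check: print each rule with its action, port filter and remote address filter.
foreach ($rule in Get-NetFirewallRule -DisplayName "$prefix*") {
    $port = $rule | Get-NetFirewallPortFilter
    $addr = $rule | Get-NetFirewallAddressFilter
    $line = '{0,-38} {1,-6} {2,-4} port={3,-16} from={4}'
    $line -f $rule.DisplayName, $rule.Action, $port.Protocol, ($port.LocalPort -join ','), ($addr.RemoteAddress -join ',')
}
```

Two caveats before running it. Do not give the OtherServer role to a domain controller the VPN client must authenticate against, or the user will not be able to log on at all; the question does not say whether a DC is among the eight, so check first. And the VPN pool must be a dedicated range that only VPN clients receive, otherwise the rule blocks the wrong hosts. Test from the VPN client with `Test-NetConnection -ComputerName SERVER4 -Port 445` (should succeed) and the same against one of the other servers (should fail).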
 
LVL 4

Expert Comment

by:WerewolfTA
ID: 11913253
Deny takes precedence over allow. Specifically, add that user to the volumes or folders you want to keep him/her out of, under the Security tab (and/or the Sharing tab, where applicable), and check the Deny boxes for what you want to keep them from doing. (If you anticipate needing to do this for more than one user, create a security group for this purpose; that way you only have to set this up once and then just add users to the security group.) This will keep them from doing those tasks, whether reading, writing, or whatever, even if they're part of a group that has allow rights to that same volume/folder.
0
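The domain-level half, as one added example that is not code from the thread and that covers three comments at once: Yan_west's dedicated group, drtoto82's restricted group with every other entry stripped from the folder, and WerewolfTA's explicit Deny on the servers the user must not reach. It assumes the ActiveDirectory (RSAT) module for the group step, Windows Server 2012 or later for the SMB cmdlets, domain CORP, user 'outbound', group 'Restricted-Outbound', folder D:\Data\Outbound on SERVER4 shared as 'Outbound', and the shared roots in $OtherRoots; all of those are hypothetical values.

```powershell
# Added example, not code from the thread. Domain CORP, user 'outbound', group
# 'Restricted-Outbound', folder D:\Data\Outbound on SERVER4 shared as 'Outbound', and the
# shared roots in $OtherRoots are hypothetical; change them to match the environment.
# Usage (elevated):
#   .\restrict-share.ps1 -Stage Group        # once, where the ActiveDirectory module is installed
#   .\restrict-share.ps1 -Stage FileServer   # on SERVER4
#   .\restrict-share.ps1 -Stage OtherServer  # on each of the other eight servers
param(
    [Parameter(Mandatory)][ValidateSet('Group', 'FileServer', 'OtherServer')][string]$Stage,
    [string]$Domain    = 'CORP',
    [string]$GroupName = 'Restricted-Outbound',
    [string]$User      = 'outbound',
    [string]$Folder    = 'D:\Data\Outbound',
    [string]$ShareName = 'Outbound',
    [string[]]$OtherRoots = @('D:\Shares', 'E:\Data')
)

$principal = "$Domain\$GroupName"
$inherit   = 'ContainerInherit, ObjectInherit'   # ACE applies to the folder, subfolders and files

function New-RestrictedGroup {
    # A dedicated security group holding only this user.
    Import-Module ActiveDirectory
    if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
        New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security | Out-Null
    }
    Add-ADGroupMember -Identity $GroupName -Members $User
}

function Set-AllowOnlyAcl {
    # Inheritance off, every existing ACE (Everyone, Users, ...) removed, then Modify for
    # the group. Administrators and SYSTEM keep Full Control so the server's own admins
    # and backup are not locked out.
    param([string]$Path)
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $false)   # protect the DACL and drop inherited ACEs
    foreach ($ace in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        $acl.RemoveAccessRuleAll($ace)
    }
    foreach ($grant in @(@($principal, 'Modify'), @('BUILTIN\Administrators', 'FullControl'), @('NT AUTHORITY\SYSTEM', 'FullControl'))) {
        $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($grant[0], $grant[1], $inherit, 'None', 'Allow')))
    }
    Set-Acl -Path $Path -AclObject $acl
}

function Set-ShareAllowOnly {
    # Share permissions are ANDed with NTFS permissions, so the share must not keep the
    # default 'Everyone: Read' entry either.
    param([string]$Name, [string]$Path)
    if (-not (Get-SmbShare -Name $Name -ErrorAction SilentlyContinue)) {
        New-SmbShare -Name $Name -Path $Path -ChangeAccess $principal -FullAccess 'BUILTIN\Administrators' | Out-Null
    } else {
        Grant-SmbShareAccess -Name $Name -AccountName $principal -AccessRight Change -Force | Out-Null
    }
    Revoke-SmbShareAccess -Name $Name -AccountName 'Everyone' -Force -ErrorAction SilentlyContinue | Out-Null
}

function Add-DenyAce {
    # An explicit Deny is evaluated before any Allow, so it holds even though the user stays
    # in Domain Users (a primary group cannot simply be removed) or in any other group that
    # has Allow rights on these servers.
    param([string]$Path)
    $acl = Get-Acl -Path $Path
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($principal, 'FullControl', $inherit, 'None', 'Deny')))
    Set-Acl -Path $Path -AclObject $acl
}

function Show-ExplicitAces {
    # Check: the non-inherited ACEs now on the path, plus a warning for any subfolder that
    # stopped inheriting, because an inherited Deny does not flow into those.
    param([string]$Path)
    (Get-Acl -Path $Path).Access | Where-Object { -not $_.IsInherited } |
        Select-Object @{ n = 'Path'; e = { $Path } }, IdentityReference, FileSystemRights, AccessControlType |
        Format-Table -AutoSize
    Get-ChildItem -Path $Path -Recurse -Directory -ErrorAction SilentlyContinue |
        Where-Object { (Get-Acl -Path $_.FullName).AreAccessRulesProtected } |
        ForEach-Object { Write-Warning "Inheritance is disabled on $($_.FullName); set its ACL separately." }
}

switch ($Stage) {
    'Group'       { New-RestrictedGroup }
    'FileServer'  { Set-AllowOnlyAcl -Path $Folder; Set-ShareAllowOnly -Name $ShareName -Path $Folder; Show-ExplicitAces -Path $Folder }
    'OtherServer' { foreach ($root in $OtherRoots) { Add-DenyAce -Path $root; Show-ExplicitAces -Path $root } }
}
```

Two points the thread touches but does not spell out. Group membership is stamped into the user's token at logon, so after the Group stage the user has to disconnect and reconnect the VPN before either the Allow or the Deny takes effect; that is one likely reason the author still saw access after changing groups. And the Deny on the other servers is placed on a group rather than the user for the reason WerewolfTA gives: the next restricted user is one Add-ADGroupMember away, with no ACL change on nine servers.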

