Solved

Restrict one user within a domain

Posted on 2004-08-24
Last Modified: 2010-04-11
We have one machine/user that needs to ONLY have access to One Server and One directory within that server, the other 8 servers are off access.  What is the best way to implement this?  This user will have to VPN into our network for access to this server and folder, so he must still be a domain user (I think).
Question by:Glindac
9 Comments
 
LVL 15

Expert Comment

by:Yan_west
ID: 11886240
Easy, create a new group for this user, and give this group access to the desired directory. Remove all other access and group, even domain users..
0
 

Author Comment

by:Glindac
ID: 11886323
I did this and they still had access.  I removed them from domain users too.
0
 
LVL 15

Expert Comment

by:Yan_west
ID: 11886508
Hmm try going to ADUC, and go in the computer section. Right click the computer you want, properties.. Go to the security tab, add the user name, and click deny full access..

get back to me..
0
 

Author Comment

by:Glindac
ID: 11886557
Their computer or my servers individually?
0
 
LVL 15

Expert Comment

by:Yan_west
ID: 11886650
on your domain controller..
0
 

Author Comment

by:Glindac
ID: 11886805
I know on the Domain controller...  On the list of the machines, I see the outbound machine (one to restrict) and I see the other machines but not the domain servers.  I added outbound to server4 (member server) and told it no access (unchecked) all the boxes, he could still get to the files on server4.
0
 
LVL 5

Expert Comment

by:drtoto82
ID: 11897567
Well, your user still has access to the other server because it is a member of other groups that have access permission to that other server.
To solve that problem, make a RESTRICTED group and add that user account to it and give that group the appropriate permission to that folder you want. Then, on the security permission for the folder remove all the other groups (especially the Everyone group) and add only this restricted group to the allowed ones.
You can also make an authentication certificate for that user and only allow access to that user (IPSEC allows the use of certificate authentication for VPN access.)
0
 
LVL 1

Accepted Solution

by:
Ev- earned 1500 total points
ID: 11899410
How is your VPN currently setup?

Is it a:

- IPSEC VPN
- Windows ISA Server VPN

There are two things that probably need to be done here.

First is to restrict a network segment (VPN) to only accessing one address (or range of addresses). Depending on how you have your VPN setup this will require you to add a rule to your firewall or IPSEC tunnel to allow only access to the hosts specified.

Secondly as mentioned above - Assigning access to a share to only 1 group, or a user. Taking Domain Users out of the users membership should work?

So there are two issues. Network layer security, the ability to connect to one or more hosts - and domain level security, restricting access to a share(s) based on users group membership.

Hope this has been some guidance, if anything.

Ev-
0
 
LVL 4

Expert Comment

by:WerewolfTA
ID: 11913253
Deny takes precedence over allow.  Specifically add that user (or if you anticipate needing to do this to more than one user, create a security group for this purpose; that way, you only have to set this up once and then just add users into the security group) to the volumes or folders under the Security (and/or Sharing, where applicable) tab that you want to keep him/her out of and check the deny boxes for what you want to keep them from doing.  This will keep them from doing those tasks whether it's reading, writing, or whatever even if they're part of a group that has allow rights to that same volume/folder.
0
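The two NTFS-level approaches in the thread (drtoto82's dedicated restricted group as the only principal allowed on the one folder, and WerewolfTA's explicit Deny ACEs on everything else) can be applied and then checked from PowerShell. This is an added example, not code from the thread; the domain name, user, group and folder paths are assumptions, the Active Directory steps need the RSAT ActiveDirectory module, and it covers only the share/NTFS layer, not the VPN or firewall rule the accepted answer also recommends.

```powershell
# Added example, not part of the original thread. All names below are assumptions.
$Domain  = 'CONTOSO'                          # assumed domain NetBIOS name
$User    = 'outbound'                         # the one account to restrict
$Group   = 'Restricted-Server4-Only'          # dedicated group holding only that user
$Allowed = '\\server4\Shares\Project'         # the single folder he may reach
$Denied  = @('\\server5\Shares', '\\server6\Shares')   # share roots he must not reach

# 1. Dedicated security group with this user as its only member (drtoto82's approach).
if (-not (Get-ADGroup -Filter "Name -eq '$Group'")) {
    New-ADGroup -Name $Group -GroupScope Global -GroupCategory Security | Out-Null
}
Add-ADGroupMember -Identity $Group -Members $User

# 2. On the permitted folder: stop inheriting, drop every existing ACE (Everyone,
#    Users, ...), then allow only Administrators and the restricted group.
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$acl = Get-Acl -Path $Allowed
$acl.SetAccessRuleProtection($true, $false)   # protected DACL, inherited ACEs discarded
foreach ($rule in @($acl.Access)) { $acl.RemoveAccessRule($rule) | Out-Null }
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    'BUILTIN\Administrators', 'FullControl', $inherit, 'None', 'Allow')))
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    "$Domain\$Group", 'ReadAndExecute', $inherit, 'None', 'Allow')))
Set-Acl -Path $Allowed -AclObject $acl

# 3. On the other servers' shares: an explicit Deny for the user. Deny is evaluated
#    before Allow, so it wins over any access he inherits through other group
#    memberships (WerewolfTA's point), without touching the other groups' rights.
foreach ($path in $Denied) {
    $acl = Get-Acl -Path $path
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        "$Domain\$User", 'FullControl', $inherit, 'None', 'Deny')))
    Set-Acl -Path $path -AclObject $acl
}

# 4. Verify: show every ACE naming the user or the group, per folder.
foreach ($path in (@($Allowed) + $Denied)) {
    (Get-Acl -Path $path).Access |
        Where-Object { $_.IdentityReference -match "$User|$Group" } |
        Select-Object @{ n = 'Path'; e = { $path } }, IdentityReference,
                      AccessControlType, FileSystemRights, IsInherited
}
```

Step 2 replaces the folder's whole DACL, so run it with an account that stays in Administrators and check the step 4 output before signing off; step 3 must be repeated for any share root not listed in `$Denied`, since the Deny only protects the trees it is applied to.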
