Solved

Restrict one user within a domain

Posted on 2004-08-24
Last Modified: 2010-04-11
We have one machine/user that needs to ONLY have access to One Server and One directory within that server, the other 8 servers are off access.  What is the best way to implement this?  This user will have to VPN into our network for access to this server and folder, so he must still be a domain user (I think).
0
Question by:Glindac
9 Comments
 
LVL 15

Expert Comment

by:Yan_west
ID: 11886240
Easy, create a new group for this user, and give this group access to the desired directory. Remove all other access and groups, even domain users.
0
 

Author Comment

by:Glindac
ID: 11886323
I did this and they still had access.  I removed them from domain users too.
0
 
LVL 15

Expert Comment

by:Yan_west
ID: 11886508
Hmm, try going to ADUC, and go in the computer section. Right-click the computer you want, Properties. Go to the Security tab, add the user name, and click deny full access.

Get back to me.
0
 

Author Comment

by:Glindac
ID: 11886557
Their computer or my servers individually?
0
 
LVL 15

Expert Comment

by:Yan_west
ID: 11886650
On your domain controller.
0
 

Author Comment

by:Glindac
ID: 11886805
I know on the Domain controller...  On the list of the machines, I see the outbound machine (one to restrict) and I see the other machines but not the domain servers.  I added outbound to server4 (member server) and told it no access (unchecked all the boxes), he could still get to the files on server4.
0
 
LVL 5

Expert Comment

by:drtoto82
ID: 11897567
Well, your user still has access to the other server because it is a member of other groups that have access permission to that other server.
To solve that problem, make a RESTRICTED group and add that user account to it and give that group the appropriate permission to the folder you want. Then, on the security permissions for the folder, remove all the other groups (especially the Everyone group) and add only this restricted group to the allowed ones.
You can also make an authentication certificate for that user and only allow access to that user (IPSEC allows the use of certificate authentication for VPN access).
0
 
LVL 1

Accepted Solution

by:Ev- earned 500 total points
ID: 11899410
How is your VPN currently setup?

Is it a:

- IPSEC VPN
- Windows ISA Server VPN

There are two things that probably need to be done here.

First is to restrict a network segment (VPN) to only accessing one address (or range of addresses). Depending on how you have your VPN set up, this will require you to add a rule to your firewall or IPSEC tunnel to allow access only to the hosts specified.

Secondly, as mentioned above, assigning access to a share to only 1 group, or a user. Taking Domain Users out of the user's membership should work?

So there are two issues. Network layer security, the ability to connect to one or more hosts - and domain level security, restricting access to a share(s) based on users group membership.

Hope this has been some guidance, if anything.

Ev-
0
 
LVL 4

Expert Comment

by:WerewolfTA
ID: 11913253
Deny takes precedence over allow.  Specifically add that user (or if you anticipate needing to do this to more than one user, create a security group for this purpose; that way, you only have to set this up once and then just add users into the security group) to the volumes or folders under the Security (and/or Sharing, where applicable) tab that you want to keep him/her out of and check the deny boxes for what you want to keep them from doing.  This will keep them from doing those tasks whether it's reading, writing, or whatever even if they're part of a group that has allow rights to that same volume/folder.
0
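The two points raised in the answers above (other group memberships still granting access, and deny taking precedence over allow), modelled as an added example that is not part of the original thread: a simplified version of how Windows walks a folder's DACL against the principals in a user's access token. The group names, folder ACLs and the `token`, `canonical`, `ace` and `effective_access` helpers are constructed for illustration; the model covers ordered allow/deny ACEs only, not privileges, ownership or share permissions.

```python
# Simplified model of a Windows DACL access check (added example).
READ, WRITE = 0x1, 0x2

# Well-known groups every authenticated domain logon carries, regardless of
# which explicit groups an administrator removes the account from.
IMPLICIT = {"Everyone", "Authenticated Users"}

def token(user, groups):
    """Return the set of security principals in the user's access token."""
    return {user} | set(groups) | IMPLICIT

def canonical(dacl):
    """Order ACEs as Windows tools write them: explicit deny, explicit allow,
    inherited deny, inherited allow."""
    return sorted(dacl, key=lambda a: (a["inherited"], a["type"] != "deny"))

def effective_access(tok, dacl, wanted):
    """Walk ACEs in order; the first deny that matches a still-needed right
    refuses the request, allows accumulate until everything is granted."""
    remaining = wanted
    for entry in canonical(dacl):
        if entry["who"] not in tok:
            continue
        if entry["type"] == "deny" and entry["mask"] & remaining:
            return False
        if entry["type"] == "allow":
            remaining &= ~entry["mask"]
        if remaining == 0:
            return True
    return False  # no ACE granted the rest: implicit deny

def ace(kind, who, mask, inherited=False):
    return {"type": kind, "who": who, "mask": mask, "inherited": inherited}

# Constructed sample: the restricted user after removal from Domain Users.
outbound = token("outbound", ["Restricted"])

# A folder on another server that still lists Everyone: access is unchanged.
open_folder = [ace("allow", "Everyone", READ, inherited=True)]
# Same folder with an explicit deny for the restricted group added.
denied_folder = open_folder + [ace("deny", "Restricted", READ | WRITE)]
# The one folder the user should reach: only the restricted group is listed.
target_folder = [ace("allow", "Restricted", READ | WRITE)]
# A folder that lists Domain Users only: removing the membership is enough.
staff_only = [ace("allow", "Domain Users", READ)]
```

Removing the account from Domain Users only helps on folders like `staff_only`; any ACL that names Everyone or Authenticated Users still matches the token until that entry is removed or a deny entry is added.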
