binnykuriakose
asked on
blocking access to servers using AD
Is there a way to prevent access for specific users to a server in an AD domain such that when the user tries to access the server in any manner, they will get "Access Denied" or similar? I.e., from the Start menu, the user types: \\servername, and they will not see the shares or anything - they will get no access.
ASKER
The access level I would like the user to have is: No access. How is that configured? This means even if they type: \\servername from a command prompt, they will get no access to the server.
As said, if the users are default members of the Domain Admins, they would be able to access any servers. But I think maybe you can try this out by going to the computer's local policy and then adding the user in the deny user from accessing from the network... I have not tried this out personally, but you can try this out.
Hope this helps.
Cheers:)
Kamal
You do NOT want to start having people accessing servers using local accounts rather than domain accounts - that is a recipe for disaster and will become a nightmare to manage. You cannot remove people from the Domain Users group; other than having them log on locally, membership of Domain Users is automatic. If you don't want a user to have access to a server, just use the normal NTFS and share permissions.
ASKER
OK, so if new shares are added to servers, this has to be constantly managed? There is not a way to do this in AD so that it is centrally managed, such that certain users are absolutely locked out of servers, not just specific shares/directories of servers?
Ya, I think the best way is to add NTFS permissions to the new folder you create. To make life easier, create a group, so rather than adding the many users, just add the group, and if you want you can remove the user from the group.
Hope this helps
Cheers:)
Kamal
ASKER
This was resolved by using the "Access this computer from the network" GPO policy.
If you want the shares to be hidden from the window when you type the servername in you could put a dollar sign on the end of the share. The window would just be empty. Granted this would hide the shares from all users. But any legit users would probably have mapped network drives which would work fine, but if a restricted user did happen to find what the share name was they'd just be bounced with an access denied message.
ASKER
Again, this would not be a good solution since you would have to manage it constantly. The solution I mentioned above would work better to centrally manage the server.
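A way to check which accounts currently hold the two network-logon user rights discussed in this thread ("Access this computer from the network" and the deny-from-network right suggested earlier) on a given server. This is an added example, not code posted by anyone in the thread; it assumes an elevated PowerShell prompt on the server being audited.

```powershell
# Added example (not from the thread). Run elevated on the server to audit.
# SeNetworkLogonRight     = "Access this computer from the network"
# SeDenyNetworkLogonRight = "Deny access to this computer from the network"
$rights = 'SeNetworkLogonRight', 'SeDenyNetworkLogonRight'

# Export only the user-rights area of the server's security settings to a temp file.
$cfg = Join-Path $env:TEMP ("user-rights-{0}.inf" -f [guid]::NewGuid())
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
if ($LASTEXITCODE -ne 0 -or -not (Test-Path $cfg)) {
    throw "secedit export failed (exit code $LASTEXITCODE); run from an elevated prompt."
}

try {
    $lines = Get-Content -Path $cfg
    foreach ($right in $rights) {
        # Entries look like: SeNetworkLogonRight = *S-1-5-32-544,*S-1-5-11
        $line = $lines | Where-Object { $_ -match "^$right\s*=" } | Select-Object -First 1
        if (-not $line) {
            [pscustomobject]@{ Right = $right; Principal = '(no entries)'; Sid = $null }
            continue
        }
        $members = ($line -split '=', 2)[1].Split(',') |
            ForEach-Object { $_.Trim() } | Where-Object { $_ }
        foreach ($m in $members) {
            $name = $m
            $sid  = $null
            if ($m.StartsWith('*')) {
                # A leading '*' marks a SID; translate it to DOMAIN\name where possible.
                $sid = $m.TrimStart('*')
                try {
                    $sidObj = New-Object System.Security.Principal.SecurityIdentifier($sid)
                    $name = $sidObj.Translate([System.Security.Principal.NTAccount]).Value
                } catch {
                    $name = '(unresolved SID)'
                }
            }
            [pscustomobject]@{ Right = $right; Principal = $name; Sid = $sid }
        }
    }
} finally {
    # The export lists security principals; do not leave it behind in TEMP.
    Remove-Item -Path $cfg -Force -ErrorAction SilentlyContinue
}
```

A principal listed under the deny right is refused network access even if it also matches an entry under the allow right, so review both rows together after the GPO has applied.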
ASKER CERTIFIED SOLUTION
Hope this helps
Cheers:)
Kamal