binnykuriakose

asked on

blocking access to servers using AD

Is there a way to prevent access for specific users to a server in an AD domain such that when the user tries to access the server in any manner, they will get "Access Denied" or similar?  i.e., from the start menu, the user types: \\servername, and they will not see the shares or anything - they will get no access.
kamalgopi

One effective method of doing this would be to add the user to a group that you create (for example Server A Users) and then remove them from the domain users group. Next, make the group that you created a member of the appropriate local groups on the server to grant them the level of access you desire. For example, if you want them to be just a regular user, you can add the global group to the local "Users" group.

Hope this helps
Cheers:)
Kamal

ASKER

The access level I would like the user to have is: No access.  How is that configured?  This means even if they type: \\servername from a command prompt, they will get no access to the server.
As said, if the users are default members of the Domain Admins they would be able to access any servers. But I think maybe you can try this out by going to the computer local policy and then adding the user in the deny user from accessing from the network... I have not tried this out personally, but you can try this out.

Hope this helps.
Cheers:)
Kamal
Brian Pierce

You do NOT want to start having people accessing servers using local accounts rather than domain accounts - that is a recipe for disaster and will become a nightmare to manage. You cannot remove people from the Domain Users group; other than having them log on locally, membership of Domain Users is automatic. If you don't want a user to have access to a server, just use the normal NTFS and share permissions.
Ok, so if new shares are added to servers, this has to be constantly managed?  There is not a way to do this in AD so that it is centrally managed such that certain users are absolutely locked out of servers, not just specific shares/directories of servers?
Ya, I think the best way is to add NTFS permissions to the new folder you create. To make life easier, create a group, so rather than adding many users you just add the group, and if you want you can remove the user from the group.

Hope this helps
Cheers:)
Kamal
This was resolved by using the "Access this computer from the network" GPO policy.
If you want the shares to be hidden from the window when you type the servername in you could put a dollar sign on the end of the share. The window would just be empty.  Granted this would hide the shares from all users.  But any legit users would probably have mapped network drives which would work fine, but if a restricted user did happen to find what the share name was they'd just be bounced with an access denied message.
Again, this would not be a good solution since you would have to manage constantly.  The solution I mentioned above would work better to centrally manage the server.
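
An added example, not written by any participant in this thread: a Python check for the "Access this computer from the network" fix reported above. It parses a user-rights export of the kind `secedit /export /cfg rights.inf /areas USER_RIGHTS` writes and flags broad groups that still hold that right (`SeNetworkLogonRight`), which would leave individual users able to reach the server. The sample export and the group name `CONTOSO\ServerA-Users` are constructed assumptions.

```python
import configparser

# Well-known SIDs that cover (nearly) every domain account. If one of these
# holds SeNetworkLogonRight, no individual user is locked out of the server.
BROAD_SIDS = {
    "S-1-1-0": "Everyone",
    "S-1-5-11": "Authenticated Users",
    "S-1-5-32-545": "BUILTIN\\Users",
}
DOMAIN_USERS_RID = "-513"  # Domain Users: S-1-5-21-<domain>-513

# Constructed sample of a secedit USER_RIGHTS export (a real export file is
# UTF-16; decode it to text before passing it in). Group name is hypothetical.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-5-32-544,*S-1-5-11,CONTOSO\\ServerA-Users
SeDenyNetworkLogonRight = *S-1-5-32-546
[Version]
signature="$CHICAGO$"
Revision=1
"""

def principals(inf_text, right):
    """Return the accounts/SIDs assigned to one user right, '*' stripped."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep the case of the right names
    cp.read_string(inf_text)
    raw = cp.get("Privilege Rights", right, fallback="")
    return [p.strip().lstrip("*") for p in raw.split(",") if p.strip()]

def broad_network_logon(inf_text):
    """List broad groups still allowed to access the server from the network."""
    hits = []
    for p in principals(inf_text, "SeNetworkLogonRight"):
        if p in BROAD_SIDS:
            hits.append(BROAD_SIDS[p])
        elif p.startswith("S-1-5-21-") and p.endswith(DOMAIN_USERS_RID):
            hits.append("Domain Users")
    return hits

if __name__ == "__main__":
    print("allowed:", principals(SAMPLE_INF, "SeNetworkLogonRight"))
    print("denied: ", principals(SAMPLE_INF, "SeDenyNetworkLogonRight"))
    print("broad groups still allowed:", broad_network_logon(SAMPLE_INF))
```

An empty result from `broad_network_logon` means only the explicitly listed groups can connect over the network; entries in `SeDenyNetworkLogonRight` override the allow list.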