deny network access from a specific computer

Posted on 2009-05-21
Medium Priority
Last Modified: 2013-12-04
We have a computer that previously had access to our network. However, I would like to deny access to the network now. How can I set it up so that someone using that computer cannot access network files? If it makes it easier, it is one user that I want to deny access to. Would it be easier to deny that specific user access instead of a computer?
Question by: wpiitm

Expert Comment

ID: 24446065
Disable the NIC on the computer and make sure the user does not have local admin.  That way they can't re-enable it.

Accepted Solution

kgreeneit earned 500 total points
ID: 24446125
A few ways to do this. If it is one user and you have Active Directory installed, create an Organisational Unit and move the user account and computer account into the OU. Set up a group policy denying access to the network / servers and restricting logon times etc.

If it is just the user account that you want to deny, then don't place the computer account into the OU, just leave the user account in it, and that means that no matter what device on the network the user logs onto, they won't have access to the network, as the group policy will always be applied.

Disable the user account and change the password.


Assisted Solution

MatheusM earned 500 total points
ID: 24446130
There are a couple of ways you can do this:

- You can remove him from the NTFS file security on the files you don't want him to access.
- You can disable the NIC card as qiitjr mentioned.
- You can disable the person's user account.

If you could be more specific, I could help you better.   Do you still have the computer or did you sell it?  I guess I'm just not sure what the situation is.


Assisted Solution

swhcs earned 500 total points
ID: 24447167
Create a group and call it whatever you want to call it, for example "BadGuys".
Open up the account properties...member of tab...Add the group that you just created.
Highlight the group and then set it as the primary group.
Remove the Domain User group and any other group that the account is a member of.

The user can still log on to the computer but she/he can't access network resources provided that you have all shares controlled and assigned to the right group.
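
The proviso in the answer above ("all shares controlled and assigned to the right group") can be checked on each file server. The following PowerShell is an added example, not part of the original post: it lists shares whose share-level or NTFS root permissions still allow principals that a stripped-down account matches anyway. It assumes the SmbShare module (Windows Server 2012 or later), and the account name `CONTOSO\former.employee` is hypothetical.

```powershell
# Added example: run in an elevated session on each file server.
# Well-known principals that any authenticated domain account still matches,
# even after its explicit group memberships are removed
# (BUILTIN\Users includes Authenticated Users by default).
$broad = 'Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users'

# Hypothetical account name; replace with the real DOMAIN\user.
$user = 'CONTOSO\former.employee'

function Get-BroadShareAccess {
    param([string[]]$Principals)

    foreach ($share in Get-SmbShare -Special $false) {
        # Layer 1: share-level permissions.
        Get-SmbShareAccess -Name $share.Name |
            Where-Object { $_.AccessControlType -eq 'Allow' -and
                           $_.AccountName -in $Principals } |
            ForEach-Object {
                [pscustomobject]@{
                    Share = $share.Name; Layer = 'Share'
                    Principal = $_.AccountName; Rights = $_.AccessRight
                }
            }

        # Layer 2: NTFS permissions on the share root only. Subfolders with
        # broken inheritance are not examined here.
        if ($share.Path -and (Test-Path -LiteralPath $share.Path)) {
            (Get-Acl -LiteralPath $share.Path).Access |
                Where-Object { $_.AccessControlType -eq 'Allow' -and
                               $_.IdentityReference.Value -in $Principals } |
                ForEach-Object {
                    [pscustomobject]@{
                        Share = $share.Name; Layer = 'NTFS'
                        Principal = $_.IdentityReference.Value
                        Rights = $_.FileSystemRights
                    }
                }
        }
    }
}

# A share is reachable only when BOTH layers allow the account, so a share
# that appears under both 'Share' and 'NTFS' needs its permissions tightened.
Get-BroadShareAccess -Principals ($broad + $user) |
    Sort-Object Share, Layer | Format-Table -AutoSize
```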

Author Comment

ID: 24449771
Thanks guys. I will give some of these a try and see how they work.

MatheusM: It is an employee that used to work for the company, but was laid off. He has worked out an agreement with the "higher ups" to be able to come into the office and use the computers for his own business that he is starting. Obviously, it is similar to what we do and I don't see it as a good idea for him to be able to access our project files.

Assisted Solution

giltjr earned 500 total points
ID: 24450044
Oh, that should be fairly simple.

Assign him a specific computer to use all of the time.
Remove that computer from your domain.  Make it a workgroup.
Set up a local id for him to use on that computer.
Do NOT set up a domain id for him.
If possible, set up that computer on its own VLAN with its own IP subnet.

Without a domain id he can't access any resource in your network that needs domain authentication, which except for printers should be just about everything on the network.

If you set him up on his own VLAN with his own IP subnet then he can't see any network broadcast traffic from your network.  If he is on the same IP subnet as you, then he could see broadcast traffic, multicast traffic (if you have any), and every now and then a few unicast packets.

With the proper firewall rules, he could still access the Internet, but he would not be able to access any servers on your network.  If he needs to print, you could either set up a specific printer for him, or just let him print directly to printers on the network (bypassing any print servers you have).
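
Once the VLAN and firewall rules described above are in place, the result can be verified from the isolated workstation itself. This PowerShell check is an added example, not part of the original post: it confirms that internal servers are unreachable while the Internet and the permitted printer still are. All addresses and ports in the table are constructed placeholders, and `Test-NetConnection` requires Windows 8.1 / Server 2012 R2 or later.

```powershell
# Added example: run on the isolated workstation after the VLAN and firewall
# rules are applied. Every target below is a constructed placeholder;
# substitute your own servers, printer and an external site.
$checks = @(
    [pscustomobject]@{ Target = '10.0.0.10'; Port = 445;  Purpose = 'File server (SMB)';      Expect = $false }
    [pscustomobject]@{ Target = '10.0.0.5';  Port = 389;  Purpose = 'Domain controller LDAP'; Expect = $false }
    [pscustomobject]@{ Target = '10.0.0.5';  Port = 88;   Purpose = 'Domain controller KDC';  Expect = $false }
    [pscustomobject]@{ Target = '10.0.0.10'; Port = 3389; Purpose = 'Server RDP';             Expect = $false }
    [pscustomobject]@{ Target = '10.0.0.20'; Port = 9100; Purpose = 'Printer (direct print)'; Expect = $true }
    [pscustomobject]@{ Target = 'www.example.com'; Port = 443; Purpose = 'Internet (HTTPS)';  Expect = $true }
)

function Test-Isolation {
    param([object[]]$Checks)

    foreach ($c in $Checks) {
        # -InformationLevel Quiet returns $true only if the TCP connect succeeds.
        $open = Test-NetConnection -ComputerName $c.Target -Port $c.Port `
                    -InformationLevel Quiet -WarningAction SilentlyContinue

        # 'REVIEW' means the firewall behaves differently from the design:
        # either a server is reachable or an allowed service is blocked.
        $result = if ($open -eq $c.Expect) { 'OK' } else { 'REVIEW' }

        [pscustomobject]@{
            Purpose   = $c.Purpose
            Target    = "$($c.Target):$($c.Port)"
            Reachable = $open
            Expected  = $c.Expect
            Result    = $result
        }
    }
}

$report = Test-Isolation -Checks $checks
$report | Format-Table -AutoSize

if ($report.Result -contains 'REVIEW') {
    Write-Warning 'At least one target does not match the intended firewall policy.'
}
```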

Expert Comment

ID: 24500012
You could firewall him off from everything.
