Deny network access from a specific computer

We have a computer that previously had access to our network. However, I would like to deny access to the network now. How can I set it up so that someone using that computer cannot access network files? If it makes it easier, it is one user that I want to deny access to. Would it be easier to deny that specific user access instead of a computer?

Disable the NIC on the computer and make sure the user does not have local admin.  That way they can't re-enable it.
A few ways to do this. If it is one user and you have Active Directory installed, create an Organisational Unit and move the user account and computer account into the OU. Set up a group policy denying access to the network / servers and restricting logon times etc.

If it is just the user account that you want to deny, then don't place the computer account into the OU, just leave the user account in it and that means that no matter what device on the network the user logs onto, they won't have access to the network as the group policy will always be applied.

Disable the user account and change the password


There are a couple of ways you can do this:

- You can remove him from the NTFS file security on the files you don't want him to access.
- You can disable the NIC card as qiitjr mentioned.
- You can disable the person's user account.

If you could be more specific, I could help you better.   Do you still have the computer or did you sell it?  I guess I'm just not sure what the situation is.

Create a group and call it whatever you want to call it - example "BadGuys".
Open up the account properties...member of tab...Add the group that you just created.
Highlight the group and then set it as the primary group.
Remove the Domain User group and any other group that the account is a member of.

The user can still log on to the computer but she/he can't access network resources provided that you have all shares controlled and assigned to the right group.
wpiitm (Author) Commented:
Thanks guys. I will give some of these a try and see how they work.

MatheusM: It is an employee that used to work for the company, but was laid off. He has worked out an agreement with the "higher ups" to be able to come into the office and use the computers for his own business that he is starting. Obviously, it is similar to what we do and I don't see it as a good idea for him to be able to access our project files.
Oh, that should be fairly simple.

Assign him a specific computer to use all of the time.
Remove that computer from your domain.  Make it a workgroup.
Set up a local id for him to use on that computer.
Do NOT set up a domain id for him.
If possible set up that computer on its own VLAN with its own IP subnet.

Without a domain id he can't access any resource in your network that needs domain authentication, which except for printers should be just about everything on the network.

If you set him up on his own VLAN with his own IP subnet then he can't see any network broadcast traffic from your network.  If he is on the same IP subnet as you, then he could see broadcast traffic, multicast traffic (if you have any), and every now and then a few unicast packets.

With the proper firewall rules, he could still access the Internet, but he would not be able to access any servers on your network.  If he needs to print, you could either set up a specific printer for him, or just let him print directly to printers on the network (bypassing any print servers you have).
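
The isolation described in the answer above (Internet allowed, internal servers blocked, direct printing permitted), as an added example that is not part of the original thread: a Python check that an ordered, first-match firewall rule set for the isolated VLAN enforces that policy. All addresses, the TCP 9100 raw-printing port choice, and the names `RULES`, `decide` and `audit` are constructed assumptions.

```python
import ipaddress

# Constructed addressing for illustration; none of these values come from the thread.
PRINTER = ipaddress.ip_network("10.0.20.15/32")   # assumed network printer
INTERNAL = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Ordered rules for traffic leaving the isolated VLAN:
# (action, destination network, destination TCP port or None for any port).
RULES = [
    ("permit", PRINTER, 9100),                          # print directly, no print server
    ("deny", INTERNAL[0], None),                        # block every internal range
    ("deny", INTERNAL[1], None),
    ("deny", INTERNAL[2], None),
    ("permit", ipaddress.ip_network("0.0.0.0/0"), None),  # what remains is the Internet
]

def decide(rules, dst, port):
    """Return the action of the first rule matching dst and port (default deny)."""
    addr = ipaddress.ip_address(dst)
    for action, net, rule_port in rules:
        if addr in net and rule_port in (None, port):
            return action
    return "deny"

def audit(rules):
    """Probe the rule set against the intended policy; return the violations."""
    probes = [
        ("10.0.5.10", 445, "deny"),       # constructed file server, SMB
        ("10.0.5.11", 3389, "deny"),      # constructed server, RDP
        ("10.0.20.15", 9100, "permit"),   # printing is allowed
        ("10.0.20.15", 80, "deny"),       # printer admin page is not
        ("203.0.113.10", 443, "permit"),  # documentation address standing in for an Internet host
    ]
    return [(dst, port, want) for dst, port, want in probes
            if decide(rules, dst, port) != want]

if __name__ == "__main__":
    print("violations, correct order:", audit(RULES))
    # Moving the catch-all permit to the top silently opens the internal ranges.
    print("violations, permit-any first:", audit([RULES[-1]] + RULES[:-1]))
```

An empty list from `audit` means the rule order enforces the policy; the second call shows how a misplaced catch-all permit defeats the deny rules.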
You could firewall him off from everything.