
Best Way To Lock Down a User Account In AD

I need to lock down external users who need to access specific servers on our network, but absolutely nothing else. They have domain accounts on our network.
What's the best way to do this?

Commented:
First off, you need to remember that even if they can't get through AD they can still mess around with your network (think printers, NAS, unpatched servers, etc.).

You should really consider some sort of firewall / Layer 3 type config to isolate them.

With AD, I would make sure they only exist in their own group (make sure they are off the default one). Then add that group to whatever account they need on the servers to operate their app/service.

Author

Commented:
True, good call, as well as logon hours and restricted computers.
For the firewall, they would need their own VPN profile, which limits their access, correct?
Sr. Systems Engineer
Commented:
First, all domain users have default access to servers and other resources, so you need to reverse that by making them guests instead of domain users. Go in and change their default group (on the Member Of tab) to Domain Guests instead of Domain Users; this means they don't have access to anything by default. (This means they probably won't be able to print to printers as well; just FYI, if you want them to, you have to change permissions on printers and other things besides files if you go this route.) You have to add Domain Guests, then set it as primary and remove Domain Users.

Then you have to go in and give access to what they should have access to. You should create a group for them, put them in that group, then add that group to the NTFS permissions on the Security tab for each folder/file they should have access to. You may need to check the share permissions and make sure that group has access there too, since Everyone doesn't always include guests. You may also need to go into User Rights in the policy editor (gpedit.msc) on each server they should have access to and make sure that there aren't any deny permissions set, and you may need to add them to "Access this computer from the network."

Last thing: the guest account has no password, so DO NOT ENABLE the Guest account. Domain Guests, however, are accounts like Guest but have a password, so using this doesn't allow access to servers without a password. DO NOT ENABLE the GUEST account in Active Directory.
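The procedure in the comment above (dedicated group, Domain Guests as primary group, drop Domain Users, explicit NTFS and share grants, a user-rights check, Guest left disabled), plus the logon-hours and restricted-workstation controls mentioned earlier in the thread, as one PowerShell script. This is an added example, not code from any of the commenters; it assumes the RSAT ActiveDirectory and SmbShare modules, and the domain name "CORP", the account "vendor1", the group "ExternalVendors", the server "APP01" and the folder D:\VendorApp shared as "VendorApp" are all placeholders.

```powershell
# Added example; not code from the original thread. All names below are
# placeholders: domain CORP, user vendor1, group ExternalVendors, server
# APP01 with D:\VendorApp shared as "VendorApp".
Import-Module ActiveDirectory

$user   = 'vendor1'
$group  = 'ExternalVendors'
$server = 'APP01'
$domain = 'CORP'

# 1. Put the external account in its own security group.
if (-not (Get-ADGroup -Filter "Name -eq '$group'")) {
    New-ADGroup -Name $group -GroupScope Global -GroupCategory Security `
        -Description 'External users: explicit grants only'
}
Add-ADGroupMember -Identity $group -Members $user

# 2. Make Domain Guests the primary group, then remove Domain Users.
#    A user's primary group cannot be removed, so the order matters.
#    primaryGroupID holds the group's RID; Domain Guests is RID 514.
Add-ADGroupMember -Identity 'Domain Guests' -Members $user
Set-ADUser -Identity $user -Replace @{ primaryGroupID = 514 }
Remove-ADGroupMember -Identity 'Domain Users' -Members $user -Confirm:$false

# 3. Restrict where and when the account can log on: only the named
#    server, Monday to Friday 08:00-17:59. logonHours is 21 bytes (168 bits,
#    one per hour) starting Sunday 00:00, least significant bit first, and
#    is interpreted in UTC, so shift the hours for your time zone.
Set-ADUser -Identity $user -LogonWorkstations $server
$hours = New-Object byte[] 21
foreach ($day in 1..5) {            # 0 = Sunday ... 6 = Saturday
    foreach ($h in 8..17) {
        $bit = $day * 24 + $h
        $idx = [int][math]::Floor($bit / 8)
        $hours[$idx] = [byte]($hours[$idx] -bor (1 -shl ($bit % 8)))
    }
}
Set-ADUser -Identity $user -Replace @{ logonHours = $hours }

# 4. Grant the group (never the user) Modify on the folder via NTFS and
#    Change on the share; both layers must allow access or the user is denied.
$path = "\\$server\D$\VendorApp"
$acl  = Get-Acl -Path $path
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule `
    -ArgumentList "$domain\$group", 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow'
$acl.SetAccessRule($rule)
Set-Acl -Path $path -AclObject $acl
Grant-SmbShareAccess -Name 'VendorApp' -AccountName "$domain\$group" `
    -AccessRight Change -CimSession $server -Force

# 5. Checks. Memberships should be only the new group plus Domain Guests;
#    the server's user rights must not deny the group network logon (secedit
#    lists SIDs, so compare against the group's SID); and the built-in Guest
#    account must stay disabled.
Get-ADPrincipalGroupMembership -Identity $user | Select-Object -ExpandProperty Name
(Get-ADGroup -Identity $group).SID.Value
Invoke-Command -ComputerName $server -ScriptBlock {
    $inf = Join-Path $env:TEMP 'rights.inf'
    secedit /export /cfg $inf | Out-Null
    Select-String -Path $inf -Pattern 'SeNetworkLogonRight|SeDenyNetworkLogonRight'
    Remove-Item $inf
}
(Get-ADUser -Identity Guest).Enabled   # expect False
```

Run it from a domain-joined admin workstation with rights on both the domain and the target server; try the Set-ADUser and Remove-ADGroupMember lines with -WhatIf first, since swapping the primary group is the step that actually strips the account's default access and will break anything that relied on Domain Users membership.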
Steve Agnew, Sr. Systems Engineer

Commented:
I read the previous comments from the network engineers. What a headache. Active Directory is very effective at completely isolating someone from a server if you do it right; most people just don't have a good enough understanding of Active Directory to use it properly, so they go the route of making their network more complex. My recommendation is that if you understand networking well and can support making your network more complex and thus more difficult to maintain, do that; but if not, use Active Directory, because it lets you control access, and it's easier to troubleshoot and takes less support than going the networking route. I always recommend keeping your networks simple, because it makes one less thing you have to worry about when you have to troubleshoot.

Author

Commented:
Yes I like the AD approach, thank you!
I'll leave this case open for just a little while longer in case anyone else has anything to add.

Author

Commented:
Thanks guys.