Active Directory Security

I have a few users that have domain accounts, but are not part of my company.  They need domain accounts to access a server via RDP that's on my network.  How can I ensure that those specific users ONLY have access to log on to the specified server to use that application and no other access?  Since they are part of the "domain users" group, I'm assuming they have more access to other things on my network, like file sharing, etc.
How do I block access to everything, except that one server only?
Dan, Network Engineer, asked:
Justin Owens, ITIL Problem Manager, commented:
In ADUC, go to the Account tab.  There, you will see a button for "Log On To...".  Change "All Computers" to "The following computers" and list your RDP server which they access.

You can set which server the users are allowed to log on to. Open ADUC - properties of the user object - Account tab - Log On To... button. Add the host name of the allowed server.

AD is readable by authenticated users, so you can't stop them from lurking in your AD.

You can lock them down a little with GPOs, but how far you want to go is up to you :)

When you create the users in your domain they are implicit members of "domain users" and therefore have access to all resources this group is authorized for.
A somewhat bigger / more secure solution is to create a separate domain and create a trust relationship to your primary domain. When you configure the trust relationship for "selective authentication" you can decide very granularly what resources these users have access to. For a first start regarding this please check out this link:
If you have additional questions please don't hesitate to ask.

Dan, Network Engineer (author), commented:
Thanks everyone, I have added the server in the account tab to which I want them to have access.
But is there  a way for them to not be able to "view" the network and all the different file shares?

Do you have a link on creating a second domain?  Then I'll follow the directions in creating the trust relationship as outlined in the document.
If they need access to a server with RDP, creating a second domain with a trust will not help you.

If you just want them to access the server with RDP, you can create a new group, i.e. "ExternalUsers", and add those external users to this group.

Set the "ExternalUsers" group as members of the Remote Desktop Users on the server. Add those users to the Domain Guests (AD group) and set this as the primary group.

Now you can remove them from the Domain Users (AD Group) if you are worried they will get access to resources set to domain users.

They will still be able to browse file shares and your AD.
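The two procedures above (the "Log On To..." restriction and the ExternalUsers / Domain Guests group changes) scripted with the ActiveDirectory module. This is an added example, not code from the thread; the host name RDP01 and the account names are assumptions.

```powershell
# Added example, not from the thread. Assumes the RSAT ActiveDirectory module,
# an RDP host named RDP01 and the sAMAccountNames listed in $externalUsers.
Import-Module ActiveDirectory

$rdpServer     = 'RDP01'                        # assumed terminal server host name
$externalUsers = @('ext.user1', 'ext.user2')    # assumed external account names
$groupName     = 'ExternalUsers'

# 1. "Log On To..." on the Account tab is the LogonWorkstations attribute.
#    It limits where the account may log on interactively; it does not limit
#    what the account can read in AD or reach over SMB from elsewhere.
foreach ($u in $externalUsers) {
    Set-ADUser -Identity $u -LogonWorkstations $rdpServer
}

# 2. Dedicated security group for the external accounts.
if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
    New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security
}
Add-ADGroupMember -Identity $groupName -Members $externalUsers

# 3. Make Domain Guests the primary group so the accounts can be removed from
#    Domain Users. primaryGroupID holds the group's RID; Domain Guests is 514.
foreach ($u in $externalUsers) {
    Add-ADGroupMember -Identity 'Domain Guests' -Members $u   # must be a member first
    Set-ADUser -Identity $u -Replace @{ primaryGroupID = 514 }
    Remove-ADGroupMember -Identity 'Domain Users' -Members $u -Confirm:$false
}

# 4. On the RDP server, allow the group to connect via Remote Desktop.
Invoke-Command -ComputerName $rdpServer -ScriptBlock {
    Add-LocalGroupMember -Group 'Remote Desktop Users' `
                         -Member ("$env:USERDOMAIN\" + $using:groupName)
}

# 5. Verify the result for each account.
$domainUsersDn = (Get-ADGroup -Identity 'Domain Users').DistinguishedName
foreach ($u in $externalUsers) {
    $acct = Get-ADUser -Identity $u -Properties LogonWorkstations, primaryGroupID, MemberOf
    [pscustomobject]@{
        User              = $u
        LogonWorkstations = $acct.LogonWorkstations
        PrimaryGroupID    = $acct.primaryGroupID          # expect 514
        InDomainUsers     = ($acct.MemberOf -contains $domainUsersDn)   # expect False
    }
}
```

Step 5 is the check worth keeping as a scheduled audit, since a later group edit can silently put an account back into Domain Users.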
Dan, Network Engineer (author), commented:
Creating a 2nd domain seems a bit overkill I suppose, I don't think I have the time to look into that now. So by adding them to only ExternalUsers, let's say, and removing them from the domain users group, they will still have access to browse network locations?
Create a new group in AD and give it the permissions you want with group policy.  Take the users out of every other group they are in and add them to the new one.

You could always make another group and DENY them privileges to the servers you don't want them to get access to, but that can get confusing if someone accidentally slips into the group.
It could be faster/easier to copy the current domain users group and edit it, then change the users' membership to the new one.
Dan, Network Engineer (author), commented:
How would I do that, how do I copy the current domain users group?

Wouldn't it be better to just create a new group, so start fresh so they don't have any access whatsoever?

Browsing your network is a byproduct of having NetBIOS enabled on your network. Disabling NetBIOS will solve your browsing problem.... but for everyone, period.

As far as removing the icon for browsing your network, please see this.

As a matter of network policy, regarding NetBIOS (personal opinion alert!): Unless the NetBIOS protocol is required by some piece of software (very few programs these days do), I disable NetBIOS on all network interfaces.

This solves users browsing the network completely. As far as the 'convenience' that browsing gives your users... this is false. You should provide either UNC shortcuts on the desktop (or a folder on the desktop) or mapped drives. Users should never be required to manually seek out resources. They should be provided automagically by an administrator.
Dan, Network Engineer (author), commented:
Yeah, but the only problem is that the users I'm trying to not allow to browse the network are not in my domain, they are external users, using VPN to get access to my network, so I don't control or manage their PCs.
Dan, Network Engineer (author), commented:
Thanks everyone for your input.  I've only given the users access to my terminal server in AD.  Then I've put all of them in a group, and removed the default domain users group.

For only 7 users, it's too much of a hassle to create another domain, as I can't control their NetBIOS settings anyway.