Active Directory Security

I have a few users that have domain accounts, but are not part of my company. They need domain accounts to access a server via RDP that's on my network. How can I ensure that those specific users ONLY have access to log on to the specified server to use that application and no other access? Since they are part of the "Domain Users" group, I'm assuming they have more access to other things on my network, like file sharing, etc.
How do I block access to everything except that one server only?
Dan (Network Engineer) asked:
Justin Owens (ITIL Problem Manager) commented:
In ADUC, go to the Account tab.  There, you will see a button for "Log On To...".  Change "All Computers" to "The following computers" and list your RDP server which they access.

snusgubben commented:
You can set which server the users are allowed to log on to. Open ADUC - properties of the user object - Account tab - Log On To... button. Add the host name of the allowed server.

AD is readable for authenticated users, so you can't stop them from lurking in your AD.

You can lock them down a little with GPOs, but how far you wanna go is up to you :)

abbright commented:
When you create the users in your domain they are implicit members of "Domain Users" and therefore have access to all resources this group is authorized for.
A somewhat bigger / more secure solution is to create a separate domain and create a trust relationship to your primary domain. When you configure the trust relationship for "selective authentication" you can decide very granularly what resources these users have access to. For a first start regarding this please check out this link:
If you have additional questions please don't hesitate to ask.
Dan (Network Engineer, author) commented:
Thanks everyone, I have added the server in the Account tab to which I want them to have access.
But is there a way for them to not be able to "view" the network and all the different file shares?

Do you have a link on creating a second domain? Then I'll follow the directions in creating the trust relationship as outlined in the document.
snusgubben commented:
If they need access to a server with RDP, creating a second domain with a trust will not help you.

If you just want them to access the server with RDP, you can create a new group, i.e. "ExternalUsers", and add those external users to this group.

Set the "ExternalUsers" group as a member of the Remote Desktop Users group on the server. Add those users to Domain Guests (AD group) and set this as their primary group.

Now you can remove them from Domain Users (AD group) if you are worried they will get access to resources granted to Domain Users.

They will still be able to browse file shares and your AD.
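The steps from this answer and the earlier "Log On To..." answer, as an added PowerShell example that nobody in the thread posted; the server name RDP01, the accounts ext.alice / ext.bob and the group name ExternalUsers are assumed.

```powershell
# Added example (not from the thread). Requires the ActiveDirectory module and
# rights to edit the accounts; run on a domain-joined admin workstation.
# Assumed names: server RDP01, users ext.alice / ext.bob, group ExternalUsers.
Import-Module ActiveDirectory

$RdpServer     = 'RDP01'                 # assumed host name of the terminal server
$ExternalUsers = 'ext.alice', 'ext.bob'  # assumed sAMAccountNames of the external users
$GroupName     = 'ExternalUsers'

# 1. Restrict logon to the one server (what the "Log On To..." button sets).
foreach ($u in $ExternalUsers) {
    Set-ADUser -Identity $u -LogonWorkstations $RdpServer
}

# 2. Create the dedicated group and put the external accounts in it.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security `
        -Description 'External users limited to RDP on the terminal server'
}
Add-ADGroupMember -Identity $GroupName -Members $ExternalUsers

# 3. Make Domain Guests (RID 514) the primary group, then leave Domain Users.
#    AD refuses to remove a user from its current primary group, so the
#    primaryGroupID change has to happen before the removal.
foreach ($u in $ExternalUsers) {
    Add-ADGroupMember -Identity 'Domain Guests' -Members $u
    Set-ADUser -Identity $u -Replace @{ primaryGroupID = 514 }
    Remove-ADGroupMember -Identity 'Domain Users' -Members $u -Confirm:$false
}

# 4. On the terminal server, grant the group RDP rights
#    (Add-LocalGroupMember needs Windows PowerShell 5.1 or later on that host).
$netbiosDomain = (Get-ADDomain).NetBIOSName
Invoke-Command -ComputerName $RdpServer -ScriptBlock {
    Add-LocalGroupMember -Group 'Remote Desktop Users' `
        -Member "$using:netbiosDomain\$using:GroupName"
}

# 5. Verify: logon restriction, primary group RID and remaining memberships.
foreach ($u in $ExternalUsers) {
    Get-ADUser $u -Properties LogonWorkstations, primaryGroupID, MemberOf |
        Select-Object SamAccountName, LogonWorkstations, primaryGroupID,
            @{ n = 'Groups'; e = { ($_.MemberOf | ForEach-Object {
                ($_ -split ',')[0] -replace '^CN=' }) -join '; ' } }
}
```

As the answer notes, none of this hides directory objects or share listings from an authenticated account; it only narrows where the account may log on and which group-based permissions it inherits.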
Dan (Network Engineer, author) commented:
Creating a 2nd domain seems a bit overkill I suppose, I don't think I have the time to look into that now. So by adding them to only ExternalUsers, let's say, and removing them from the Domain Users group, they will still have access to browse network locations?
Katastrof commented:
Create a new group in AD and give it the permissions you want with group policy. Take the users out of every other group they are in and add them to the new one.

You could always make another group and DENY them privileges to the servers you don't want them to get access to, but that can get confusing if someone accidentally slips into the group.
It could be faster/easier to copy the current Domain Users group and edit it, then change the users' membership to the new one.
Dan (Network Engineer, author) commented:
How would I do that, how do I copy the current Domain Users group?

Wouldn't it be better to just create a new group, to start fresh so they don't have any access whatsoever?
Sommerblink commented:
Regarding This Response

Browsing your network is a byproduct of having NetBIOS enabled on your network. Disabling NetBIOS will solve your browsing problem... but for everyone, period.

As far as removing the icon for browsing your network, please see this.

As a matter of network policy, regarding NetBIOS (personal opinion alert!): Unless the NetBIOS protocol is required by some piece of software (very few programs these days do), I disable NetBIOS on all network interfaces.

This solves users browsing the network completely. As far as the 'convenience' that browsing gives your users... this is false. You should provide either UNC shortcuts on the desktop (or a folder on the desktop) or mapped drives. Users should never be required to manually seek out resources. They should be provided automagically by an administrator.
Dan (Network Engineer, author) commented:
Yea, but the only problem is that the users that I'm trying to not allow to browse the network are not in my domain, they are external users, using VPN to get access to my network, so I don't control or manage their PCs.
Dan (Network Engineer, author) commented:
Thanks everyone for your input. I've only given the users access to my terminal server in AD. Then I've put all of them in a group, and removed the default Domain Users group.

For only 7 users, it's too much of a hassle to create another domain, as I can't control their NetBIOS settings anyway.