AD User permissions across multiple sites

It's good to be back on this site!

I've been administering multiple users who move across multiple sites. The time has come for some security lockdowns.

How, within AD, GPOs, etc., can I perform, for example, the following? (It's more the method I need.)

We have:
Site 1 and Site 2
Computer 1 and Computer 2
User A and User B

Assuming Computers 1 and 2 are different machines at each site, so 4 machines in total. Users move between physical sites.

On Site 1, User A is permitted CD-Rom drive access on Computer 1 but not Computer 2. User B isn't permitted CD-Rom drive access on any computer on Site 1.

On Site 2, User A needs to be denied CD-Rom drive access on Computer 1 and Computer 2, but User B needs access to CD-Rom drives on both PC 1 and 2.

What's the best way to implement Group Policy to get through this minefield of permissions please?

Raj-GT (Systems Engineer) commented:
I would recommend a third-party product like GFI EndPointSecurity or DeviceLock, which will be more robust than using GPOs. While it is possible to use Group Policy Preferences to achieve this (User Configuration > Preferences > Control Panel Settings > Devices > New device > Do not use this device > Device Class: CD-ROM, and target the user/group using item-level targeting), it will quickly grow more complex as you add users and PCs to the sites.
Pradeep Dubey (Consultant) commented:
At this point you can create two OUs and put User1 in OU1 and User2 in OU2.

Now use the GPO to prevent CD-ROM and apply it to OU1 but not to OU2.

In this way you have to select the proper permissions as you explained above.

User A and User B are in different OUs, so the GPO will handle this easily.

For a GPO-related answer, see the other EE question given below:
JBrIT (Author) commented:
Hi, thanks for both suggestions.

pradeep08_81: That would work, but what happens when User A needs access to the CD-ROM on another computer at the same site and OU1 is preventing it? We don't have the resources to start moving users between OUs as and when they move about.

We're looking for a method using AD so that it almost manages itself. User A on Computer 1 cannot access X, but when he moves on to Computer 2, he can access X.

And Raj-GT, thanks. I'll take a look at the 3rd party software. Problem is, in my industry, getting third-party software authorised could be tricky. But I'll try it nonetheless!
Sandeshdubey (Senior Server Engineer) commented:
You can apply the policy at the computer level and apply two GP templates, one enable and the second disable. Apply the security filtering in the Scope tab of the policy and add the users/groups as per requirement.

Site1 Computer
CD-Rom drive GP Template enable ... add the user of site1, e.g. UserA
CD-Rom drive GP Template disable ... add users of site2, e.g. UserB

Site2 Computer
CD-Rom drive GP Template enable ... add the user of site1, e.g. UserB
CD-Rom drive GP Template disable ... add users of site2, e.g. UserA
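
An added example, not part of the thread: one way to script the security-filtering approach from the answer above with the GroupPolicy PowerShell module, generalized to one deny GPO per computer OU so that access follows the computer a user logs on to. It assumes each computer (or group of computers) sits in its own OU; the OU paths, group names and GPO names are hypothetical, and the Removable Storage Access policy values and loopback processing are this example's choices, not settings named in the thread.

```powershell
# Added example. Run on a host with RSAT/GPMC. All names below are hypothetical.
Import-Module GroupPolicy

# User-side Removable Storage Access policy key for the CD/DVD device class.
$cdKey  = 'HKCU\Software\Policies\Microsoft\Windows\RemovableStorageDevices\{53f56308-b4bf-11d0-94f2-00a0c91efb8b}'
$sysKey = 'HKLM\Software\Policies\Microsoft\Windows\System'

# One row per computer OU; DenyGroup holds the users denied CD/DVD there.
#   Site1/PC1: User B        Site1/PC2: User A and User B        Site2: User A
$scopes = @(
    @{ Gpo = 'CD-Deny-Site1-PC1'; OU = 'OU=PC1,OU=Site1,DC=example,DC=com'; DenyGroup = 'CD-Deny-Site1-PC1' },
    @{ Gpo = 'CD-Deny-Site1-PC2'; OU = 'OU=PC2,OU=Site1,DC=example,DC=com'; DenyGroup = 'CD-Deny-Site1-PC2' },
    @{ Gpo = 'CD-Deny-Site2';     OU = 'OU=Site2,DC=example,DC=com';        DenyGroup = 'CD-Deny-Site2' }
)

# Computer-side GPO: loopback processing in merge mode (UserPolicyMode = 1),
# so user settings from GPOs linked to the computer's OU are applied at logon.
# It keeps the default Authenticated Users filter so the computers apply it.
$loop = 'CD-Loopback-Merge'
if (-not (Get-GPO -Name $loop -ErrorAction SilentlyContinue)) { New-GPO -Name $loop | Out-Null }
Set-GPRegistryValue -Name $loop -Key $sysKey -ValueName 'UserPolicyMode' -Type DWord -Value 1 | Out-Null

foreach ($s in $scopes) {
    if (-not (Get-GPO -Name $s.Gpo -ErrorAction SilentlyContinue)) { New-GPO -Name $s.Gpo | Out-Null }

    # User-side deny of read and write access to CD/DVD drives.
    foreach ($value in 'Deny_Read', 'Deny_Write') {
        Set-GPRegistryValue -Name $s.Gpo -Key $cdKey -ValueName $value -Type DWord -Value 1 | Out-Null
    }

    # Security filtering: Authenticated Users keeps Read only (so the GPO can
    # still be read during processing); only the deny group gets Apply.
    Set-GPPermission -Name $s.Gpo -TargetName 'Authenticated Users' -TargetType Group `
        -PermissionLevel GpoRead -Replace | Out-Null
    Set-GPPermission -Name $s.Gpo -TargetName $s.DenyGroup -TargetType Group `
        -PermissionLevel GpoApply | Out-Null

    # Link both GPOs to the computer OU. New-GPLink fails if the link already exists.
    foreach ($gpo in $loop, $s.Gpo) {
        New-GPLink -Name $gpo -Target $s.OU -LinkEnabled Yes | Out-Null
    }

    # Show the resulting filter so it can be reviewed before users log on.
    Get-GPPermission -Name $s.Gpo -All | Select-Object @{n='Gpo';e={$s.Gpo}}, Trustee, Permission
}
```

With this layout, a user's move between computers or sites needs no OU changes; only membership of the per-location deny groups is maintained.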
