JBrIT
asked on
AD User permissions across multiple sites
It's good to be back on this site!
I've been administering multiple users who move across multiple sites. The time has come for some security lockdowns.
How, within AD, GPOs etc., can I perform, for example, the following? (It's more the method I need.)
We have:
Site 1 and Site 2
Computer 1 and Computer 2
User A and User B
Assuming Computers 1 and 2 are different machines at each site, so 4 machines in total. Users move between physical sites.
On Site 1, User A is permitted CD-ROM drive access on Computer 1 but not Computer 2; User B isn't permitted CD-ROM drive access on any computer on Site 1.
On Site 2, User A needs to be denied CD-ROM drive access on Computer 1 and Computer 2, but User B needs access to CD-ROM drives on both PC 1 and PC 2.
What's the best way to implement Group Policy to get through this minefield of permissions please?
I would recommend a third party product like GFI EndPointSecurity or DeviceLock, which will be more robust than using GPOs. While it is possible to use Group Policy Preferences to achieve this (User Configuration > Preferences > Control Panel Settings > Devices > New device > Do not use this device > Device Class: CD-ROM, and target the user/group using item-level targeting), it will quickly grow more complex as you add users and PCs to the sites.
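As an added example, not code from the thread, the item-level targeting approach above can be modelled before any GPO is linked: one GPP Devices "Do not use this device" item (Device Class: CD-ROM) per computer, targeted with "Computer Name is <PC>" AND "User is NOT a member of Allow-CDROM-<PC>", so access is default deny and a user who changes site needs no OU move. The PowerShell below builds the allow-group membership plan from the question's matrix and evaluates every user/computer logon the way the targeting would; all group and computer names are assumptions, and it makes no AD calls.

```powershell
# Added example (not from the thread): model the CD-ROM access matrix as
# GPP item-level targeting (ILT) rules and check the outcome per logon.
# Design: one GPP Devices item per computer, "Do not use this device",
# Device Class: CD-ROM, with ILT = (Computer Name is <PC>) AND
# (User is NOT a member of Allow-CDROM-<PC>). Default is deny; a user gains
# access only by membership in that computer's allow group, so moving
# between sites needs no OU changes. All names below are assumptions.

$Computers = @('S1-PC1', 'S1-PC2', 'S2-PC1', 'S2-PC2')   # two per site
$Users     = @('UserA', 'UserB')

# Permitted (user, computer) pairs, taken straight from the question.
$Allowed = @(
    @{ User = 'UserA'; Computer = 'S1-PC1' }   # Site 1, Computer 1 only
    @{ User = 'UserB'; Computer = 'S2-PC1' }   # Site 2, both PCs
    @{ User = 'UserB'; Computer = 'S2-PC2' }
)

function Get-AllowGroupPlan {
    # Returns: group name -> users to add (the input for Add-ADGroupMember)
    $plan = [ordered]@{}
    foreach ($pc in $Computers) { $plan["Allow-CDROM-$pc"] = @() }
    foreach ($a in $Allowed)    { $plan["Allow-CDROM-$($a.Computer)"] += $a.User }
    return $plan
}

function Test-CdRomDenied {
    # Evaluates the ILT exactly as the GPP item would: the deny item applies
    # when the computer matches and the user is NOT in its allow group.
    param([string]$User, [string]$Computer)
    $plan  = Get-AllowGroupPlan
    $group = "Allow-CDROM-$Computer"
    if (-not $plan.Contains($group)) { throw "Unknown computer '$Computer'" }
    return -not ($plan[$group] -contains $User)
}

# Group membership plan to create in AD
Get-AllowGroupPlan | Format-Table -AutoSize

# Effective result for every logon combination, to compare with the question.
foreach ($u in $Users) {
    foreach ($pc in $Computers) {
        $state = if (Test-CdRomDenied -User $u -Computer $pc) { 'DENIED' } else { 'allowed' }
        "{0,-6} on {1,-7}: CD-ROM {2}" -f $u, $pc, $state
    }
}
```

The printed matrix should match the four statements in the question exactly; any mismatch means the allow list, not the GPO, is wrong, which is the cheaper place to find it.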
At this point you can create two OUs and put User 1 in OU1 and User 2 in OU2.
Now use the GPO to prevent CD-ROM access and apply it to OU1 but not to OU2.
In this way you have to select the proper permissions as you explained above.
User A and User B are in different OUs, so the GPO will handle this easily.
For the GPO-related answer, see the other EE question given below:
https://www.experts-exchange.com/questions/24600858/How-to-disable-enable-CD-ROM-by-Group-Policy.html
ASKER
Hi, thanks for both suggestions.
pradeep08_81: That would work, but what happens when User A needs access to the CD-ROM on another computer at the same site and OU1 is preventing it? We don't have the resources to start moving users between OUs as and when they move about.
We're looking for a method using AD so that it almost manages itself. User A on Computer 1 cannot access X, but when he moves on to Computer 2, he can access X.
And Raj-GT, thanks. I'll take a look at the 3rd party software. Problem is, in my industry, getting third-party software authorised could be tricky. But I'll try it nonetheless!