
AD User permissions across multiple sites

It's good to be back on this site!

I've been administering multiple users who move across multiple sites. The time has come for some security lockdowns.

How, within AD, GPOs etc., can I perform, for example, the following? (It's more the method I need.)

We have:
Site 1 and Site 2
Computer 1 and Computer 2
User A and User B

Assuming Computers 1 and 2 are different machines at each site, so 4 machines in total. Users move between physical sites.

On Site 1, User A is permitted CD-Rom drive access on Computer 1 but not computer 2, User B isn't permitted CD-Rom drive access on any computer on Site 1.

On Site 2, User A needs to be denied CD-Rom drive access on Computer 1 and Computer 2 but User B needs access to CD-Rom drives on both PC 1 and 2.

What's the best way to implement Group Policy to get through this minefield of permissions please?
Raj-GT (Systems Engineer) commented:
I would recommend a third-party product like GFI EndPointSecurity or DeviceLock, which will be more robust than using GPOs. While it is possible to use Group Policy Preferences to achieve this (User Configuration > Preferences > Control Panel Settings > Devices > New device > Do not use this device > Device Class: CD-ROM, and target the user/group using item-level targeting), it will quickly grow more complex as you add users and PCs to the sites.
Pradeep Dubey (Consultant) commented:
At this point you can create two OUs and put User1 in OU1 and User2 in OU2.

Now use a GPO to prevent CD-ROM access and apply it to OU1 but not to OU2.

In this way you have to select the proper permission, as you explained above.

User A and User B are in different OUs, so the GPO will handle this easily.

For a GPO-related answer see the other EE question given below:
JBrIT (Author) commented:
Hi, thanks for both suggestions.

pradeep08_81: That would work, but what happens when User A needs access to the CD-ROM on another computer at the same site and OU1 is preventing it? We don't have the resources to start moving users between OUs as and when they move about.

We're looking for a method using AD so that it almost manages itself. User A on Computer 1 cannot access X, but when he moves on to Computer 2, he can access X.

And Raj-GT, thanks. I'll take a look at the 3rd-party software. Problem is, in my industry, getting third-party software authorised could be tricky. But I'll try it nonetheless!
Sandeshdubey (Senior Server Engineer) commented:
You can apply the policy at computer level and apply two GP templates, one enabled and the second disabled. Apply the security filtering in the Scope tab of the policy and add the users/groups as per requirement. http://technet.microsoft.com/en-us/library/cc728301(v=ws.10).aspx

Site1 Computer
CD-ROM drive GP template enabled: add the users of site1, e.g. UserA
CD-ROM drive GP template disabled: add the users of site2, e.g. UserB

Site2 Computer
CD-ROM drive GP template enabled: add the users of site1, e.g. UserB
CD-ROM drive GP template disabled: add the users of site2, e.g. UserA
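The computer-linked, security-filtered design from the answer above, scripted as an added example (not code from this thread or from any of the commenters). It builds one "deny CD-ROM" GPO per site, linked to that site's computer OU and filtered to a site-specific group, so a user who moves sites only needs a group membership change rather than an OU move. The OU paths, group names and domain are placeholders; the GroupPolicy RSAT module is assumed.

```powershell
# Added example, not from the original thread. Replace the OU DNs, group names
# and domain below with real values before running.
Import-Module GroupPolicy

# Device class GUID for CD/DVD drives used by the Removable Storage Access policies.
$CdRomClass = '{53f56308-b6bf-11d0-94f2-00a0c91efb8b}'

function New-SiteCdRomDenyGpo {
    param(
        [Parameter(Mandatory)] [string] $GpoName,      # e.g. 'Site1-CDROM-Deny'
        [Parameter(Mandatory)] [string] $ComputerOu,   # e.g. 'OU=Site1-Computers,DC=example,DC=local'
        [Parameter(Mandatory)] [string] $DenyGroup     # e.g. 'Site1-CDROM-Denied'
    )

    $gpo = New-GPO -Name $GpoName -Comment "Denies CD/DVD access to members of $DenyGroup on $ComputerOu"

    # Loopback processing (merge) so the user-side setting below is applied from a
    # computer-linked GPO: the computer's OU decides, the user's OU does not matter.
    Set-GPRegistryValue -Name $GpoName -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
        -ValueName 'UserPolicyMode' -Type DWord -Value 1 | Out-Null

    # User Configuration > Administrative Templates > System > Removable Storage Access
    # "CD and DVD: Deny read access" and "Deny write access".
    $key = "HKCU\Software\Policies\Microsoft\Windows\RemovableStorageDevices\$CdRomClass"
    Set-GPRegistryValue -Name $GpoName -Key $key -ValueName 'Deny_Read'  -Type DWord -Value 1 | Out-Null
    Set-GPRegistryValue -Name $GpoName -Key $key -ValueName 'Deny_Write' -Type DWord -Value 1 | Out-Null

    # Link to the site's computer OU, not the users' OU.
    New-GPLink -Name $GpoName -Target $ComputerOu -LinkEnabled Yes | Out-Null

    # Security filtering: only the deny group gets Apply. Authenticated Users loses
    # Apply, but computer accounts must keep Read (MS16-072), otherwise the
    # loopback-processed user settings never apply and the deny silently fails.
    Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel None | Out-Null
    Set-GPPermission -Name $GpoName -TargetName 'Domain Computers' -TargetType Group -PermissionLevel GpoRead | Out-Null
    Set-GPPermission -Name $GpoName -TargetName $DenyGroup -TargetType Group -PermissionLevel GpoApply | Out-Null

    return $gpo
}

# One GPO and one group per site; a per-computer exception (Computer 1 vs Computer 2
# at the same site) is a sub-OU with its own GPO and group built the same way.
New-SiteCdRomDenyGpo -GpoName 'Site1-CDROM-Deny' -ComputerOu 'OU=Site1-Computers,DC=example,DC=local' -DenyGroup 'Site1-CDROM-Denied'
New-SiteCdRomDenyGpo -GpoName 'Site2-CDROM-Deny' -ComputerOu 'OU=Site2-Computers,DC=example,DC=local' -DenyGroup 'Site2-CDROM-Denied'
```

Verify on a client with `gpresult /r /scope:user` after a `gpupdate /force`; the deny GPO should appear only for members of the site's deny group and only on computers under that site's OU.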