JBrIT (United Kingdom)

asked on

AD User permissions across multiple sites

It's good to be back on this site!

I've been administering multiple users who move across multiple sites. The time has come for some security lockdowns.

How, within AD, GPOs etc., can I perform, for example, the following? (It's more the method I need.)

We have:
Site 1 and Site 2
Computer 1 and Computer 2
User A and User B

Assuming Computers 1 and 2 are different machines at each site, so 4 machines in total. Users move between physical sites.

On Site 1, User A is permitted CD-ROM drive access on Computer 1 but not Computer 2; User B isn't permitted CD-ROM drive access on any computer on Site 1.

On Site 2, User A needs to be denied CD-ROM drive access on Computer 1 and Computer 2, but User B needs access to CD-ROM drives on both PC 1 and PC 2.

What's the best way to implement Group Policy to get through this minefield of permissions please?
Raj-GT (United Kingdom)

I would recommend a third-party product like GFI EndPointSecurity or DeviceLock, which will be more robust than using GPOs. While it is possible to use Group Policy Preferences to achieve this (User Configuration > Preferences > Control Panel Settings > Devices > New device > Do not use this device > Device Class: CD-ROM, and target the user/group using item-level targeting), it will quickly grow more complex as you add users and PCs to the sites.
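Editor's note, added to the thread: the GPP route above works without moving anyone between OUs, because a User Configuration preference item follows the user to whichever machine they log on to, and item-level targeting (Security Group plus Site or Computer Name) decides on which machines it bites. What makes it manageable is keeping the deny matrix as a small set of security groups, one per (site, computer scope) row, that the GPP item is targeted at. The script below is an added example, not Raj-GT's code or the asker's environment. It assumes the RSAT ActiveDirectory module, a hypothetical OU `OU=DeviceControl,DC=corp,DC=example` for the groups, and the site, computer and user names from the question; the group-naming scheme and the `Test-CdRomDenied` check are my own.

```powershell
#Requires -Modules ActiveDirectory
# Added example (not from the original thread). Builds the security groups that
# the GPP "Do not use this device" items are targeted at, and lets you check the
# deny matrix offline before touching GPMC. OU and domain are assumptions.

$GroupOU = 'OU=DeviceControl,DC=corp,DC=example'   # assumption: where the groups live

# The deny matrix from the question, one row per GPP Devices item.
# Scope 'All'  -> item-level targeting: Security Group AND Site
# Scope '<PC>' -> item-level targeting: Security Group AND Computer Name
$DenyRules = @(
    @{ Site = 'Site1'; Scope = 'Computer2'; Members = @('UserA') },
    @{ Site = 'Site1'; Scope = 'All';       Members = @('UserB') },
    @{ Site = 'Site2'; Scope = 'All';       Members = @('UserA') }
)

function Get-DenyGroupName {
    param([string]$Site, [string]$Scope)
    # e.g. CDROM-Deny-Site1-Computer2 ; the name is what you pick in the
    # Security Group targeting item of the corresponding GPP Devices entry.
    "CDROM-Deny-$Site-$Scope"
}

function New-DenyGroups {
    param([array]$Rules, [string]$Path)
    foreach ($r in $Rules) {
        $name = Get-DenyGroupName -Site $r.Site -Scope $r.Scope
        $g = Get-ADGroup -Filter "Name -eq '$name'" -ErrorAction SilentlyContinue
        if (-not $g) {
            $g = New-ADGroup -Name $name -GroupScope Global -GroupCategory Security `
                 -Path $Path -Description "GPP CD-ROM deny: $($r.Site) / $($r.Scope)" -PassThru
        }
        # Add-ADGroupMember is idempotent for members already present.
        Add-ADGroupMember -Identity $g -Members $r.Members
    }
}

# Offline check of the matrix: the result a user should get on a given machine,
# evaluated the same way the targeting filters will (site match, then scope,
# then group membership). Returns $true when CD-ROM access is denied.
function Test-CdRomDenied {
    param([string]$User, [string]$Site, [string]$Computer)
    foreach ($r in $DenyRules) {
        if ($r.Site -ne $Site) { continue }
        if ($r.Scope -ne 'All' -and $r.Scope -ne $Computer) { continue }
        if ($r.Members -contains $User) { return $true }
    }
    return $false
}

# Usage:
#   New-DenyGroups -Rules $DenyRules -Path $GroupOU
#   Test-CdRomDenied -User 'UserA' -Site 'Site1' -Computer 'Computer1'   # allowed
#   Test-CdRomDenied -User 'UserA' -Site 'Site1' -Computer 'Computer2'   # denied
#   Test-CdRomDenied -User 'UserB' -Site 'Site2' -Computer 'Computer1'   # allowed
```

Two caveats a practitioner will want. Security Group targeting is evaluated against the user's logon token, so a membership change only takes effect after the user logs off and on again. And the GPP Devices item only disables the device in Device Manager; a user with local admin rights can re-enable it. If the lockdown has to hold against that, pair it with the Administrative Template policy under System > Removable Storage Access (CD and DVD: Deny read access / Deny write access), which is enforced by the OS rather than by a preference.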
pradeep08_81

At this point you can create two OUs and put User1 in OU1 and User2 in OU2.

Now use a GPO to prevent CD-ROM access and apply it to OU1 but not to OU2.

In this way you have to select the proper permission as you explain above.

User A and User B are in different OUs, so the GPO will handle this easily.

For a GPO-related answer, see the other EE question given below:
JBrIT
Hi, thanks for both suggestions.

pradeep08_81: That would work, but what happens when User A needs access to the CD-ROM on another computer at the same site and OU1 is preventing it? We don't have the resources to start moving users between OUs as and when they move about.

We're looking for a method using AD so that it almost manages itself. User A on Computer 1 cannot access X, but when he moves on to Computer 2, he can access X.

And Raj-GT, thanks. I'll take a look at the third-party software. The problem is, in my industry, getting third-party software authorised could be tricky. But I'll try it nonetheless!
Sandesh Dubey (India)
