JBrIT asked on

AD User permissions across multiple sites

It's good to be back on this site!

I've been administering multiple users who move across multiple sites. The time has come for some security lockdowns.

How, within AD, GPOs etc. can I perform, for example, the following: (it's more the method I need).

We have:
Site 1 and Site 2
Computer 1 and Computer 2
User A and User B

Assuming Computers 1 and 2 are different machines at each site, so 4 machines in total. Users move between physical sites.

On Site 1, User A is permitted CD-Rom drive access on Computer 1 but not Computer 2; User B isn't permitted CD-Rom drive access on any computer on Site 1.

On Site 2, User A needs to be denied CD-Rom drive access on Computer 1 and Computer 2 but User B needs access to CD-Rom drives on both PC 1 and 2.

What's the best way to implement Group Policy to get through this minefield of permissions please?
Topics: Active Directory, Windows 7, Windows Server 2008

Last comment: Sandesh Dubey, 8/22/2022 (Mon)
Raj-GT

I would recommend a third-party product like GFI EndPointSecurity or DeviceLock, which will be more robust than using GPOs. While it is possible to use Group Policy Preferences to achieve this (User Configuration > Preferences > Control Panel Settings > Devices > New device > Do not use this device > Device Class: CD-ROM, and target the user/group using item-level targeting), it will quickly grow more complex as you add users and PCs to the sites.
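Added example (not code from any participant in this thread, nor from the products named above): the same per-user, per-computer matrix implemented with the built-in GroupPolicy and ActiveDirectory PowerShell modules (RSAT) instead of per-device GPP items. It uses the "Removable Storage Access" policy for the CD and DVD class plus loopback processing in merge mode, so that an "allow" GPO linked where the computer lives is processed after the user's baseline "deny" GPO and wins. Users never change OU; only membership of a per-computer security group does. All OU paths, site names, computer names and group names are hypothetical placeholders.

```powershell
# Added example for the thread above, not code from the original post or any product.
# Requires the ActiveDirectory and GroupPolicy modules (RSAT) run by an account that
# can create groups and GPOs. Every OU, computer and group name below is an assumption.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDn = (Get-ADDomain).DistinguishedName
$groupsOu = "OU=Groups,$domainDn"      # assumed: where the control groups live
$usersOu  = "OU=Users,$domainDn"       # assumed: where the roaming users live

# Assumed layout: one OU per site under Workstations, one sub-OU per computer, so a GPO
# can be linked to exactly one machine. (A site-level link plus a WMI filter on
# Win32_ComputerSystem.Name gives the same result if per-computer OUs are unwelcome.)
$computers = @{
    'SITE1-PC1' = "OU=SITE1-PC1,OU=Site1,OU=Workstations,$domainDn"
    'SITE1-PC2' = "OU=SITE1-PC2,OU=Site1,OU=Workstations,$domainDn"
    'SITE2-PC1' = "OU=SITE2-PC1,OU=Site2,OU=Workstations,$domainDn"
    'SITE2-PC2' = "OU=SITE2-PC2,OU=Site2,OU=Workstations,$domainDn"
}

# The access matrix from the question (sAMAccountNames assumed). Anything not listed is denied.
$allow = @{
    'SITE1-PC1' = @('UserA')
    'SITE1-PC2' = @()
    'SITE2-PC1' = @('UserB')
    'SITE2-PC2' = @('UserB')
}

# Registry policy locations: the CD and DVD class under "Removable Storage Access",
# and the loopback processing mode (UserPolicyMode: 1 = merge, 2 = replace).
$cdDvdKey    = 'HKCU\Software\Policies\Microsoft\Windows\RemovableStorageDevices\{53f56308-b6bf-11d0-94f2-00a0c91efb8b}'
$loopbackKey = 'HKLM\Software\Policies\Microsoft\Windows\System'

function New-GpoIfMissing {
    param([string]$Name)
    $gpo = Get-GPO -Name $Name -ErrorAction SilentlyContinue
    if (-not $gpo) { $gpo = New-GPO -Name $Name }
    return $gpo
}

function Set-CdRomPolicy {
    # $Deny = 1 blocks read and write on CD/DVD; 0 explicitly allows it again.
    param([string]$GpoName, [int]$Deny)
    foreach ($v in 'Deny_Read', 'Deny_Write') {
        Set-GPRegistryValue -Name $GpoName -Key $cdDvdKey -ValueName $v -Type DWord -Value $Deny | Out-Null
    }
}

# 1. Baseline: every roaming user is denied CD/DVD access everywhere (linked at the user OU).
$baseline = New-GpoIfMissing 'CDROM - Deny baseline (users)'
Set-CdRomPolicy -GpoName $baseline.DisplayName -Deny 1
New-GPLink -Name $baseline.DisplayName -Target $usersOu -LinkEnabled Yes -ErrorAction SilentlyContinue | Out-Null

# 2. Loopback merge on all workstations: user settings from GPOs linked at the computer's
#    OU are applied after the user's own GPOs, so the per-computer allow GPO overrides the baseline.
$loopback = New-GpoIfMissing 'CDROM - Loopback merge (workstations)'
Set-GPRegistryValue -Name $loopback.DisplayName -Key $loopbackKey -ValueName 'UserPolicyMode' -Type DWord -Value 1 | Out-Null
New-GPLink -Name $loopback.DisplayName -Target "OU=Workstations,$domainDn" -LinkEnabled Yes -ErrorAction SilentlyContinue | Out-Null

# 3. Per computer: one allow group and one allow GPO, security-filtered to that group.
foreach ($pc in $computers.Keys) {
    $groupName = "CDROM-Allow-$pc"
    if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
        New-ADGroup -Name $groupName -GroupScope Global -Path $groupsOu | Out-Null
    }
    if ($allow[$pc].Count -gt 0) {
        Add-ADGroupMember -Identity $groupName -Members $allow[$pc]
    }

    $gpo = New-GpoIfMissing "CDROM - Allow on $pc"
    Set-CdRomPolicy -GpoName $gpo.DisplayName -Deny 0

    # Security filtering: remove the default Authenticated Users apply, apply only to the allow
    # group, and keep read for Domain Computers so the machine can still retrieve the GPO.
    Set-GPPermission -Name $gpo.DisplayName -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel None | Out-Null
    Set-GPPermission -Name $gpo.DisplayName -TargetName 'Domain Computers' -TargetType Group -PermissionLevel GpoRead | Out-Null
    Set-GPPermission -Name $gpo.DisplayName -TargetName $groupName -TargetType Group -PermissionLevel GpoApply | Out-Null

    New-GPLink -Name $gpo.DisplayName -Target $computers[$pc] -LinkEnabled Yes -ErrorAction SilentlyContinue | Out-Null
}
```

Moving a user between sites then only means editing the CDROM-Allow-* group memberships, which is the self-managing behaviour the asker wants. Verify the result for a given pair by logging that user on to the machine and running gpresult /r /scope:user (or Get-GPResultantSetOfPolicy from a DC) and checking that the allow GPO appears after the baseline in the applied list; if it does not, the usual causes are loopback not reaching that computer's OU or the allow group lacking Apply Group Policy.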
Pradeep Dubey

At this point you can create two OUs and put User 1 in OU1 and User 2 in OU2.

Now use a GPO to prevent CD-ROM access and apply it to OU1 but not to OU2.

In this way you have to select the proper permissions as you explained above.

User A and User B are in different OUs, so the GPO will handle this easily.

For a GPO-related answer, see the other EE question given below:
https://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Windows/Q_24600858.html
JBrIT (asker)

Hi, thanks for both suggestions.

pradeep08_81: That would work, but what happens when User A needs access to the CD-ROM on another computer at the same site and OU1 is preventing it? We don't have the resources to start moving users between OUs as and when they move about.

We're looking for a method using AD so that it almost manages itself. User A on Computer 1 cannot access X, but when he moves on to Computer 2, he can access X.

And Raj-GT, thanks. I'll take a look at the third-party software. The problem is, in my industry, getting third-party software authorised could be tricky. But I'll try it nonetheless!
ASKER CERTIFIED SOLUTION
Sandesh Dubey

(answer text not available on this page)