Solved

Group Policy denying access to other network resources

Posted on 2014-01-31
Last Modified: 2014-02-24
A vendor needs access to the internal network, remoting into their PC and controller. I am planning to add the user to the VPN user group on the SonicWall, then have them Remote Desktop to their PC on our network (other staff need to access this PC as well, which is why it needs to be on the network).

The vendor will only have access to the IP of the PC and controller from the VPN settings, but if they authenticate on the network they would be able to browse and see other resources, correct? So I need something to knock that down.

I don't have a VLAN set up. I didn't want to create another domain. Any recommendations about securing this scenario?
Question by:cobmo
4 Comments
 
LVL 3

Expert Comment

by:Ryan Lanham
ID: 39825257
By network resources, are you talking about shared drives? If so, you should have permissions already defined in NTFS. Just ensure that the account you are using does not have access to / membership in those groups. If you are using network resources / shared drives and just giving them to Domain Users, you will need to create a new Group Policy and a corresponding OU. Perhaps create a new OU in AD called Vendors and apply the GPO.
0
 

Author Comment

by:cobmo
ID: 39825276
Not just shares, but the ability to browse or access any other PCs, servers, shares, etc. OTHER than the PC and controller he needs to see.

It's different than having an EMPLOYEE VPN into their desktop. This is an unwanted person and I am trying to accommodate accordingly. Normally we would have an employee initiate a remote desktop session with the vendor and then they would take them to the source. This is different. They are asking for 24/7 access to their PC on our network. I would never allow any such thing but don't really have a choice.
0
 
LVL 3

Accepted Solution

by:
Ryan Lanham earned 500 total points
ID: 39825294
I would still consider a separate OU in AD and apply custom Group Policies restricting the access. Create the OU, block inheritance / remove links to any higher-up GPOs such as your Default Domain Policy if that's where your mapped drives are stored. Then set up a new policy in which you restrict network browsing:

User Configuration > Policies > Administrative Templates > Windows Components > Windows Explorer.

These three specifically:

No Computers Near Me in Network Locations
No Entire Network in Network Locations
Remove Map Network Drive and Disconnect Network Drive
0
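The OU, inheritance block and three Windows Explorer settings from the accepted solution, scripted with the RSAT ActiveDirectory and GroupPolicy modules (an added example, not code from the thread or from Experts Exchange). It assumes the placeholder domain DN DC=example,DC=local, the OU name Vendors from the thread, a constructed GPO name, and that the vendor's domain user account is moved into the OU afterwards; the registry values are the ones the ADMX templates write for those three policies.

```powershell
# Added example: build the Vendors OU and a GPO carrying the three Explorer restrictions.
# Assumes RSAT ActiveDirectory + GroupPolicy modules and a placeholder domain DN.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$DomainDn = 'DC=example,DC=local'                  # placeholder, replace with your domain DN
$OuName   = 'Vendors'                              # OU name suggested in the thread
$OuDn     = "OU=$OuName,$DomainDn"
$GpoName  = 'Vendor - Restrict Network Browsing'   # constructed GPO name

# 1. Separate OU for vendor accounts (created only if it does not already exist)
if (-not (Get-ADOrganizationalUnit -LDAPFilter "(ou=$OuName)" -SearchBase $DomainDn)) {
    New-ADOrganizationalUnit -Name $OuName -Path $DomainDn -ProtectedFromAccidentalDeletion $true
}

# 2. Block inheritance so higher-up GPOs (Default Domain Policy, mapped drives) stop at this OU
Set-GPInheritance -Target $OuDn -IsBlocked Yes | Out-Null

# 3. Create the GPO (or reuse it) and set the three policies as HKCU registry values
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $GpoName }

$Explorer = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$Network  = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Network'

# No Computers Near Me in Network Locations
Set-GPRegistryValue -Name $GpoName -Key $Explorer -ValueName 'NoComputersNearMe' -Type DWord -Value 1 | Out-Null
# No Entire Network in Network Locations
Set-GPRegistryValue -Name $GpoName -Key $Network  -ValueName 'NoEntireNetwork' -Type DWord -Value 1 | Out-Null
# Remove Map Network Drive and Disconnect Network Drive
Set-GPRegistryValue -Name $GpoName -Key $Explorer -ValueName 'NoNetConnectDisconnect' -Type DWord -Value 1 | Out-Null

# 4. Link the GPO to the OU; user-side settings apply to accounts placed in the OU
New-GPLink -Name $GpoName -Target $OuDn -LinkEnabled Yes -ErrorAction SilentlyContinue | Out-Null

# 5. Verify what the GPO now contains
Get-GPOReport -Name $GpoName -ReportType Html -Path "$env:TEMP\$GpoName.html"
```

These settings hide Explorer's browsing and drive-mapping UI; they are not an access-control boundary, so share and NTFS permissions on the other hosts plus the firewall rules on the vendor PC remain the enforcement.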
 

Author Comment

by:cobmo
ID: 39835790
Is it possible to leave their PC in a "Workgroup" so that it wouldn't require a domain user account and GPO? Using the GPO and user account I'm OK on the PC, but what about the controller device that uses a browser interface to connect? Is there an exclusion list in the GPO that would allow the PC to then access the controller?
0
