Solved

Group Policy denying access to other network resources

Posted on 2014-01-31
4
283 Views
Last Modified: 2014-02-24
Vendor needs access to the internal network remoting into their PC and controller.  Planning to add user to vpn user group on SonicWall then have them Remote Desktop to their PC on our network (other staff needs to access this PC as well that's why it needs to be on the network).

The vendor will only have access to the ip of the PC and controller from the VPN settings but, if they authenticate on the network, they would be able to browse and see other resources, correct so need something to knock that down.

I dont have a vlan setup.  I didnt want to create another domain.  Any recommendations about securing this scenario?
0
Comment
Question by:cobmo
  • 2
  • 2
4 Comments
 
LVL 3

Expert Comment

by:Ryan Lanham
ID: 39825257
By network resources are you talking about shared drives? If so you should have permissions already defined in NTFS. Just ensure that the account you are using does not have access / membership to those groups. If you are using network resources / sharing drive and just giving it to Domain Users you will need to create a new Group Policy  and Corresponding OU. Perhaps crate a new OU in AD called Vendors and apply the GPO.
0
 

Author Comment

by:cobmo
ID: 39825276
Not just shares but the ability to browse or access any other PCs, servers, shares, etc OTHER than the PC and controller he needs to see.

Its different than having an EMPLOYEE vpn into their desktop.  This is an unwanted person and trying to accomodate accordingly.  Normally we would have an employee initiate a remote desktop session with vendor and then they would take them to the source.  This is different.  They are asking for 24/7 access to their PC on our network.  I would never allow any such thing but dont really have a choice.
0
 
LVL 3

Accepted Solution

by:
Ryan Lanham earned 500 total points
ID: 39825294
I would still consider a separate OU in AD and apply custom Group Policies restricting the access. Create the OU, block inheritance / remove links to any higher up GPO's such as your Default Domain Policy if thats where your mapped drives are stored. Then setup a new Policy in which you restrict network browsing:

User Configuration > Policies > Administrative Templates > Windows Components > Windows Explorer.

These three specifically:

No Computers Near Me in Network Locations
No Entire Network in Network Locations
Remove Map Network Drive and Disconnect Network Drive
0
 

Author Comment

by:cobmo
ID: 39835790
Is it possible to leave their PC in a "Workgroup" so that it wouldnt require a domain user account and gpo?  Using the gpo and user account Im ok on the PC but what about the controller device that uses a browser interface to connect?  Is the an exclusion list in the GPO that would allow the PC to then access the controller?
0

Featured Post

Networking for the Cloud Era

Join Microsoft and Riverbed for a discussion and demonstration of enhancements to SteelConnect:
-One-click orchestration and cloud connectivity in Azure environments
-Tight integration of SD-WAN and WAN optimization capabilities
-Scalability and resiliency equal to a data center

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Restoring deleted objects in Active Directory has been a standard feature in Active Directory for many years, yet some admins may not know what is available.
This article explains how to install and use the NTBackup utility that comes with Windows Server.
This tutorial will give a an overview on how to deploy remote agents in Backup Exec 2012 to new servers. Click on the Backup Exec button in the upper left corner. From here, are global settings for the application such as connecting to a remote Back…
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…

820 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question