Solved

Group Policy denying access to other network resources

Posted on 2014-01-31
Last Modified: 2014-02-24
Vendor needs access to the internal network, remoting into their PC and controller. Planning to add the user to the VPN user group on the SonicWall, then have them Remote Desktop to their PC on our network (other staff need to access this PC as well; that's why it needs to be on the network).

The vendor will only have access to the IP of the PC and controller from the VPN settings, but if they authenticate on the network, they would be able to browse and see other resources, correct? So I need something to knock that down.

I don't have a VLAN set up. I didn't want to create another domain. Any recommendations about securing this scenario?
Question by:cobmo
Expert Comment

by:Ryan Lanham
ID: 39825257
By network resources, are you talking about shared drives? If so, you should have permissions already defined in NTFS. Just ensure that the account you are using does not have access / membership to those groups. If you are using network resources / sharing drives and just giving it to Domain Users, you will need to create a new Group Policy and corresponding OU. Perhaps create a new OU in AD called Vendors and apply the GPO.

Author Comment

by:cobmo
ID: 39825276
Not just shares, but the ability to browse or access any other PCs, servers, shares, etc. OTHER than the PC and controller he needs to see.

It's different than having an EMPLOYEE VPN into their desktop. This is an unwanted person and I'm trying to accommodate accordingly. Normally we would have an employee initiate a remote desktop session with the vendor and then they would take them to the source. This is different. They are asking for 24/7 access to their PC on our network. I would never allow any such thing but don't really have a choice.
Accepted Solution

by:
Ryan Lanham earned 500 total points
ID: 39825294
I would still consider a separate OU in AD and apply custom Group Policies restricting the access. Create the OU, block inheritance / remove links to any higher-up GPOs such as your Default Domain Policy if that's where your mapped drives are stored. Then set up a new policy in which you restrict network browsing:

User Configuration > Policies > Administrative Templates > Windows Components > Windows Explorer.

These three specifically:

No Computers Near Me in Network Locations
No Entire Network in Network Locations
Remove Map Network Drive and Disconnect Network Drive
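
The steps in the accepted answer, scripted as an added example (not part of the original thread or written by either poster). The domain DN and GPO name are placeholders, and the registry value names are the ones that back the three listed Explorer settings. These settings only hide browsing in the Explorer UI, so resource permissions still decide what the account can actually reach.

```powershell
# Added example: Vendors OU with blocked inheritance and a browsing-restriction GPO.
# Run on a machine with RSAT (ActiveDirectory and GroupPolicy modules).
Import-Module ActiveDirectory
Import-Module GroupPolicy

$DomainDn = 'DC=example,DC=local'                    # placeholder: your domain DN
$OuName   = 'Vendors'                                # OU name suggested in the thread
$OuDn     = "OU=$OuName,$DomainDn"
$GpoName  = 'Vendors - Restrict Network Browsing'    # hypothetical GPO name

# 1. Create the OU if it does not exist yet.
$ou = Get-ADOrganizationalUnit -Filter "Name -eq '$OuName'" `
        -SearchBase $DomainDn -SearchScope OneLevel
if (-not $ou) { New-ADOrganizationalUnit -Name $OuName -Path $DomainDn }

# 2. Block inheritance so domain-level GPOs (for example mapped drives) stop applying.
#    GPO links marked Enforced still apply despite this; step 5 lists them.
Set-GPInheritance -Target $OuDn -IsBlocked Yes | Out-Null

# 3. Create the GPO and enable the three User Configuration settings.
if (-not (Get-GPO -Name $GpoName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $GpoName | Out-Null
}
$base = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies'
$settings = @(
    @{ Key = "$base\Explorer"; Value = 'NoComputersNearMe' }       # No Computers Near Me
    @{ Key = "$base\Network";  Value = 'NoEntireNetwork' }         # No Entire Network
    @{ Key = "$base\Explorer"; Value = 'NoNetConnectDisconnect' }  # Remove Map/Disconnect Network Drive
)
foreach ($s in $settings) {
    Set-GPRegistryValue -Name $GpoName -Key $s.Key -ValueName $s.Value `
        -Type DWord -Value 1 | Out-Null
}

# 4. Link the GPO to the OU (errors if the link already exists).
New-GPLink -Name $GpoName -Target $OuDn -LinkEnabled Yes | Out-Null

# 5. Verify: inheritance is blocked, and list every GPO that still reaches the OU.
$inh = Get-GPInheritance -Target $OuDn
"Inheritance blocked: $($inh.GpoInheritanceBlocked)"
$inh.InheritedGpoLinks | Select-Object DisplayName, Enabled, Enforced

# The settings are per-user, so the vendor account must live in this OU, e.g.:
# Move-ADObject -Identity '<vendor account DN>' -TargetPath $OuDn
```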

Author Comment

by:cobmo
ID: 39835790
Is it possible to leave their PC in a "Workgroup" so that it wouldn't require a domain user account and GPO? Using the GPO and user account I'm OK on the PC, but what about the controller device that uses a browser interface to connect? Is there an exclusion list in the GPO that would allow the PC to then access the controller?