SBS 2011 Block Specific User Account

I have a simple request from a customer. They're running Small Business Server 2011 and are having a problem with a domain admin getting into the server. To deter additional conflict they have asked me to block their account from accessing the server. How would I do this? I figured it would probably be a GPO of some sort, but can I do this on the local level to block a domain account? They're logging in both locally and remotely.

Thanks.
TripapHoniC Asked:
 
TripapHoniC (Author) Commented:
Again, thanks David.  Unfortunately this issue wasn't as easy as the obvious.  

I ended up pushing out a GPO with specific user groups ONLY allowed to log in locally.  Basically an explicit deny to logon locally.  It worked.

Thanks.
 
David Johnson, CD, MVP (Owner) Commented:
You can disable the account, change the password ... easier to just disable the account in ADUC.
 
TripapHoniC (Author) Commented:
Thanks David but this is an active user.  I cannot disable his account.  I need to prevent him from logging into the server but still allow him access to everything else.
 
David Johnson, CD, MVP (Owner) Commented:
"having a problem with a domain admin getting into the server"

Remove the user from the domain administrator security group.
 
Jeffrey Kane - TechSoEasy (Principal Consultant) Commented:
You do realize that this user can disable that GPO without logging onto the server itself?  Giving them the ability to bypass your fix?

Just want you to be aware of that -- because it really isn't a proper solution.

Why is the user a domain administrator in the first place?  The only need to have a person in that group is to give them access to log onto the server.  If they manage something else in the network, you can grant specific access to whatever it is they need to do without compromising the full security of your domain -- which is exactly what you are doing.

Jeff
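
Added example (not part of the original thread and not any participant's code): a PowerShell check of which logon rights on the server name the account, relevant because the question says the user logs on both locally and remotely. The INF text and SIDs are constructed sample data, and Get-PrivilegeRights and Test-LogonBlocked are hypothetical helper names.

```powershell
# Constructed sample of the file written by:
#   secedit /export /areas USER_RIGHTS /cfg C:\Temp\rights.inf
# All SIDs below are made up for this example.
$sampleInf = @'
[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-21-1111111111-2222222222-3333333333-1150
SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555
SeDenyInteractiveLogonRight = *S-1-5-21-1111111111-2222222222-3333333333-1203
[Version]
signature="$CHICAGO$"
'@

# Parse the [Privilege Rights] section into a hashtable: right name -> SIDs/names.
function Get-PrivilegeRights([string]$InfText) {
    $rights = @{}
    $inSection = $false
    foreach ($line in ($InfText -split '\r?\n')) {
        if ($line -match '^\[(.+)\]\s*$') {
            $inSection = ($Matches[1] -eq 'Privilege Rights')
        } elseif ($inSection -and $line -match '^\s*(\w+)\s*=\s*(.*)$') {
            $name = $Matches[1]
            $rights[$name] = @($Matches[2] -split ',' |
                ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ })
        }
    }
    return $rights
}

# For each logon type, list which of the account's SIDs are denied or allowed.
# A deny right overrides the matching allow right.
function Test-LogonBlocked([hashtable]$Rights, [string[]]$Sids) {
    foreach ($type in 'Interactive', 'RemoteInteractive') {
        $deny  = @($Rights["SeDeny${type}LogonRight"] | Where-Object { $Sids -contains $_ })
        $allow = @($Rights["Se${type}LogonRight"] | Where-Object { $Sids -contains $_ })
        New-Object PSObject -Property @{
            LogonType  = $type
            Blocked    = ($deny.Count -gt 0) -or ($allow.Count -eq 0)
            DeniedVia  = $deny -join ','
            AllowedVia = $allow -join ','
        }
    }
}

# The account's own SID plus the groups it is in (here: BUILTIN\Administrators).
$userSids = 'S-1-5-21-1111111111-2222222222-3333333333-1203', 'S-1-5-32-544'
Test-LogonBlocked (Get-PrivilegeRights $sampleInf) $userSids |
    Format-Table LogonType, Blocked, DeniedVia, AllowedVia -AutoSize
```

With the sample data the interactive (local) logon is blocked but the Remote Desktop logon is not, because only SeDenyInteractiveLogonRight names the account and SeDenyRemoteInteractiveLogonRight is a separate right. To run it against a real export, pass `(Get-Content C:\Temp\rights.inf) -join "`n"` instead of `$sampleInf`.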
 
TripapHoniC (Author) Commented:
No tangible answer offered for question.
Question has a verified solution.
