Solved

SBS 2011 Block Specific User Account

Posted on 2014-02-18
6
324 Views
Last Modified: 2014-02-28
I have a simple request from a customer.  They're running Small Business Server 2011 and are having a problem with a domain admin getting into the server.  To detour additional conflict they have asked me to block their account from accessing the server.  How would I do this?  I figured it would probably be a GPO of some sort but can I do this on the local level to block a domain account.  They're logging in both locally and remotely.

Thanks.
0
Comment
Question by:TripapHoniC
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
6 Comments
 
LVL 81

Expert Comment

by:David Johnson, CD, MVP
ID: 39869639
you can disable the account, change the password .... easier to just disable the account in aduc
0
 

Author Comment

by:TripapHoniC
ID: 39874248
Thanks David but this is an active user.  I cannot disable his account.  I need to prevent him from logging into the server but still allow him access to everything else.
0
 
LVL 81

Expert Comment

by:David Johnson, CD, MVP
ID: 39878728
aving a problem with a domain admin getting into the server

remove the user from the domain administrator security group
0
Get 15 Days FREE Full-Featured Trial

Benefit from a mission critical IT monitoring with Monitis Premium or get it FREE for your entry level monitoring needs.
-Over 200,000 users
-More than 300,000 websites monitored
-Used in 197 countries
-Recommended by 98% of users

 

Accepted Solution

by:
TripapHoniC earned 0 total points
ID: 39881697
Again, thanks David.  Unfortunately this issue wasn't as easy as the obvious.  

I ended up pushing out a GPO with specific user groups ONLY allowed to log in locally.  Basically an explicit deny to logon locally.  It worked.

Thanks.
0
 
LVL 74

Expert Comment

by:Jeffrey Kane - TechSoEasy
ID: 39890156
You do realize that this user can disable that GPO without logging onto the server itself?  Giving them the ability to bypass your fix?

Just want you to be aware of that -- because it really isn't a proper solution.

Why is the user a domain administrator in the first place?  The only need to have a person in that group is to give them access to log onto the server.  If they manage something else in the network, you can grant specific access to whatever it is they need to do without compromising the full security of your domain -- which is exactly what you are doing.

Jeff
0
 

Author Closing Comment

by:TripapHoniC
ID: 39894352
No tangible answer offered for question.
0

Featured Post

Free NetCrunch network monitor licenses!

Only on Experts-Exchange: Sign-up for a free-trial and we'll send you your permanent license!

Here is what you get: 30 Nodes | Unlimited Sensors | No Time Restrictions | Absolutely FREE!

Act now. This offer ends July 14, 2017.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Because virtualization becomes more and more common, and, with Microsoft Hyper-V included in Windows Server at no additional costs, and, most server hardware nowadays is more than capable of running a physical Small Business Server (SBS) 2008 or 201…
I work for a company that primarily works with small businesses as their outsourced IT vendor. As such the majority of these customers utilize some version of Small Business Server. Due to the economics of running a small business, many of these cus…
Michael from AdRem Software explains how to view the most utilized and worst performing nodes in your network, by accessing the Top Charts view in NetCrunch network monitor (https://www.adremsoft.com/). Top Charts is a view in which you can set seve…
If you’ve ever visited a web page and noticed a cool font that you really liked the look of, but couldn’t figure out which font it was so that you could use it for your own work, then this video is for you! In this Micro Tutorial, you'll learn yo…

728 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question