Darrin Crawford

GPO - Only allow computers/users access who are on Domain

I am trying to set up a policy to restrict:

Computers - only allow those that have joined the domain access to network/internet

Users - restrict access to network/internet to those only on Domain.

Not sure if this is possible on GPO - or 3rd party software is required.
Alex

That would be done on a network level, wouldn't it?
Ah RADIUS, it's a RADIUS server I believe you need.
Hi,

GPOs are used to manage AD-joined computers and AD users. You will not be able to manage workgroup computers/users using GPOs. You may need to use a proxy application or network devices for authorization to restrict network and internet access.

Thanks,
Kimputer

The simplest way to "fool" non-tech users: use your DHCP server to give out a "normal" IP number (with wrong DNS/gateway) to unknown MACs, and have known PCs (domain joined) reserved by MAC with the correct DNS/gateway.
Obviously, tech-savvy people will compare IP info with "working" PCs to solve it.
But obviously, it doesn't cost you a thing.
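
The DHCP approach from the post above, sketched with the Windows Server DhcpServer PowerShell module. This is an added example, not part of the original thread; it assumes a Windows DHCP server, and the scope, addresses, MACs and PC names are all constructed.

```powershell
# Added example: every value below is constructed; adjust to your environment.
Import-Module DhcpServer

$ScopeId     = '10.20.0.0'      # constructed scope
$RealDns     = '10.20.0.10'     # constructed: domain DNS server
$RealGateway = '10.20.0.1'      # constructed: real router
$DeadEnd     = '10.20.0.254'    # constructed: unused address, nothing listens here

# Constructed inventory of domain-joined PCs (in practice, export from your asset list).
$KnownPcs = @(
    [pscustomobject]@{ Name = 'PC-001'; Mac = '00-00-5E-00-53-01'; Ip = '10.20.0.51' }
    [pscustomobject]@{ Name = 'PC-002'; Mac = '00-00-5E-00-53-02'; Ip = '10.20.0.52' }
)

# 1. Scope default: unknown MACs get a lease whose DNS/gateway lead nowhere.
#    -Force skips the DNS reachability check, which the dead-end address would fail.
Set-DhcpServerv4OptionValue -ScopeId $ScopeId -DnsServer $DeadEnd -Router $DeadEnd -Force

# 2. Known PCs: reserve by MAC, then override the options on each reservation.
$existing = Get-DhcpServerv4Reservation -ScopeId $ScopeId
foreach ($pc in $KnownPcs) {
    if (-not ($existing | Where-Object ClientId -eq $pc.Mac)) {
        Add-DhcpServerv4Reservation -ScopeId $ScopeId -IPAddress $pc.Ip `
            -ClientId $pc.Mac -Name $pc.Name -Description 'Domain-joined PC'
    }
    Set-DhcpServerv4OptionValue -ReservedIP $pc.Ip -DnsServer $RealDns -Router $RealGateway
}

# 3. Review: active leases not backed by a reservation are the unknown devices.
Get-DhcpServerv4Lease -ScopeId $ScopeId |
    Where-Object { $_.AddressState -notlike '*Reservation*' } |
    Select-Object IPAddress, ClientId, HostName, LeaseExpiryTime
```

Step 3 is the part worth scheduling: the lease list shows which unknown devices are plugging in, even though a client with statically configured settings never appears in it.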
ASKER CERTIFIED SOLUTION
Alex

This solution is only available to members.
Another great link here

https://www.thesecurityblogger.com/why-migrate-from-cisco-nac-appliance-to-ise/

ISE is another way of doing it; I believe it superseded NAC.
Use network level/radius/3rd party programs to achieve this.
This can be done by AD group membership this way.
Well, you'll need an active directory reference point but it's still done on a network level.
SOLUTION
This solution is only available to members.
That won't stop people accessing the network and running things against it.
Hence why I said
domain-joined resources