Darrin Crawford
asked on
GPO - Only allow computers/users access who are on Domain
I am trying to set up a policy to restrict:
Computers - only allow those that have joined the domain access to network/internet
Users - restrict access to network/internet to those only on Domain.
Not sure if this is possible on GPO - or 3rd party software is required.
That would be done on a network level, wouldn't it?
Ah, RADIUS. It's a RADIUS server I believe you need.
Hi,
GPOs are used to manage AD-joined computers and AD users. You will not be able to manage workgroup computers/users using GPOs. You may need to use a proxy application or network devices for authorization to restrict network and internet access.
Thanks,
The simplest way to "fool" non-tech users: use your DHCP server to give out a "normal" IP number (with the wrong DNS/gateway) to unknown MACs, and have known PCs (domain joined) reserved by MAC with the correct DNS/gateway.
Obviously, tech-savvy people will compare IP info with "working" PCs to solve it.
But obviously, doesn't cost you a thing.
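The DHCP approach described in the post above, sketched with the Windows Server DhcpServer module (an added example, not part of the original thread). The scope, addresses, MACs and PC names are constructed placeholders, and the last step, which lists leases held by devices without a reservation, goes slightly beyond what the post describes.

```powershell
# Added example; scope, addresses, MACs and names are constructed placeholders.
Import-Module DhcpServer

$ScopeId    = '10.10.0.0'     # existing DHCP scope (assumed)
$RealRouter = '10.10.0.1'     # working default gateway
$RealDns    = '10.10.0.10'    # working DNS server
$DeadEnd    = '10.10.0.254'   # unused address handed to unknown clients

# Known domain-joined PCs: MAC -> reserved IP (in practice exported from inventory).
$KnownPcs = @(
    @{ Name = 'PC-001'; Mac = '00-11-22-33-44-55'; Ip = '10.10.0.21' },
    @{ Name = 'PC-002'; Mac = '00-11-22-33-44-66'; Ip = '10.10.0.22' }
)

# 1. Scope-wide default: any client without a reservation gets the dead-end
#    gateway/DNS. -Force skips the cmdlet's DNS server validation, which would
#    otherwise reject an address that does not answer DNS queries.
Set-DhcpServerv4OptionValue -ScopeId $ScopeId -Router $DeadEnd -DnsServer $DeadEnd -Force

# 2. Per-reservation override: known MACs get the working gateway/DNS.
foreach ($pc in $KnownPcs) {
    $existing = Get-DhcpServerv4Reservation -IPAddress $pc.Ip -ErrorAction SilentlyContinue
    if (-not $existing) {
        Add-DhcpServerv4Reservation -ScopeId $ScopeId -IPAddress $pc.Ip `
            -ClientId $pc.Mac -Name $pc.Name -Description 'Domain-joined PC'
    }
    Set-DhcpServerv4OptionValue -ReservedIP $pc.Ip -Router $RealRouter -DnsServer $RealDns
}

# 3. Review list: active leases that do not belong to a reservation,
#    i.e. devices on the wire that are not in the known-PC list.
Get-DhcpServerv4Lease -ScopeId $ScopeId |
    Where-Object { $_.AddressState -notlike '*Reservation*' } |
    Select-Object IPAddress, ClientId, HostName, LeaseExpiryTime
```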
Another great link here
https://www.thesecurityblogger.com/why-migrate-from-cisco-nac-appliance-to-ise/
ISE is another way of doing it. I believe it superseded NAC.
Use network-level/RADIUS/3rd-party programs to achieve this.
This can be done by AD group membership this way.
Well, you'll need an active directory reference point but it's still done on a network level.
That won't stop people accessing the network and running things against it.
Hence why I said
domain-joined resources