Re: removing user from domain users group doesn't help



Steven L Umbach wrote:
What I would do is to give that global group deny access this computer from the network user right in Domain Security Policy. Then move the server that has the share they need to access into a OU with a Group Policy linked to it configured with the deny user right for access this computer from the network defined but to not include that group. Then users in that group can only access shares on that server. If the server has more than one share give that group deny permissions for other shares on that server. It is also possible to prevent users that logon to non domain computers to not be able to access domain computers [other than domain controllers] that have a require ipsec policy. If you consider ipsec be sure to read the documentation on ipsec first and be sure to exempt domain controllers from request/require ipsec policies by adding their IP address to a filter list that is in a rule that has permit filter action. --- Steve


Thanks for the advice. Steven

OM
.



Relevant Pages

  • Re: Securing the communication between all workstations in a domain
    ... I am no expert at Ipsec. ... I would try using the server (request ... security) policy in that OU - the secure policy is rather extreme and can ... exempt the domain controllers from ipsec traffic - a request policy may work ...
    (microsoft.public.win2000.security)
  • Re: Require connecting systems to be a Domain Computers
    ... something in which I include the group Domain Computers. ... >kerberos computer authentication for the ipsec SA then the computer must be ... In such case the server must not be a domain controller, ... >ipsec require policy will need to exempt all domain controllers with a rule ...
    (microsoft.public.security)
  • Re: lan ipsec ws2003 / xp pro deplyoyment
    ... Remote Access on the server and configure it and then configure your XP computer to ... preshared key for machine authentication. ... If you use ipsec pre shared key [policy/all ... You could go to Local Security Policy of each ...
    (microsoft.public.windowsxp.security_admin)
  • Re: IPSEC Problems
    ... You may want to try and rebuild the ipsec policy. ... ipsec negotiation traffic between domain members and domain controllers as ... > this server and any communication was shown correctly in ipsecmon. ...
    (microsoft.public.windows.server.security)
  • Re: IPSec Policy Doesnt Really Block
    ... Group Policy would be one way to apply ipsec policies. ... by now I would double check the dns configuration on that server making sure it ... >> where specific filters override general filters where there is a conflict. ...
    (microsoft.public.win2000.networking)