Re: removing user from domain users group doesn't help



Steven L Umbach wrote:
What I would do is to give that global group deny access this computer from the network user right in Domain Security Policy. Then move the server that has the share they need to access into a OU with a Group Policy linked to it configured with the deny user right for access this computer from the network defined but to not include that group. Then users in that group can only access shares on that server. If the server has more than one share give that group deny permissions for other shares on that server. It is also possible to prevent users that logon to non domain computers to not be able to access domain computers [other than domain controllers] that have a require ipsec policy. If you consider ipsec be sure to read the documentation on ipsec first and be sure to exempt domain controllers from request/require ipsec policies by adding their IP address to a filter list that is in a rule that has permit filter action. --- Steve


Thanks for the advice. Steven

OM
.