Deny access to file servers and PCs on a domain – guest user

Tags: active-directory, group-policy, network-share, windows-server-2008

We have 70+ PCs and servers, users access files by accessing the servers from their PCs.

Is it possible to deny access to all PCs and servers on a network for a guest user (he should only have access to his computer) from Active Directory or Group Policy?
I've read some articles which suggest denying access from the file share – going to each file share and denying access. Since we have many computers and many file shares, this would take a long time. Is there any quicker way to do this?

We are running server 2008.

If anyone can offer any advice or direct me on the right path I'd greatly appreciate it.

Best Answer

Assuming you have not granted the Everyone object access to any resources, you can just make a local account on the computer(s) that the guest will use. They log on to the computer(s) with that account, and they have not even logged on to the domain, so by default they have no access to any domain resources.

If you must use a domain account, create a brand new domain account and create a new domain security group (you could call it something like "Guest Users") for that account to be in. Add the account to the group, set the new group as the user's primary group, and then remove the user from the Domain Users group. Now the user should have access to nothing on the domain, assuming again that you have not granted access to anything for the Everyone object, because no one could have granted access to anything in the past for a brand new user or group.

If you have granted access to anything for Everyone, or you have reason to think that Everyone might have any access rights to any resources, then you have to run that down and correct it. One object that you can almost always get away with using as a replacement for Everyone is Domain Users, because in general, every domain account is a member of Domain Users (unless the account has been specifically removed, as described above). Note that you should not change permissions to resources that your users are using during business hours, as they are likely to be denied access by your changes until the next time they log on and get a security token. Ideally, you would have some experienced consultants on-hand to help you with this kind of permissions change, since it's very possible to accidentally either deny users access to important resources or grant users access to confidential information.

If the computer(s) will never be used by full staff who need domain access, you can dedicate the computer(s) to guest access and not even join them to the domain. Finally, the ultimate separation for guests would be for the computer(s) in question to be on a separate network or VLAN from the domain computers, possibly sharing internet through a firewall with multiple physical or virtual interfaces, or even with a separate, dedicated firewall and internet connection.
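The domain-account procedure from the answer above (new account, new group, group set as primary, account removed from Domain Users, then the Everyone audit), as an added PowerShell example that is not part of the original post. It assumes the ActiveDirectory module (RSAT, Server 2008 R2 or later; the plain Server 2008 in the question would need it run from a newer management host) and a domain-admin session; the account name, group name, OU and share paths are placeholders.

```powershell
# Added example, not from the original answer. Requires the ActiveDirectory
# module; "guest01", "Guest Users", the OU and the share paths are placeholders.
Import-Module ActiveDirectory

$guestName = 'guest01'
$guestOU   = 'OU=Guests,DC=example,DC=local'   # placeholder OU
$groupName = 'Guest Users'

# 1. Brand-new account and brand-new security group: nothing has ever been
#    granted to either, so neither inherits existing access.
$password = Read-Host -AsSecureString 'Initial password for the guest account'
New-ADUser -Name $guestName -SamAccountName $guestName -Path $guestOU `
    -AccountPassword $password -Enabled $true
New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security -Path $guestOU

# 2. Make the new group the account's primary group. primaryGroupID holds the
#    group's RID, which is the last component of the group's SID.
Add-ADGroupMember -Identity $groupName -Members $guestName
$groupRid = (Get-ADGroup $groupName).SID.Value.Split('-')[-1]
Set-ADUser -Identity $guestName -Replace @{ primaryGroupID = [int]$groupRid }

# 3. Only now can the account leave Domain Users (AD refuses to remove a user
#    from whatever group is currently its primary group).
Remove-ADGroupMember -Identity 'Domain Users' -Members $guestName -Confirm:$false

# 4. Verify: membership should list nothing but the new group.
Get-ADPrincipalGroupMembership $guestName | Select-Object Name

# 5. The answer's standing caveat: this only holds if Everyone has not been
#    granted access anywhere. Audit share roots for such entries; Authenticated
#    Users is listed too because a domain account, guest or not, is a member.
$shareRoots = @('\\fs01\Shared', '\\fs02\Projects')   # placeholder share paths
foreach ($root in $shareRoots) {
    (Get-Acl -Path $root).Access |
        Where-Object { $_.IdentityReference -match 'Everyone|Authenticated Users' } |
        Select-Object @{ n = 'Path'; e = { $root } }, IdentityReference,
            FileSystemRights, AccessControlType
}
```

Run step 5 against each file server's share roots before relying on the scheme, and review any line it prints rather than changing permissions during business hours, for the reason the answer gives.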