Deny permissions to resources outside of a user's own OU

active-directory, group-policy, windows-server-2008-r2

I am fairly new to Active Directory and this may be a simple thing to do but I am unsure of how to do it.

I have an Organizational Unit in my AD named WI. In that OU I have 2 groups, WI Users and WI Administrators, and I also have a few users and two RD Session Host Servers in the OU. There are also other users and computers in other OUs.

Here are the basic rules of what I want to do:

  1. Any user in any OU that is a member of the WI Users group is allowed to log in remotely as a standard user to the computers in the WI OU.
  2. Any user in any OU that is a member of the WI Administrators group will be a member of the local Administrators group on the computers in the WI OU.
  3. Any user in the WI OU will not be allowed to connect to any resource (computer, printer, share, etc.) outside of the WI OU.

I have figured out how to do everything except rule 3 using AD and Group Policies. What kind of Group Policy do I need to be able to fulfill that third rule?

Currently all I am doing is not adding any users from the WI OU to the domain level Remote Desktop Users group and adding WI Users to the local Remote Desktop Users group for the computers in the WI OU. However, what I wrote in rule 3 is my true goal: I want to deny network share and printer access too, but I can not just set WI Users as Deny in the GPO, as people outside of the WI OU will be members of the WI Users group.

Best Answer

You would need to remove 'Domain Users' or 'Authenticated Users' from each resource you want them to not have access to, and add the OU for groups that you do want to have access to it. Unfortunately, there is not a single method for removing permissions for local log on, share access, and printers.

  • Local log on is controlled by Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment. "Allow log on locally" and "Access this computer from the network", and their Deny counterparts, are the settings that control who can get in.
  • Shared printers are controlled from the actual printer share permissions, as are shares, but any computer with the above policy will deny access to these resources if the user is not allowed to access the computer from the network.
  • There is a way to control share permissions through GPO, but it is not recommended due to performance issues: http://www.windowsecurity.com/articles/Controlling-Resource-Permissions.html
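As an added example that is not part of the question or the accepted answer, the following PowerShell script audits the two things the answer says actually control access on a given computer: the effective user rights assignments (the allow and deny logon rights) and any share permissions granted to broad principals such as Everyone, Authenticated Users or Domain Users. It is read-only; the changes themselves are made through GPO and the share ACLs as the answer describes. Assumptions: it is run elevated on one of the computers in question, and both secedit.exe and the Win32_LogicalShareSecuritySetting WMI class are present, which holds for Windows Server 2008 R2 (PowerShell 2.0) and later.

```powershell
# Added example, not from the original question or answer.
# Audits the logon rights and share-level ACEs that decide who can reach this computer.
# Assumes: run elevated; secedit.exe and Win32_LogicalShareSecuritySetting are available.

# The user rights named in the answer, keyed by the constant names secedit uses.
$RightsOfInterest = @{
    'SeInteractiveLogonRight'     = 'Allow log on locally'
    'SeDenyInteractiveLogonRight' = 'Deny log on locally'
    'SeNetworkLogonRight'         = 'Access this computer from the network'
    'SeDenyNetworkLogonRight'     = 'Deny access to this computer from the network'
}

# Principals whose presence in an ACL effectively means "everyone in the domain".
$BroadPrincipals = @('Everyone', 'Authenticated Users', 'Domain Users')

function Get-LocalUserRights {
    # Export the local security policy and parse the [Privilege Rights] section.
    $cfg = Join-Path $env:TEMP ('secpol-{0}.inf' -f [guid]::NewGuid())
    & secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    try {
        $inSection = $false
        foreach ($line in Get-Content -Path $cfg) {
            if ($line -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
            if (-not $inSection -or $line -notmatch '^(?<right>\S+)\s*=\s*(?<sids>.*)$') { continue }
            $right = $Matches['right']
            if (-not $RightsOfInterest.ContainsKey($right)) { continue }
            # Entries are comma-separated; SIDs are prefixed with '*' and resolved to names here.
            $principals = foreach ($entry in ($Matches['sids'] -split ',')) {
                $entry = $entry.Trim()
                if ($entry.StartsWith('*')) {
                    try {
                        $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.Substring(1))
                        $sid.Translate([System.Security.Principal.NTAccount]).Value
                    } catch { $entry }   # leave unresolvable SIDs as-is
                } else { $entry }
            }
            New-Object PSObject -Property @{
                Right      = $RightsOfInterest[$right]
                Constant   = $right
                Principals = @($principals)
            }
        }
    } finally {
        Remove-Item -Path $cfg -ErrorAction SilentlyContinue
    }
}

function Get-BroadShareAccess {
    # List share-level ACEs granted to broad principals on the shares exposed by WMI.
    foreach ($share in (Get-WmiObject -Class Win32_LogicalShareSecuritySetting)) {
        $sd = $share.GetSecurityDescriptor()
        if ($sd.ReturnValue -ne 0) { continue }   # no readable descriptor for this share
        foreach ($ace in $sd.Descriptor.DACL) {
            $name = $ace.Trustee.Name
            if ($BroadPrincipals -contains $name) {
                New-Object PSObject -Property @{
                    Share     = $share.Name
                    Principal = $name
                    Type      = $(if ($ace.AceType -eq 0) { 'Allow' } else { 'Deny' })
                    Mask      = ('0x{0:X8}' -f $ace.AccessMask)
                }
            }
        }
    }
}

# Report: who may log on and who may reach this computer over the network, then
# any share ACEs that hand access to a broad group the answer suggests removing.
Get-LocalUserRights | Sort-Object Constant | ForEach-Object {
    '{0}: {1}' -f $_.Right, ($_.Principals -join ', ')
}
Get-BroadShareAccess | Format-Table Share, Principal, Type, Mask -AutoSize
```

Run it on a computer in the WI OU and on one outside it: the deny rights should list the group you intend to keep out, and a share that still grants Authenticated Users or Domain Users at the share level is one the answer says you have not yet restricted. Because a deny right takes precedence over an allow, a principal appearing under both "Access this computer from the network" and its Deny counterpart is effectively denied.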