I am fairly new to Active Directory and this may be a simple thing to do but I am unsure of how to do it.
I have an Organizational Unit in my AD named 'WI'; in that OU I have 2 groups, 'WI Users' and 'WI Administrators'. I also have a few users and two RD Session Host servers in the OU. There are also other users and computers in other OUs.
Here are the basic rules of what I want to do:
- Any user in any OU that is a member of the 'WI Users' group is allowed to log in remotely as a standard user to the computers in the 'WI' OU.
- Any user in any OU that is a member of the 'WI Administrators' group will be a member of the local 'Administrators' group on the computers in the 'WI' OU.
- Any user in the 'WI' OU will not be allowed to connect to any resource (computer, printer, share, etc.) outside of the 'WI' OU.
I have figured out how to do everything except rule 3 using AD and Group Policies. What kind of Group Policy do I need to be able to fulfill that third rule?
Currently all I am doing is not adding any users from the 'WI' OU to the domain-level 'Remote Desktop Users' group and adding 'WI Users' to the local 'Remote Desktop Users' group for the computers in the 'WI' OU. However, what I wrote in rule 3 is my true goal: I want to deny network share and printer access too, but I cannot just set 'WI Users' as Deny in the GPO, as people outside of the 'WI' OU will be members of the 'WI Users' group.
Best Answer
You would need to remove 'Domain Users' or 'Authenticated Users' from each resource you want them to not have access to, and add the OU for groups that you do want to have access to it. Unfortunately, there is not a single method for removing permissions for local log on, share access, and printers.

Computer Config -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment: 'Allow local logon' and 'Access this computer from the network' and their Deny counterparts are the settings that control who can get in.
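The answer points at two places an administrator has to check on every computer in the WI OU: the logon rights in User Rights Assignment, and the permissions on each share. The following PowerShell script is an added example, not code from the question or the answer; it audits both on the machine it is run on and reports where broad principals ('Everyone', 'Authenticated Users', 'Domain Users', the local 'Users' group; this list is an assumption you should adjust to your domain) still grant access. It assumes an elevated session on Windows Server 2012 or later (for the SmbShare module) and uses the built-in secedit.exe to export the local security policy.

```powershell
# Added example: audit logon rights and SMB share permissions for broad principals.
# Assumptions: elevated PowerShell, Windows Server 2012+ (SmbShare module), secedit.exe.
$BroadPrincipals = @('Everyone', 'Authenticated Users', 'Domain Users', 'Users')  # assumed list

function Get-LogonRightsAssignment {
    # Export the local security policy and parse the [Privilege Rights] section,
    # translating SIDs back to account names where possible.
    $cfg = Join-Path $env:TEMP 'secpol-audit.inf'
    secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $rights = @{}
    foreach ($line in Get-Content $cfg) {
        if ($line -match '^(Se\w+LogonRight)\s*=\s*(.*)$') {
            $name = $Matches[1]
            $principals = $Matches[2] -split ',' | ForEach-Object {
                $p = $_.Trim()
                if ($p.StartsWith('*')) {
                    try {
                        $sid = New-Object System.Security.Principal.SecurityIdentifier($p.TrimStart('*'))
                        $sid.Translate([System.Security.Principal.NTAccount]).Value
                    } catch { $p }   # unresolvable SID: report it raw
                } else { $p }
            }
            $rights[$name] = @($principals)
        }
    }
    Remove-Item $cfg -ErrorAction SilentlyContinue
    return $rights
}

function Get-BroadShareAccess {
    # List non-administrative SMB shares whose share permissions allow a broad principal.
    Get-SmbShare | Where-Object { -not $_.Special } | ForEach-Object {
        $share = $_
        Get-SmbShareAccess -Name $share.Name | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            ($BroadPrincipals -contains ($_.AccountName -replace '^.*\\', ''))
        } | ForEach-Object {
            [pscustomobject]@{
                Share     = $share.Name
                Path      = $share.Path
                Principal = $_.AccountName
                Right     = $_.AccessRight
            }
        }
    }
}

# Report the allow/deny logon rights the answer refers to.
$rights = Get-LogonRightsAssignment
$wanted = 'SeInteractiveLogonRight', 'SeRemoteInteractiveLogonRight', 'SeNetworkLogonRight',
          'SeDenyInteractiveLogonRight', 'SeDenyRemoteInteractiveLogonRight', 'SeDenyNetworkLogonRight'
"== User Rights Assignment on $env:COMPUTERNAME =="
foreach ($r in $wanted) {
    $who = if ($rights.ContainsKey($r)) { $rights[$r] -join ', ' } else { '(not assigned)' }
    '{0,-36} {1}' -f $r, $who
}

# Report shares that still grant access to a broad principal.
"`n== Shares granting access to broad principals =="
$findings = @(Get-BroadShareAccess)
if ($findings.Count -eq 0) { 'None found.' } else { $findings | Format-Table -AutoSize }
```

Run it on each RD Session Host in the WI OU (or through Invoke-Command against the OU's computers). Any share listed in the second section, and any 'Authenticated Users' or 'Domain Users' entry under SeNetworkLogonRight or SeInteractiveLogonRight, is a place where users from outside the intended groups can still get in; those are the entries the answer says you have to replace with the specific groups you want to allow.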