How do I deny rights to outside users accessing our network?

Active Directory
Active Directory security
Group Policy
I’ve just recently started a new job in a company with an existing 2K3 AD setup. The company started small, and has grown rapidly. During the earlier stages, security and ACLs were fairly relaxed, with the default fairly “wide-open” browse access to drives, folders etc. for Domain Users left as is, as users were all company employees – only select folders (e.g. HR department, senior admin etc.) have inheritance deliberately broken, and effectively “deny” rights imposed. We’re now into a situation where some outside consultants need periodic access to files (not apps) on our network. The intent is to allow them in via AD (they already have accounts [and separate groups] for when they work onsite), but to limit what they can actually see/browse, to one key share out of many located across 20 servers – in other words, deny ‘em everything except access to “Common”. The thought of having to march across the LAN & WAN every time there’s a change like this makes me shudder. I’m thinking this has to be a great job for a script, but don’t know where to start. Can you help point me in the right direction?

Answer Wiki


The best way to do this is to set up the contractors in a security group, then give that group access to only the shares they need. You also need to tighten down the security of the rest of the network so that you are NOT using the Everyone group or the Domain Users group to give access to everyone. If you have a network share that is for quotes and usually everyone has access to it, then you create a QUOTES group (or something similar) and give access to the share to the QUOTES group instead of the Domain Users or Everyone group. You have a lot of work ahead of you to clean up what was originally created, but in the end it will work out right.

A full network security audit is going to be your first job in this project. Before you can start cleaning up the rights you’ll need to find out what everyone needs access to, re-grant those rights without using the everyone account (or domain users) then grant the consultants the rights that they need.
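The audit-then-re-grant procedure above, as an added PowerShell example (not code from the thread): it walks the disk shares on a list of servers, reports every explicit Allow ACE granted to Everyone, BUILTIN\Users or Domain Users on the share's root folder, and with -Fix re-grants the identical rights to a per-share group and removes the broad ACE. The server names, the `SHARE-<ShareName>` group naming scheme and the use of WMI over the network are assumptions; the per-share groups must already exist, and the script only edits the share root, so subfolders with broken inheritance still need their own pass.

```powershell
# Added example, not from the thread: report (and optionally replace) broad
# Everyone / Domain Users allow ACEs on every disk share of the listed servers.
# Assumptions: run as a domain admin; servers answer WMI; one security group per
# share already exists, named <GroupPrefix><ShareName> (placeholder scheme).
param(
    [string[]]$Servers = @('FILESRV01', 'FILESRV02'),  # placeholder server names
    [string]$GroupPrefix = "$env:USERDOMAIN\SHARE-",    # e.g. CORP\SHARE-Quotes
    [switch]$Fix                                        # default: report only
)

$broadIdentities = @('Everyone', 'BUILTIN\Users', "$env:USERDOMAIN\Domain Users")
$report = New-Object System.Collections.ArrayList

function Resolve-Group([string]$Name) {
    # $true only if the account resolves to a SID; never create a group on the fly.
    try { $null = (New-Object System.Security.Principal.NTAccount($Name)).Translate(
              [System.Security.Principal.SecurityIdentifier]); $true } catch { $false }
}

foreach ($server in $Servers) {
    # Type 0 = ordinary disk shares; skips C$, ADMIN$, IPC$ and printer shares.
    $shares = Get-WmiObject -Class Win32_Share -ComputerName $server | Where-Object { $_.Type -eq 0 }
    foreach ($share in $shares) {
        $path = "\\$server\$($share.Name)"
        try { $acl = Get-Acl -Path $path } catch { Write-Warning "Cannot read ACL on ${path}: $_"; continue }

        # Only explicit ACEs can be removed here; inherited ones must be fixed at their source.
        $broad = @($acl.Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and -not $_.IsInherited -and
            $broadIdentities -contains $_.IdentityReference.Value })
        if (-not $broad) { continue }

        $group  = "$GroupPrefix$($share.Name)"
        $canFix = $Fix -and (Resolve-Group $group)
        if ($Fix -and -not $canFix) { Write-Warning "$group does not exist; leaving $path unchanged" }

        foreach ($ace in $broad) {
            [void]$report.Add([pscustomobject]@{ Server = $server; Share = $share.Name
                Identity = $ace.IdentityReference.Value; Rights = $ace.FileSystemRights; NewGroup = $group })
            if ($canFix) {
                # Re-grant identical rights to the dedicated group, then drop the broad ACE.
                $newAce = New-Object System.Security.AccessControl.FileSystemAccessRule(
                    $group, $ace.FileSystemRights, $ace.InheritanceFlags, $ace.PropagationFlags, 'Allow')
                $acl.AddAccessRule($newAce)
                [void]$acl.RemoveAccessRule($ace)
            }
        }
        if ($canFix) { Set-Acl -Path $path -AclObject $acl }
    }
}
$report | Format-Table -AutoSize
```

Run it without -Fix first and keep the report; that listing is the inventory of who currently relies on Everyone/Domain Users that the answer says you need before re-granting anything.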

Discuss This Question: 3  Replies

  • RBerube
    Good answer, as far as it goes... And I agree, there are a number of tools to help build a report on security holes. However, based on careful reading of the question, I believe the writer is looking for help with scripting (perhaps using PowerShell? or a third-party package?) to help automate a huge job... I'm curious also...
    10 points
  • Denny Cherry
    After the initial work of finding out who needs access to what and the domain groups are set up, while this could be automated, unless there are dozens of servers and hundreds of network shares, more time will probably be spent writing the script than would be spent manually configuring the network share permissions.
    69,065 points
  • Wrobinson
    Remove the Everyone group from network resources.
    5,625 points
