How to Restrict network shares access for a specific domain user in all computer except a one specific computer in a Domain Environment ?

Researcher 6 Reputation points
2022-08-20T09:53:39.497+00:00

I have this requirement where: There is a particular domain User "Superuser1" in my AD Domain Controller for whom I want to set this below rules:
Block access to network drives (network shares) and shared folders for this User on all workstations and allow access to the same share on a particular Workstation
For example: Block network access for Superuser1 from all PCs connected to domain except one specific PC.
This is required because the "Superuser1" has most privilege for shared folders - So I need to restrict this user account to access network shares from only one computer
There is an option called "Deny access to this computer from the network” - but this limits access to all pc's where this GPO is applied
Is there any possible way to implement this using GPO? If not is there any other method to do this?
I tried to find answer to this but couldn’t find a match. Please help. Any suggestions are appreciated

Active Directory
Active Directory
A set of directory-based technologies included in Windows Server.
6,000 questions
0 comments No comments
{count} votes

1 answer

Sort by: Most helpful
  1. Gary Reynolds 9,396 Reputation points
    2022-08-21T19:01:53.913+00:00

    Hi

    If you want to allow the 'superuser1' to log on to any workstation but only access the network share from one specific workstation, then I'm not aware of an option to do this.

    If you want to restrict the superuser1 to only log onto to one specific workstation, you could use the "Deny access to this computer from the network” right and apply this policy to all machine except the one the user is allowed to use. In this scenario it would be easier to use the Log on to workstation restrict on the user account.

    233256-image.png

    There isn't an option to use permissions either, a user's access token, which contains the groups they are a member of, is used to grant access to network shares. The workstation or server the user is connecting from is not included in the user's access token. Therefore it's not possible to use permissions to restrict access from a specific machine using permissions.

    Probably the better option is to implement a delegation model, and separate the permissions required by the user to do their job function, and the elevated privileges required to manage the share and assign these to a separate admin account, which can be restricted separately.

    Gary.

    1 person found this answer helpful.