Restrict AD users in IP wise

Started by sanjeeme, August 05, 2016, 12:05:30 AM


sanjeeme

Dear Friends

I want to restrict AD user IDs by terminal (IP address). We have a fully functional Active Directory, and now we have a security access issue: if one AD user logs into a different PC other than his own, he can view the hard drives of that local PC. Therefore I want to block every AD user from logging in from any PC except his own. I have searched and tried many solutions but have been unable to find a proper solution for this matter. Please help me out to solve this problem.

Best Regards

San

DaveLembke

Why not store important data on a server where you can have more control over who has permissions to files and folders? Data stored locally is a bad setup. The local system loses its hard drive and an employee loses their work.

Change default save locations to server-side storage which is backed up and, hopefully, protected by RAID.

Restrict employees to only access specific computers, and perform a script audit that scans the local profile location of a computer, such as C:\Documents and Settings on XP or C:\Users on 7, etc. Send out a global notice to all employees making them aware of the penalty for logging into another's computer: possible termination of employment if caught on the wrong computer, etc. Have a written policy in place!

*Each user should have a unique user name and password. If they log on to a system that they should not be on, you will find out fast who it is. They won't have the ability to delete their freshly created profile on the computer they logged into. Your audit will find that someone unauthorized has a profile on the wrong computer. Data that is stored in their profiles with user-level permissions will not be accessible to other local users' profiles. Only data outside of the profile storage location could be accessible by others jumping onto unauthorized computers.

If you have a rogue employee that is snooping or a problem, follow the proper means of building a case against them, notify them that they could be terminated as a result of non-compliance, and terminate their employment if it leads to that.

If these are laptops on which people need to be able to store data locally and then upload it when at work later, I could see a need to have local storage on the laptop for the users. The best method to keep someone from having access to the data on that laptop would be to have a BIOS password on the laptop. This will require 2 passwords: one for the laptop to boot and the other to log on. If you're concerned about someone using a tool on the hard drive to get the data, then encrypt the data. Additional means of data protection I have seen are laptop users who use encrypted, password-protected USB flash drives. When the USB stick is inserted into a computer, a password is needed to gain access to the data on the thumb drive.
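The profile audit and the "only specific computers" restriction described above, as an added PowerShell example that is not part of the thread: it lists every non-special profile on each workstation that belongs to neither the assigned owner nor a built-in account, then applies the AD "Log On To" restriction (LogonWorkstations), which keys on computer name rather than IP address. The workstation-to-user mapping, the names, and the exempt list are constructed; it assumes WinRM access to the workstations and the ActiveDirectory module for the last step.

```powershell
# Added example (not from this thread). Hand-maintained map of
# workstation name -> assigned AD user; the names below are constructed.
$Assigned = @{
    'WS-FINANCE-01' = 'alice'
    'WS-FINANCE-02' = 'bob'
}

# Built-in or service profiles that are expected on every workstation.
$Exempt = @('Administrator', 'Default', 'Public', 'defaultuser0')

function Get-UnexpectedProfile {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [hashtable]$Assignments = $Assigned
    )
    $owner = $Assignments[$ComputerName]
    if (-not $owner) { Write-Warning "$ComputerName has no assigned user" }

    # Win32_UserProfile exposes each profile folder with its SID and path:
    # the same evidence a manual look at C:\Users would give, plus LastUseTime.
    Get-CimInstance -ClassName Win32_UserProfile -ComputerName $ComputerName |
        Where-Object { -not $_.Special } |
        ForEach-Object {
            $p = $_
            try {
                $sid  = New-Object System.Security.Principal.SecurityIdentifier($p.SID)
                $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
            } catch {
                $name = $p.SID   # orphaned SID: account deleted, profile left behind
            }
            $short = ($name -split '\\')[-1]
            # Report only profiles that are neither the owner's nor exempt.
            if (($short -ne $owner) -and ($Exempt -notcontains $short)) {
                [pscustomobject]@{
                    Computer    = $ComputerName
                    Account     = $name
                    ProfilePath = $p.LocalPath
                    LastUsed    = $p.LastUseTime
                }
            }
        }
}

# Audit every assigned workstation for profiles that should not be there.
foreach ($pc in $Assigned.Keys) {
    Get-UnexpectedProfile -ComputerName $pc | Format-Table -AutoSize
}

# Enforce the assignment in AD: the account's "Log On To" list limits
# interactive logon to the named hosts (computer names, not IP addresses).
foreach ($pc in $Assigned.Keys) {
    Set-ADUser -Identity $Assigned[$pc] -LogonWorkstations $pc
}
```

Run the audit on a schedule and keep its output with your other logs; LogonWorkstations only limits interactive logon, so it complements, rather than replaces, keeping data on restricted server shares.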

camerongray

You shouldn't really be restricting it like this; half the point of Active Directory is to allow people to roam between devices. As Dave said, important data should be stored on a network share that is restricted to each user. Even if you restrict to IP address, there is nothing stopping someone maliciously bypassing the local administrator password or booting the machine into an alternative OS and accessing the files that way. At least with the files stored safely on a remote machine, people can't easily get physical access to it. If you must use local storage and can't have people seeing other users' files, then the appropriate permissions should be set accordingly on each workstation.