domain users force only local server access

m0rk

Is it possible to secure specific domain users/machines on a remote site
to only have access to that site's local resources and nowhere else on
the WAN, the problem being that the Domain Users group is used all over the
place for initial list/read access?

The users are not employees but clients of ours - this remote office
needs them to use their local resources but doesn't want the users to
have any other domain access.

They are to use the local file server and the internet, but not the intranet,
which is generally available to all as a home page group policy at the
highest default domain policy level ....

Other than creating a new group such as Untrusted Domain Users and going
from there I'm not sure where to start .... any pointers?
 
Steven L Umbach

You can restrict computers using IPsec policies. IPsec is a relatively
complex topic, and domain controllers need to be exempt from any policy to
make sure IPsec is not attempted for communications between domain computers
and domain controllers. The link below explains how MS uses IPsec for domain
isolation.

http://www.microsoft.com/technet/security/topics/architectureanddesign/ipsec/default.mspx

Otherwise do as you are suggesting and put those users into a global group
and give that global group the user right "Deny access to this computer from
the network" [see link below] on the network computers you do not want them to
access. However, make sure they do not have that deny user right on any
domain controllers, or else authentication and Group Policy problems can
result. --- Steve

http://www.microsoft.com/technet/pr...elp/7aca1280-42cd-4511-93df-d95bd748d979.mspx
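
As an added example (not part of the original posts), the PowerShell below checks `secedit` user-rights exports to confirm that the deny right from the reply above is assigned where intended and is absent from domain controllers and the site's own file server. The group SID, computer names and export text are constructed for illustration; `SeDenyNetworkLogonRight` is the constant behind "Deny access to this computer from the network".

```powershell
# Added example. Constructed values: the SID, computer names and INF text below.
# Real input would come from running, on each machine:
#   secedit /export /cfg C:\temp\rights.inf /areas USER_RIGHTS
$GroupSid = 'S-1-5-21-1111111111-2222222222-3333333333-1601'  # hypothetical "Untrusted Domain Users"

function Get-DenyNetworkLogonEntries {
    param([string]$InfText)
    # The export holds one line per right: SeDenyNetworkLogonRight = *SID,*SID,Name
    foreach ($line in ($InfText -split "`r?`n")) {
        if ($line -match '^\s*SeDenyNetworkLogonRight\s*=\s*(.*)$') {
            return @($Matches[1] -split ',' |
                ForEach-Object { $_.Trim().TrimStart('*') } |
                Where-Object { $_ })
        }
    }
    return @()   # the right is not assigned to anyone on this machine
}

function Test-DenyRightPlacement {
    param([string]$Computer, [bool]$ShouldDeny, [string]$InfText, [string]$Sid)
    $hasDeny = @(Get-DenyNetworkLogonEntries -InfText $InfText) -contains $Sid
    [pscustomobject]@{
        Computer   = $Computer
        ShouldDeny = $ShouldDeny
        HasDeny    = $hasDeny
        Ok         = ($hasDeny -eq $ShouldDeny)
    }
}

# Constructed sample exports, one per machine, with the placement each should have.
$exports = @(
    # Other-site server: deny right present, as intended.
    @{ Computer = 'HQ-FS01';   ShouldDeny = $true;  Inf = "[Privilege Rights]`nSeDenyNetworkLogonRight = *S-1-5-32-546,*$GroupSid" }
    # Other-site server where the policy never applied: the group can still connect.
    @{ Computer = 'HQ-WEB01';  ShouldDeny = $true;  Inf = "[Privilege Rights]`nSeNetworkLogonRight = *S-1-5-32-544" }
    # The remote site's own file server: the group must keep access.
    @{ Computer = 'SITE-FS01'; ShouldDeny = $false; Inf = "[Privilege Rights]`nSeDenyNetworkLogonRight = *S-1-5-32-546" }
    # Domain controller carrying the deny right: the misconfiguration the reply warns about.
    @{ Computer = 'DC01';      ShouldDeny = $false; Inf = "[Privilege Rights]`nSeDenyNetworkLogonRight = *$GroupSid" }
)

$exports | ForEach-Object {
    Test-DenyRightPlacement -Computer $_.Computer -ShouldDeny $_.ShouldDeny -InfText $_.Inf -Sid $GroupSid
} | Format-Table -AutoSize
```

Rows with `Ok` set to `False` are the ones to fix: a server that should block the group but does not, or a domain controller that has picked up the deny right.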
 
