Limit AD users login to a single application
  • #1

    Hi everybody,
    I'm trying to find the best solution to a security concern. I'll explain.
    Our Active Directory domain has a group of users who only need access from the internet to one or more applications (typically Exchange mailbox and/or SharePoint) and will never connect to the local network, authenticate on a domain computer, or access a file share.
    They will only need to log in to the applications, but since those apps need domain users I have these accounts in AD and I want to limit them, based on the least privilege principle.
    The external users are the ones I have less control over, and I want their accounts to be completely useless if stolen, for anything other than logging on to those apps.

    I have considered using the "Log On To" feature in the account configuration, pointing to a single, disconnected computer, but it does not convince me.

    Do you have any suggestions? I think I'm not the first to have this concern, but I could not find any real answer on the forums.

    thanks a lot!

  • #2
    I haven't dealt with this specific situation. You could try removing a user from Domain Users and see if the applications still function properly. If they do function properly then that would be the easiest.
    Regards,
    Jeremy

    Network Consultant/Engineer
    Baltimore - Washington area and beyond
    www.gma-cpa.com



    • #3
      Thanks for your reply, Jeremy.
      I tried to do as suggested, removing the account from the Domain Users group (to do so you need to assign the user another group membership as "Primary").
      Once removed from Domain Users the account is still able to log in to the application, but also able to log on to any workstation.

      I checked the default permission assigned from the local group Users (in the Local Users and groups setup in Windows management) and when the computer is part of the domain three groups are automatically added:
      DOMAIN\Domain Users
      NT AUTHORITY\Authenticated Users (S-1-5-11)
      NT AUTHORITY\INTERACTIVE (S-1-5-4)

      Since the user is not part of the first group, I guess it's allowed to log on through the second one. I can see the group in AD but not the contained members; it is probably dynamic somehow.

      Any other idea?



      • #4
        Ah yes, didn't realize that Authenticated Users were part of the local Users group. Authenticated Users is a special identity and you cannot control its membership. More info: https://technet.microsoft.com/en-us/...(v=ws.11).aspx

        So in your situation you can use Group Policy to configure the Deny logon locally to prevent users and groups from logging on: https://technet.microsoft.com/en-us/.../cc957048.aspx

        Let us know if that works for you.
        Regards,
        Jeremy

        Network Consultant/Engineer
        Baltimore - Washington area and beyond
        www.gma-cpa.com
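        Following on the "Deny log on locally" suggestion in #4, here is an added PowerShell example; it is not code from the thread or from any poster. It assumes the RSAT ActiveDirectory module is installed, that the external-only accounts are collected in a security group named ExternalAppOnly (an assumed name), and that this group is the principal you place in the GPO under Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment. The second function runs on a workstation inside the GPO's scope and reads the effective policy back with secedit, so you can verify the deny rights actually apply instead of trusting the GPO editor.

```powershell
# Added example, not from the thread. Assumptions: RSAT ActiveDirectory
# module present; the restriction group is named 'ExternalAppOnly' (assumed)
# and is the principal used in the GPO's deny-logon user rights.
Import-Module ActiveDirectory

$GroupName = 'ExternalAppOnly'   # assumed group name

# 1. Create the group once (if missing) and add the external-only accounts.
function Initialize-ExternalAppOnlyGroup {
    param([Parameter(Mandatory)][string[]]$SamAccountNames)
    if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
        New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security `
            -Description 'Accounts allowed to authenticate to published apps only'
    }
    Add-ADGroupMember -Identity $GroupName -Members $SamAccountNames
}

# 2. On a workstation in the GPO's scope, export the effective local policy
#    and confirm the group's SID is listed in each deny right. Run elevated:
#    secedit needs administrative rights to export.
function Test-DenyLogonRights {
    param([Parameter(Mandatory)][string]$GroupSid)
    $cfg = Join-Path $env:TEMP 'secpol-check.inf'
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null

    # Privilege names as they appear in the exported [Privilege Rights] section.
    $rights = [ordered]@{
        SeDenyInteractiveLogonRight       = 'Deny log on locally'
        SeDenyRemoteInteractiveLogonRight = 'Deny log on through Remote Desktop Services'
        SeDenyBatchLogonRight             = 'Deny log on as a batch job'
        SeDenyServiceLogonRight           = 'Deny log on as a service'
    }

    $lines = Get-Content $cfg
    foreach ($name in $rights.Keys) {
        $line = $lines | Where-Object { $_ -match "^$name\s*=" } | Select-Object -First 1
        $present = $false
        if ($line) {
            # secedit writes SIDs prefixed with '*', e.g. "= *S-1-5-32-546,*S-1-5-21-..."
            $sids = ($line -split '=', 2)[1] -split ',' |
                    ForEach-Object { $_.Trim().TrimStart('*') }
            $present = $sids -contains $GroupSid
        }
        [pscustomobject]@{
            Right  = $rights[$name]
            Denied = $present
        }
    }
    Remove-Item $cfg -ErrorAction SilentlyContinue
}

# Usage (names are constructed placeholders):
# Initialize-ExternalAppOnlyGroup -SamAccountNames 'ext.user1','ext.user2'
# $sid = (Get-ADGroup $GroupName).SID.Value
# Test-DenyLogonRights -GroupSid $sid | Format-Table -AutoSize
```

        Two points a practitioner should keep in mind with this approach. "Deny log on locally" only blocks console logons; Remote Desktop has its own right (listed above), and denying it closes the obvious gap. The GPO should be linked to the workstation OUs, not to the OU holding the Exchange or SharePoint servers: those applications authenticate the user with a network logon on the server, so a "Deny access to this computer from the network" right applied there would break exactly the access these accounts exist for.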
