Limit AD users login to a single application


This topic contains 3 replies, has 2 voices, and was last updated by  Gibit 1 year, 5 months ago.


  • Gibit
    Member
    #167099

    Hi everybody,
    I’m trying to find the best solution to a security concern. I’ll explain.
    Our Active Directory domain has a group of users who only need access from the internet to one or more applications (typically an Exchange mailbox and/or SharePoint) and will never connect to the local network, authenticate on a domain computer, or access a file share.
    They will only need to log in to the applications, but since those apps need domain users I have these accounts in AD and I want to limit them, based on the least privilege principle.
    The external users are the ones I have less control over, and I want their accounts to be completely useless if stolen, for anything other than logging on to those apps.

    I have considered using the “Log On To” feature in the account configuration, pointing to a single, disconnected computer, but it does not convince me.

    Do you have any suggestions? I think I’m not the first to have this concern, but I could not find any real answer on the forums.

    Thanks a lot!


    JeremyW
    Moderator
    #271537

    I haven’t dealt with this specific situation. You could try removing a user from Domain Users and see if the applications still function properly. If they do function properly then that would be the easiest.


    Gibit
    Member
    #305240

    Thanks for your reply, Jeremy.
    I tried to do as suggested, removing the account from the Domain Users group (to do so you need to assign the user another group membership as “Primary”).
    Once removed from Domain Users the account is still able to log in to the application, but also able to log on to any workstation.

    I checked the default permissions assigned to the local group Users (in the Local Users and Groups setup in Windows management), and when the computer is part of the domain three groups are automatically added:
    DOMAIN\Domain Users
    NT AUTHORITY\Authenticated Users (S-1-5-11)
    NT AUTHORITY\INTERACTIVE (S-1-5-4)

    Since the user is not part of the first group, I guess it’s allowed to log on through the second one. I can see the group in AD but not the contained members; it is probably dynamic somehow.

    Any other idea?


    JeremyW
    Moderator
    #271539

    Ah yes, I didn’t realize that Authenticated Users was part of the local Users group. Authenticated Users is a special identity and you cannot control its membership. More info: https://technet.microsoft.com/en-us/library/dn617202(v=ws.11).aspx

    So in your situation you can use Group Policy to configure “Deny log on locally” to prevent those users and groups from logging on: https://technet.microsoft.com/en-us/library/cc957048.aspx

    Let us know if that works for you.
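The “Deny” user rights suggested above, as an added example that is not from the thread or its participants: a PowerShell script that applies the four logon-type denials to a local machine with a secedit template and then audits the result. The group name CORP\ExternalAppUsers and the file paths are assumptions; the same rights live in a GPO under Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment when you want to push them to every workstation OU.

```powershell
# Added example (not the forum's code). Run elevated. Assumes a domain group
# 'CORP\ExternalAppUsers' that holds the external, application-only accounts.
# Deliberately NOT denying SeDenyNetworkLogonRight: Exchange/SharePoint
# authenticate these users with a network logon, so that right must stay
# untouched on the application servers. Apply this to workstations/member
# servers the accounts should never reach.

function ConvertTo-Sid {
    param([Parameter(Mandatory)][string]$Account)
    $nt = New-Object System.Security.Principal.NTAccount($Account)
    $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

function Set-AppOnlyLogonDeny {
    param([Parameter(Mandatory)][string]$Group)
    $sid = ConvertTo-Sid $Group
    # secedit template: each listed right is SET to exactly these accounts,
    # so any existing assignment of these Deny rights is replaced.
    $inf = @"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO`$"
Revision=1
[Privilege Rights]
SeDenyInteractiveLogonRight = *$sid
SeDenyRemoteInteractiveLogonRight = *$sid
SeDenyBatchLogonRight = *$sid
SeDenyServiceLogonRight = *$sid
"@
    $cfg = Join-Path $env:TEMP 'deny-app-users.inf'   # assumed path
    $db  = Join-Path $env:TEMP 'deny-app-users.sdb'   # assumed path
    Set-Content -Path $cfg -Value $inf -Encoding Unicode
    secedit /configure /db $db /cfg $cfg /areas USER_RIGHTS /quiet
}

function Test-AppOnlyLogonDeny {
    param([Parameter(Mandatory)][string]$Group)
    $sid = ConvertTo-Sid $Group
    $out = Join-Path $env:TEMP 'rights-export.inf'     # assumed path
    secedit /export /cfg $out /areas USER_RIGHTS /quiet | Out-Null
    $lines = Get-Content $out
    foreach ($right in 'SeDenyInteractiveLogonRight', 'SeDenyRemoteInteractiveLogonRight',
                       'SeDenyBatchLogonRight', 'SeDenyServiceLogonRight') {
        $line = $lines | Where-Object { $_ -like "$right*" }
        [pscustomobject]@{ Right = $right; Denied = [bool]($line -match [regex]::Escape("*$sid")) }
    }
}

Set-AppOnlyLogonDeny -Group 'CORP\ExternalAppUsers'
Test-AppOnlyLogonDeny -Group 'CORP\ExternalAppUsers' | Format-Table -AutoSize
```

A local policy set this way is overwritten by a domain GPO that defines the same rights, so for a domain-wide rollout define them once in the GPO instead and keep this script for spot-checking individual machines.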
