So i have an odd question. This is to affect thousands of accounts, so it should be easy to unpick.
In a nutshell, I need to come up with a viable solution to lock down user accounts to only a couple of dedicated systems and web sites. ie email etc.
The users come in over VPN, and usually have loads of memberships in AD. I assume, that the user policies apply after the VPN has authenticated the user - am getting verification on that piece.
My thinking, was to inject an attribute to the AD accounts affected, and using MIM, find that attribute, and move the user to a new OU, that has disabled inheritance, with a unique policy applied that locks down certain apps from running, only allow a subset or URL's they can run, disable all network shares access etc.
Do you think this would work?
OR
Does anyone maybe have a simpler process i can look into. Again, this is temporary, and need to be able to undo it easily.... we are talking around 22,000 accounts.
Hey guys,
So i have an odd question. This is to affect thousands of accounts, so it should be easy to unpick.
In a nutshell, I need to come up with a viable solution to lock down user accounts to only a couple of dedicated systems and web sites. ie email etc.
The users come in over VPN, and usually have loads of memberships in AD. I assume, that the user policies apply after the VPN has authenticated the user - am getting verification on that piece.
My thinking, was to inject an attribute to the AD accounts affected, and using MIM, find that attribute, and move the user to a new OU, that has disabled inheritance, with a unique policy applied that locks down certain apps from running, only allow a subset or URL's they can run, disable all network shares access etc.
Do you think this would work?
OR
Does anyone maybe have a simpler process i can look into. Again, this is temporary, and need to be able to undo it easily.... we are talking around 22,000 accounts.
Appreciate any thoughts / ideas.
Share this post
Link to post
Share on other sites