Windows 2008 and Windows 2003 envir. We got the request to block one group (40 members) to access any shares on our network. Is there a better way to do this instead of going to every server and deny this group for every share? Thank you.

Hello, if your share and ntfs permissions are configured with security groups that allow only the users that should have access you are done. So please describe how your share and ntfs permissions are set in detail.Best regards Meinolf Weber Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

You can apply a group policy to the servers and add the group to be blocked to the policy "Deny access to this computer from the network" located in "Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment" Deny will always take precedence over allow so even if members of this group are allowed access to shares or files through other memberships they will be denied.

Hi Meinolf, Most shares we assign everyone and authenticated users full access unfortunately. Thanks.

Hi Erik, I think your way is much better. Thank you.

Hi Erik, I think your way is much better. Thank you. Hello, working with DENY is the badest option you can choose. DENY is the last option to choose, especially in your setup where NONE configurationis done. Prepare security groups that should have NTFS permissions on the folders and add the correct user accounts to this groups. That way NO DENY is needed and keeps the setup manageable.Best regards Meinolf Weber Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

You can apply a group policy to the servers and add the group to be blocked to the policy "Deny access to this computer from the network" located in "Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment" Deny will always take precedence over allow so even if members of this group are allowed access to shares or files through other memberships they will be denied. Hello Erik, recommending DENY is a not recommended solution, it may be easy BUT result in multiple problems if admins changes and also if this settings are not documented correct. Please do not recommend this settings as the correct way for shares is to use security groups with NTFS permissions that define what is allowed and so NO DENY is needed on whatever level.Best regards Meinolf Weber Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

Hi Meinolf I'm glad to hear you are passionate about your ways, but that does not mean everyone has to agree. I can not assume that others do not ducument their solutions and therefore not suggest working solutions. Using Deny can be useful and is even mentioned in Microsoft's own best practices for setting permissions. The below link is for 2003, I admit, but persmissions have not changed radically since then. http://technet.microsoft.com/en-us/library/cc779601(WS.10).aspx