A user recently asked me how to hide a resource, specifically a printer, so that it could only be seen and/or used from certain specific systems rather than by every system in the domain. The question specifically dealt with a printer located in the library that was being used by systems throughout the school. The user wanted to restrict use of the printer to users logged onto computers located in the library.
The answer is simple and obvious, but also obtuse and strange. The answer lies in the structure of Active Directory.
Active Directory manages objects, whether users, computers, resources or whatever using various named containers. The four main containers used by AD are domains, organizational units, sites and forests. For the resolution to this specific resource hiding question, the answer lies in proper use of OUs.
Simply create a new OU within the appropriate domain, such as SpecialSite. Then add or move to it the computer accounts that are located in the special location. Once added, users will need to be logged into those specific computers, i.e. those which are members of the SpecialSite OU, before the resources on those computers can be seen or even accessed.
Other ways to perform similar tasks include:
- Adding a $ to the front of the share name. This hides the share name so it does not appear in a list of resources. Then map links to the resource from the designated systems.
- Use the Interactive user (a built-in
- system-controlled group), to assign use privileges only to the locally logged on account. You must remove all other permissions from the resource in order for this "trick" to function.
James Michael Stewart is a partner and researcher for ITinfopros, a technology-focused writing and training organization.
This was first published in November 2004