
Deny Access for specific group


HUSSEIN HAWARY


You could also create filters within the LDAP policy. So users not belonging to a certain group won't be able to log on.

 

2nd method: Let's say your domain is mycompany.local and all users are in OU staff. You could create a sub-OU remote, so remote users are in OU staff\remote. If this is true, you could set the Base-DN to OU=remote,OU=staff,dc=mycompany,dc=local. So this LDAP policy will only find users in this sub-OU or below it.

 

Based on groups: Let's say, you created a group DenyAccess. So you could create a group with the same name on Citrix ADC and bind an authorization policy, action DENY.

 

I personally don't like these deny methods, as users see "ugly" error messages. I prefer not allowing users to log on at all.

 

Merry Christmas and a happy new year

 

Johannes Norz

https://blog.norz.at

https://wonderkitchen.network


Hey,

 

another option is that you can use the LDAP memberOf filter with a filter of not member of this group, for example: (!(memberOf=cn=Test,ou=East,dc=Domain,dc=com))
So that all other users are allowed to log in but this explicit group would be blocked at the authentication flow.

 

See more details about ldap search filter here: Active Directory: LDAP Syntax Filters - TechNet Articles - United States (English) - TechNet Wiki (microsoft.com)

 

Cheers,

Daniel

https://danielweppeler.de
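
Added example, not part of the original posts: a small Python model of how the negated memberOf filter above decides who can log on, evaluated against a constructed directory. It goes beyond the posted filter by also evaluating Active Directory's in-chain matching rule (OID 1.2.840.113556.1.4.1941), because memberOf lists only direct memberships, so a user in a group nested inside the blocked group passes the plain filter. The nested group Contractors, the three users, and the way the login name is ANDed with the search filter are assumptions made for illustration.

```python
BLOCKED = "cn=Test,ou=East,dc=Domain,dc=com"
NESTED = "cn=Contractors,ou=East,dc=Domain,dc=com"  # hypothetical group nested in Test
DIRECTORY = {  # constructed sample (DN -> attributes); memberOf holds DIRECT groups only
    "cn=alice,ou=East,dc=Domain,dc=com": {"sAMAccountName": ["alice"], "memberOf": []},
    "cn=bob,ou=East,dc=Domain,dc=com": {"sAMAccountName": ["bob"], "memberOf": [BLOCKED]},
    "cn=carol,ou=East,dc=Domain,dc=com": {"sAMAccountName": ["carol"], "memberOf": [NESTED]},
    NESTED: {"memberOf": [BLOCKED]},
}
IN_CHAIN = "1.2.840.113556.1.4.1941"  # AD matching rule that follows nested groups

def _split(s):  # top-level "(...)" items of s; raises on unbalanced parentheses
    items, depth, start = [], 0, 0
    for i, ch in enumerate(s):
        if ch == "(":
            start = i if depth == 0 else start
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                items.append(s[start:i + 1])
    if depth:
        raise ValueError("unbalanced parentheses in filter")
    return items

def _in_chain(entry, target):  # True if entry reaches target via any memberOf chain
    todo, seen = list(entry.get("memberOf", [])), set()
    while todo:
        group = todo.pop()
        if group not in seen:  # guard against circular group nesting
            seen.add(group)
            todo += DIRECTORY.get(group, {}).get("memberOf", [])
    return target in {g.lower() for g in seen}

def matches(entry, flt):  # evaluates the subset used here: !, &, equality, in-chain
    if _split(flt) != [flt]:
        raise ValueError("malformed filter")
    body = flt[1:-1]
    if body.startswith("!"):
        return not matches(entry, body[1:])
    if body.startswith("&"):
        return all(matches(entry, f) for f in _split(body[1:]))
    attr, value = body.split("=", 1)
    if attr.endswith(f":{IN_CHAIN}:"):
        return _in_chain(entry, value.lower())
    return value.lower() in (v.lower() for v in entry.get(attr, []))

def can_log_on(user, search_filter):
    """Assumed model: the login-name match is ANDed with the search filter."""
    flt = f"(&(sAMAccountName={user}){search_filter})"
    return any(matches(e, flt) for e in DIRECTORY.values())
```

With the plain filter, alice is allowed and bob is blocked, but carol (a member only through the nested group) is still allowed; the in-chain form blocks her as well.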


1 hour ago, Daniel Weppeler said:

another option is that you can use the LDAP memberOf filter with a filter of not member of this group, for example: (!(memberOf=cn=Test,ou=East,dc=Domain,dc=com))

So that all other users are allowed to log in but this explicit group would be blocked at the authentication flow.

 

That's what I thought of when talking about "You could also create filters within the LDAP policy."
