# Active Directory Separate Computers From Each Group !



## radw (May 5, 2012)

Hello to everyone !
I have a question regarding Active Directory, Organizational Unit and Groups on a WIndows Server 2008 Standard Edition.
Is there a way to separate computers from seeing each other's share if they belong to the same Organizational Unit but different Groups but still users in the same group to see each others shares ?
Thanks in advance, 
Radu.


----------



## Rockn (Jul 29, 2001)

Do you want to limit user access to the resource or computer access to the resource? Are you talking about local shares (which is probably a bad idea).


----------



## radw (May 5, 2012)

Hello Rockn and thank you for helping me.
In Active Directory I have 3 Organizational Units an inside each organizational unit I have some groups.


OU1
-Group 1 - user1, user2, user3.
-Group 2 - user a, user b, user c.
-Group 3 - user 4, user5, user6.


OU2
-Group a - user A, user B, user C.
-Group b - user D, user E, user F.
-Group c - user G, user H, user I.


OUIII
-Group I - user I, user II, user III
-Group II - user IV, user V, user VI.
-Group III - user VII, user VIII, user IX.

The usernames are defined in USERS. For every user defined I have defined it's computer name in COMPUTERS.
What I am trying to do is : 
Users from OU1, GROUP1 (which will be, let's say, DIRECTOR) should not have anything to do with users from OU1, GROUP2 ( JANITOR, for example ) and nobody else, of course, unless it's specified. User1 from GROUP1 should only see as network computers USER2 and USER3.
How do I achieve these without VLANs or separating the network, only from active directory ? Is it possible ?
Thanks again, 
Radw.


----------



## Rockn (Jul 29, 2001)

What do you mean by see computers? If these computers are domain members all that should be accessible is the default admin C$ share. Just because they can see the computers on the network does not mean they can access them. This really seems like an exercise in futility.


----------

