I tested this feature with older versions of the software, with SSH and other protocols using deny rules. I had to actually connect and log in before the NSX policy engine was able to identify the user account connecting and block access. This feature may function more efficiently in newer versions.
Thank you larsonm!
Your reply is interesting, but it doesn't answer the question...
I don't believe you can make the rule on the user, it has to be on the AD group. Other than that, the rule will work. You need to have the domain registered within NSX and make sure you have the guest introspection VM installed on the cluster.
When your VM is in the "virtual NSX" environment and you are trying to "allow" or "block" (certain) traffic from that VM this is a good use case where this is possible with the use of AD Security Groups.
Please read this guide and test it out like that.
Having a physical PC and wanting to enforce NSX security policy rules on that would not be a valid use case, I believe...
No, it is not possible to do it.
AD membership is within the VM; NSX needs to detect events, and that can be done via GI or the Log Scraper. Since a physical machine has no GI or log scraper related to the virtual environment, there is no way to detect it.
NSX is designed only for virtual environments; however, there are some use cases for physical ones.