Re: Controlled user access

From: Herb Martin (news_at_LearnQuick.com)
Date: 11/28/04


Date: Sun, 28 Nov 2004 04:47:22 -0600


"David Sturgeon" <dsturgeon@n.o.sp-am.county.tippecanoe.in.us> wrote in
message news:10qhfgsdubfclce@corp.supernews.com...
> If I set up an account for a vendor to come in and look at their software,
> how can I keep that user from accessing anything other than a certain
> server? Would I have to do this via the 'Log on To' option in the profile?

That will work -- as long as you haven't turned off NetBIOS (it
actually is one of the things that still depends on the NetBIOS name)
and as long as the vendor doesn't need access to more than 10
machines.

But recognize, you must also protect against any other shared
resources (printers, shares, etc) which you don't wish the user
to access.

As long as you already use specific permissions -- more specific
than Everyone, Authenticated Users, etc. -- then this should not
be a big deal.

> For instance if I have a vendor named Joe that needs to come in via terminal
> services and get to his company's application folder on my file server, how
> do I limit him to only that server.

Only grant him access through terminal services on THAT specific
machine and use the Logon to in user properties also if you wish.

> Since he is part of the 'Domain Users'
> group, he basically has access to just about any machine in the network from
> an NTFS perspective.

Not if your shares are correctly set up -- or you can use
DENY permissions IF YOU MUST to stop that.

He IS a Domain Users member so you are granting him access to
everything that Authenticated Users, Domain Users,
or Everyone has access to.

You specified that when you put those permissions (even
passively) on those shares or other resources.

It is possible to take an account OUT of Domain Users
however -- won't help for Everyone and Authenticated
Users since they are special groups (i.e., automatic.)

There is a trick to doing it (or used to be since I haven't
done it in a long time):

Put the user in at least one other group, mark that other
group as the user's "default group" and then remove the
user from Domain Users -- you may have to search the
KB for the precise steps, and it may have changed since
NT (last time I did it.)

The IIS anonymous accounts are set up in Guests rather
than Domain Users which provides a working example
of the idea.

-- 
Herb Martin
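
Added example, not part of the original post: the "Log On To" restriction and the primary-group change described above, written for the ActiveDirectory PowerShell module (an assumption; the post predates it). The account, group and server names are hypothetical placeholders.

```powershell
# Added example: all names below are hypothetical placeholders.
Import-Module ActiveDirectory

$Vendor = 'joe.vendor'     # hypothetical vendor account
$Group  = 'Vendor-AppX'    # hypothetical group created for this vendor
$Server = 'FILESRV01'      # hypothetical server the vendor may log on to

# 1. "Log On To": restrict the account to the one server.
Set-ADUser -Identity $Vendor -LogonWorkstations $Server

# 2. Put the user in at least one other group. A primary group must be
#    a global or universal security group, so check before using it.
if (-not (Get-ADGroup -Filter "SamAccountName -eq '$Group'")) {
    New-ADGroup -Name $Group -SamAccountName $Group `
        -GroupScope Global -GroupCategory Security
}
$g = Get-ADGroup -Identity $Group
if ($g.GroupCategory -ne 'Security' -or $g.GroupScope -eq 'DomainLocal') {
    throw "$Group cannot be used as a primary group"
}
Add-ADGroupMember -Identity $g -Members $Vendor

# 3. Mark it as the primary ("default") group. primaryGroupID stores the
#    group's RID, which is the last component of its SID.
$rid = [int](($g.SID.Value -split '-')[-1])
Set-ADUser -Identity $Vendor -Replace @{ primaryGroupID = $rid }

# 4. Only after the primary group has changed can the account be
#    removed from Domain Users.
Remove-ADGroupMember -Identity 'Domain Users' -Members $Vendor -Confirm:$false

# 5. Verify the result: logon restriction, primary group RID, and the
#    groups the account still belongs to.
$u = Get-ADUser -Identity $Vendor -Properties LogonWorkstations, primaryGroupID
$memberOf = Get-ADPrincipalGroupMembership -Identity $Vendor |
    Select-Object -ExpandProperty Name
[pscustomobject]@{
    Account            = $u.SamAccountName
    LogonWorkstations  = $u.LogonWorkstations
    PrimaryGroupRid    = $u.primaryGroupID
    Groups             = $memberOf -join ', '
    StillInDomainUsers = $memberOf -contains 'Domain Users'
}
```

As the post notes, this does nothing about Everyone and Authenticated Users, so permissions granted to those groups still apply to the account.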