Re: Deny Server Access but Allow Printer and Internet
- From: "Herb Martin" <news@xxxxxxxxxxxxxx>
- Date: Thu, 21 Sep 2006 13:32:18 -0500
"Adam" <Adam@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:A2A02891-CF0D-4F41-B752-180E1977F4C3@xxxxxxxxxxxxxxxx
> I am looking for the best method to create basically a guest account on the
> domain (2003).

The "Guest" account is already a technical term, and usually
disabled since it requires no specific credentials (password)
to authenticate.

> I would like to have a group or OU configured to deny access to all my
> file server / Shares etc. and only allow Internet access and network printing.

Then don't put these accounts in ANY group that has access to those
resources.
Put them in a group with only the necessary privileges.
You may find you have to change their default group from
Domain Users to get them out of there, if this group has
been (probably improperly) used for granting access.
Too many people use "everyone" or some other generic
group to grant access when they should build specific
groups for such.
You should START by only granting access to those who
need it, and do your best to AVOID having to DENY access.
But if you must, you merely put the users into a Group and
deny it access to all inappropriate resources.

> My printer is shared off my server so I may be shooting myself in the foot
> by a full deny.

You don't grant or deny at the "server level"; you do this on a
share by share (print or file) basis, so it is trivial (but perhaps
tedious) to go through and grant/deny the precise privileges.

> If possible I would like to prevent browsing of the network as well. --
> This I should be able to do via Group Policy to the OU easily.

Browsing is NOT controlled by permissions so it is generally
available to all -- or no one.

> But is there a method to deny any access to my server(s) shares and deny
> hd access at the NTFS level based upon Group Policy and an OU?

Some of the permissions I have described above (NTFS in particular)
can be set by GPO but this is very difficult if you have never done it
directly and gotten at least some sample machines correct manually.

> I guess I am looking for a kiosk type setup based on user login.

If you want permissions to keep a kiosk user with direct logon
from accessing local files then that is NTFS and can be done
fairly easily (but again probably tediously) with a Group using
either Deny or never giving access to start with.

> Any suggestions?

--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]
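
The reply above recommends granting access only through specific groups and checking permissions share by share. The following read-only audit is an added example, not part of the original post: it lists shares whose share-level or NTFS ACLs grant access to broad groups such as Everyone or Domain Users. It assumes a server with the SmbShare module (Windows Server 2012 or later, not the 2003 domain in the thread) and English principal names; the function name `Test-BroadPrincipal` is hypothetical.

```powershell
# Added example: flag Allow entries made to broad built-in groups.
# Read-only; it changes no permissions.

# Broad principals to look for (English names assumed). Domain Users is
# matched by suffix because its account name carries the domain prefix.
$broad = 'Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users'

function Test-BroadPrincipal([string]$Name) {
    ($broad -contains $Name) -or ($Name -like '*\Domain Users')
}

# Skip administrative shares (C$, ADMIN$, IPC$).
$findings = foreach ($share in Get-SmbShare | Where-Object { -not $_.Special }) {

    # Layer 1: the share-level ACL (applies to file and print shares alike).
    Get-SmbShareAccess -Name $share.Name |
        Where-Object { $_.AccessControlType -eq 'Allow' -and
                       (Test-BroadPrincipal $_.AccountName) } |
        ForEach-Object {
            [pscustomobject]@{
                Share     = $share.Name
                Layer     = 'Share'
                Principal = $_.AccountName
                Rights    = $_.AccessRight
            }
        }

    # Layer 2: the NTFS ACL on the shared folder. Print shares have no
    # folder behind them, so Test-Path filters them out here.
    if ($share.Path -and (Test-Path -LiteralPath $share.Path -PathType Container)) {
        (Get-Acl -LiteralPath $share.Path).Access |
            Where-Object { $_.AccessControlType -eq 'Allow' -and
                           (Test-BroadPrincipal $_.IdentityReference.Value) } |
            ForEach-Object {
                [pscustomobject]@{
                    Share     = $share.Name
                    Layer     = 'NTFS'
                    Principal = $_.IdentityReference.Value
                    Rights    = $_.FileSystemRights
                }
            }
    }
}

$findings | Sort-Object Share, Layer | Format-Table -AutoSize
```

A share that appears in both layers is reachable by any account in that broad group, including a restricted guest-style account left in Domain Users.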