Re: Deny Server Access but Allow Printer and Internet



The "Guest" account is already a technical term, and usually
disabled since it requires no specific credentials (password)
to authenticate.

Yes, perhaps I should not have used the word guest. I mean guest in the
terms temp user not the actual guest account.

Put them in a group with only the necessary privileges.

Yes, that was my plan. I was looking for something that would limit my need
to touch every share. But yes I can see it as an advantage to verify all my
groups and their share and NTFS permissions while creating a new group that
only has rights to the printer.

Thank you



"Herb Martin" wrote:

"Adam" <Adam@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:A2A02891-CF0D-4F41-B752-180E1977F4C3@xxxxxxxxxxxxxxxx
I am looking for the best method to create basically a guest account on the
domain (2003).

The "Guest" account is already a technical term, and usually
disabled since it requires no specific credentials (password)
to authenticate.

I would like to have a group or OU configured to deny access to all my file
server / Shares etc. and only allow Internet access and network printing.

Then don't put these accounts in ANY group that has access to those
resources.

Put them in a group with only the necessary privileges.

You may find you have to change their default group from
Domain Users to get them out of there, if this group has
been (probably improperly) used for granting access.

Too many people use "everyone" or some other generic
group to grant access when they should build specific
groups for such.

You should START by only granting access to those who
need it, and do your best to AVOID having to DENY access.

But if you must, you merely put the users into a Group and
deny it access to all inappropriate resources.

My printer is shared off my server so I may be shooting myself in the foot
by a full deny.

You don't grant or deny at the "server level"; you do this on a
share by share (print or file) basis, so it is trivial (but perhaps
tedious) to go through and grant/deny the precise privileges.

If possible I would like to prevent browsing of the network as well. -- This
I should be able to do via Group Policy to the OU easily.

Browsing is NOT controlled by permissions so it is generally
available to all -- or no one.


But is there a method to deny any access to my server(s) shares and deny hd
access at the NTFS level based upon Group Policy and an OU?

Some of the permissions I have described above (NTFS in particular)
can be set by GPO but this is very difficult if you have never done it
directly and gotten at least some sample machines correct manually.

I guess I am looking for a kiosk type setup based on user login.

If you want permissions to keep a kiosk user with direct logon
from accessing local files then that is NTFS and can be done
fairly easily (but again probably tediously) with a Group using
either Deny or never giving access to start with.

Any suggestions?


--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]
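
Added example, not part of the thread and not either poster's code: a simplified Python model of the advice above, showing which resources a temporary account reaches through generic groups and why a Deny has to be repeated on every resource. Group and share names are constructed; the model treats access as all-or-nothing, ignores ACE ordering and inheritance, and assumes the share and NTFS layers must both allow.

```python
# Simplified model: an ACL is a list of (group, "allow" | "deny") entries.
# Real Windows ACLs carry specific rights and ordering; this is all-or-nothing.

# Groups every authenticated domain user holds without being added to them.
IMPLICIT = {"Everyone", "Authenticated Users"}
GENERIC = IMPLICIT | {"Domain Users"}

# Constructed inventory (hypothetical names): resource -> (share ACL, NTFS ACL).
# The print share has no NTFS layer in this model, so it is None.
RESOURCES = {
    "Finance":  ([("Everyone", "allow")], [("Finance Staff", "allow")]),
    "Public":   ([("Everyone", "allow")], [("Domain Users", "allow")]),
    "Scans":    ([("Domain Users", "allow"), ("Temp Users", "deny")],
                 [("Everyone", "allow")]),
    "Printer1": ([("Temp Users", "allow"), ("Domain Users", "allow")], None),
}

def acl_allows(acl, groups):
    """No matching entry means no access; a matching Deny beats any Allow."""
    if acl is None:
        return True
    matched = [kind for grp, kind in acl if grp in groups]
    return "allow" in matched and "deny" not in matched

def reachable(user_groups):
    """Resources the user can reach: share and NTFS layers must both allow."""
    groups = set(user_groups) | IMPLICIT
    return sorted(name for name, (share, ntfs) in RESOURCES.items()
                  if acl_allows(share, groups) and acl_allows(ntfs, groups))

def generic_grants():
    """(resource, layer, group) for every Allow given to a catch-all group."""
    findings = []
    for name, layers in RESOURCES.items():
        for layer, acl in zip(("share", "ntfs"), layers):
            for grp, kind in acl or []:
                if kind == "allow" and grp in GENERIC:
                    findings.append((name, layer, grp))
    return findings

if __name__ == "__main__":
    # Temp account left in Domain Users: the Deny on Scans works, Public was missed.
    print(reachable(["Domain Users", "Temp Users"]))
    # Temp account with Domain Users removed: only the printer remains.
    print(reachable(["Temp Users"]))
    for finding in generic_grants():
        print("generic grant:", finding)
```
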




