Re: Domain account with restricted rights



Herb,

Thanks for the response. Before posting I had created a security group
called 'No Access'. Everyone I put into that group had 'No Access' as the
primary group and each was removed from Domain Users.

Yet still, these accounts can log on to a PC? Any ideas?

thanks

"Herb Martin" wrote:


"akg414s" <akg414s@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:150B219D-05AC-415F-B175-3526E12065C1@xxxxxxxxxxxxxxxx
I need to create a security group with rights to access a single share. They

Technically accessing a Share requires PERMISSIONS (not Rights which
are something different in Windows, e.g., Logon locally as you mention
below.)

So you need both different permissions and different rights perhaps.

will also need to log on through Radius for VPN.

They should have no other rights such as log on locally.
What is the best way to lock down these accounts?

You will first need to add these users to the new group and then
REMOVE them from the Domain Users group (every user is a member
here by default and this is their Primary group which makes it a bit
irritating to get them "out of" Domain Users.)

Domain Users have the right to logon locally (to non-Servers).

Easiest is to create one new account as a template with these new
group settings then COPY this template account to create the other
user accounts for this purpose.


But then you still have to deal with share permission IF you have been
using Everyone Read, or Authenticated User -- Change etc on the shares
and NTFS permissions.

The problem is that these folks are STILL going to be part of these
Special Groups (automatic/dynamic groups) and so you must either
use more specific groups OR you must use DENY with the new
groups.

Remember too, that permissions are needed on both the SHARE and
the NTFS files themselves if you wish to have users access them.

--
Herb Martin, MCSE, MVP
http://www.LearnQuick.Com
(phone on web site)
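
The procedure described in the quoted reply (new group, primary group swap, removal from Domain Users, then share and NTFS permissions), as an added example that is not part of the original thread. It assumes the ActiveDirectory and SmbShare PowerShell modules are available; the group, user, folder and share names are constructed placeholders.

```powershell
# Added example: every name below is a constructed placeholder, not from the thread.
Import-Module ActiveDirectory

$GroupName = 'ShareOnly-VPN'       # hypothetical restricted group
$UserName  = 'vpnuser1'            # hypothetical account to lock down
$SharePath = 'D:\Shares\Project'   # hypothetical folder backing the share
$ShareName = 'Project'             # hypothetical share name
$Domain    = (Get-ADDomain).NetBIOSName

# 1. Create the security group if it does not exist, then add the user.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security
}
Add-ADGroupMember -Identity $GroupName -Members $UserName

# 2. Domain Users is the default primary group, and a user cannot be removed
#    from their primary group. Point primaryGroupID at the new group first.
$token = (Get-ADGroup $GroupName -Properties primaryGroupToken).primaryGroupToken
Set-ADUser -Identity $UserName -Replace @{ primaryGroupID = $token }
Remove-ADGroupMember -Identity 'Domain Users' -Members $UserName -Confirm:$false

# 3. Permissions are needed on BOTH the share and the NTFS folder.
if (-not (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $ShareName -Path $SharePath `
        -ChangeAccess "$Domain\$GroupName" | Out-Null
}
icacls $SharePath /grant "$Domain\${GroupName}:(OI)(CI)M" | Out-Null

# 4. Audit: list the user's remaining groups, and flag broad or automatic
#    groups that still hold Allow entries on the share or on the folder.
$broad = 'Everyone', 'NT AUTHORITY\Authenticated Users',
         'BUILTIN\Users', "$Domain\Domain Users"

Get-ADPrincipalGroupMembership -Identity $UserName | Select-Object Name

Get-SmbShareAccess -Name $ShareName |
    Where-Object { $_.AccountName -in $broad -and $_.AccessControlType -eq 'Allow' }

(Get-Acl -Path $SharePath).Access |
    Where-Object { $_.IdentityReference.Value -in $broad -and
                   $_.AccessControlType -eq 'Allow' } |
    Select-Object IdentityReference, FileSystemRights, IsInherited

# Logon RIGHTS (e.g. log on locally) are not permissions and are not changed
# here; they are assigned through policy (User Rights Assignment).
```

Any rows returned by the two audit queries in step 4 are entries that still reach these accounts through the automatic groups and need a more specific group or a Deny entry.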


