Re: Domain account with restricted rights




"Michael D'Angelo" <nospamnmdange@xxxxxxxxxxxxxxx> wrote in message
news:%231BlplPrHHA.3924@xxxxxxxxxxxxxxxxxxxxxxx
Normally the "Authenticated Users" special group has the logon locally
right. You would have to change the policy on every machine they should
not have access to and change it to include the groups you need.

Really? I never noticed that change. Logically it is a VERY poor idea and
I am surprised that was done.

Alternatively, you can set the "No Access" group to be in the "Deny Logon
Locally" right. Like ACLs, the Deny will take precedence over the allow.

That was probably added to account for the change above. I knew about this
and now its appearance makes even more sense.

--
Herb Martin, MCSE, MVP
http://www.LearnQuick.Com
(phone on web site)

"Herb Martin" <news@xxxxxxxxxxxxxx> wrote in message
news:e2ovMdFrHHA.4100@xxxxxxxxxxxxxxxxxxxxxxx

"akg414s" <akg414s@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:38567A36-75B7-4F7C-82AB-27EE924A1787@xxxxxxxxxxxxxxxx
Herb,

Thanks for the response. Before posting I had created a security group
called 'No Access'. Everyone I put into that group had 'No Access' as the
primary group and each was removed from Domain Users.

Yet still, these accounts can logon to a pc? Any ideas?

The Domain Users causes the "Logon Locally" right to be present
(as I recall) because it is a member of Users (both domain and
computer specific) where the right is actually granted.

So if "No Access" (not a particularly good choice of names) doesn't
have "Logon Locally" nor is it a member of any group (i.e., Users)
that does have this right then local logon should not be possible.

Normally the Guests group has this ability too I believe so Users
is not the only possibility so you need to look through all the
groups (direct and nested) that can be granting this.

--
Herb Martin, MCSE, MVP
http://www.LearnQuick.Com
(phone on web site)

thanks

"Herb Martin" wrote:


"akg414s" <akg414s@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:150B219D-05AC-415F-B175-3526E12065C1@xxxxxxxxxxxxxxxx
I need to create a security group with rights to access a single share.
They

Technically accessing a Share requires PERMISSIONS (not Rights which
are something different in Windows, e.g., Logon locally as you mention
below.)

So you need both different permissions and different rights perhaps.

will also need to log on through Radius for VPN.

They should have no other rights such as log on locally.
What is the best way to lock down these accounts?

You will first need to add these users to the new group and then
REMOVE them from the Domain Users group (every user is a member
here by default and this is their Primary group which makes it a bit
irritating to get them "out of" Domain Users.)

Domain Users have the right to logon locally (to non-Servers).

Easiest is to create one new account as a template with these new
group settings, then COPY this template account to create the other
user accounts for this purpose.


But then you still have to deal with share permission IF you have been
using Everyone Read, or Authenticated User -- Change etc on the shares
and NTFS permissions.

The problem is that these folks are STILL going to be part of these
Special Groups (automatic/dynamic groups) and so you must either
use more specific groups OR you must use DENY with the new
groups.

Remember too, that permissions are needed on both the SHARE and
the NTFS files themselves if you wish to have users access them.

--
Herb Martin, MCSE, MVP
http://www.LearnQuick.Com
(phone on web site)
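As an added example (not code from anyone in this thread): a PowerShell audit that reads the local "Log on locally" and "Deny log on locally" assignments with secedit, as Herb suggests when he says to look through every group (direct and nested) that grants the right, and reports whether a given account is effectively allowed, with the Deny winning as Michael notes. It assumes an elevated session on the machine being checked; the CONTOSO account and group names in the usage lines are constructed samples.

```powershell
# Resolve a SID string to DOMAIN\Name; keep the raw value if it cannot be translated.
function Resolve-SidToName {
    param([string]$Sid)
    if ($Sid -notmatch '^S-1-') { return $Sid }   # secedit may already emit a name
    try {
        $id = New-Object System.Security.Principal.SecurityIdentifier($Sid)
        return $id.Translate([System.Security.Principal.NTAccount]).Value
    } catch { return $Sid }                        # orphaned SID: report as-is
}

# Export only the user-rights area of local policy and parse the two logon rights.
function Get-LogonRightAssignments {
    param([string]$InfPath = "$env:TEMP\user-rights.inf")
    & secedit.exe /export /cfg $InfPath /areas USER_RIGHTS /quiet | Out-Null
    $inf = Get-Content -Path $InfPath
    $result = @{}
    foreach ($name in 'SeInteractiveLogonRight', 'SeDenyInteractiveLogonRight') {
        $line = $inf | Where-Object { $_ -match "^$name\s*=" } | Select-Object -First 1
        $sids = @()
        if ($line) {
            # Entries look like: SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545
            $sids = ($line -split '=', 2)[1].Trim() -split ',' |
                ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ }
        }
        $result[$name] = @($sids | ForEach-Object { Resolve-SidToName $_ })
    }
    return $result
}

# Decide the effective right for an account: allowed only if some group it holds is
# in the allow list AND none of its groups is in the deny list (deny takes precedence).
function Test-LocalLogonForPrincipal {
    param([string[]]$PrincipalNames, [hashtable]$Rights)
    $allowed = @($Rights['SeInteractiveLogonRight']     | Where-Object { $PrincipalNames -contains $_ })
    $denied  = @($Rights['SeDenyInteractiveLogonRight'] | Where-Object { $PrincipalNames -contains $_ })
    [pscustomobject]@{
        GrantedVia      = $allowed
        DeniedVia       = $denied
        CanLogOnLocally = ($allowed.Count -gt 0 -and $denied.Count -eq 0)
    }
}

# Usage: the account under test plus every group it belongs to, direct and nested
# (e.g. collected from 'whoami /groups /fo csv' during a test logon). Constructed sample:
$rights = Get-LogonRightAssignments
$groups = 'CONTOSO\jdoe', 'CONTOSO\No Access', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users'
Test-LocalLogonForPrincipal -PrincipalNames $groups -Rights $rights
```

If GrantedVia lists BUILTIN\Users or NT AUTHORITY\Authenticated Users, the account is still picking up the right through a nested or special group, which is the situation akg414s ran into.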
