Posted by DaveMo on May 8, 2007, 9:51 am
>
> > Hi Roger,
>
> > Thank you for the excellent answer.
>
> > It seems that the only way is to try as you suggest.
>
> > I was expecting something like your suggestion, but with your information,
> > I think this could be a solution.
>
> > Again, thanks for your time.
>
> > /Allan
>
> No problem Allan. Good luck, as the case is hard to
> resolve if the infrastructure was left at install defaults
> relative to joined machines' Users group memberships
> and/or user rights.
>
>
>
> >>> Hi,
>
> >>> I would like to create a domain-wide user account with almost no rights
> >>> at all, except to use a web server inside a firewall.
> >>> The reason, is to manage the user in the AD, but have the user behave
> >>> like a local user account on a specified machine.
>
> >>> I am running a windows server 2003 and Active Directory.
>
> >>> Is it possible to create a Domain User Group that has no access at all,
> >>> if so how to do it ?
>
> >>> Are there any pitfalls ?
>
> >>> I know that this is a kind of upside down, but nevertheless, necessary
> >>> :-)
>
> >> Hi Allan,
>
> >> Most people fail to take explicit control over login rights on
> >> individual machines, leaving Domain Users and Authenticated
> >> Users as members in the Users group of domain joined machines.
>
> >> I will assume that is the case in your circumstance.
>
> >> If you define a domain global group, which you will use nowhere,
> >> and after defining your user change the primary group of that user
> >> from Domain Users to your custom, nowhere used domain global
> >> group, then you have gone partway down the road of restricting
> >> the grants normally allowed to any account (i.e. those conferred
> >> by means of Domain Users).
>
> >> The account will still be recognized as an Authenticated User,
> >> and there is nothing you can do to prevent that. So, the account
> >> does still have some grants to it automatically. Those do in the
> >> default (i.e. if control over login rights has not been designed as
> >> part of the deployment) grant login to, for example, all client
> >> machines. So, to limit this, if your domain uses NetBIOS over
> >> TCP, use the properties of the account to limit the computers
> >> the account is allowed to log into. If your domain does not use
> >> NetBT, or if you want added protection, you can use a login
> >> script that detects the computer logged into, and if it is incorrect
> >> the script does an immediate logoff.
>
> >> You would of course add the user account to the login rights on
> >> the one desired machine, and to its Users group.
> >> Having done all of the above the account is reasonably restricted
> >> but it is still useable beyond what was intended, due to grants to
> >> Authenticated Users scattered about in your domain and in AD.
> >> Some of these are needed for the account to function as a domain
> >> account, the others are pretty tough to rule out if the initial design
> >> was not attempting to cover this scenario of account control.
>
> >> Roger
>
If you have more flexibility in rearranging the furniture, there is an
excellent way to do this. If you can aggregate this user - and
possibly others like him/her - into a new forest then you could use
Selective Authentication to restrict the user's access. Your scenario
sounds like exactly one of the use cases for this feature in Windows.
For more info see
http://technet2.microsoft.com/windowsserver/en/library/9266b197-7fc9-4bd8-8864-4c119ceecc001033.mspx?mfr=true
HTH,
Dave
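The steps Roger outlines earlier in the thread (an unused global group as primary group, the "Log On To" workstation restriction, membership of the local Users group on just one machine, and a logon script as a fallback) can be scripted. The following is an added example, not code from anyone in this thread: it uses the ActiveDirectory PowerShell module, which did not exist on the Windows Server 2003 that Allan runs (there the same steps are done in Active Directory Users and Computers), and all account, group and host names are placeholders. One detail the thread does not spell out: changing the primary group does not remove the account from Domain Users, the old primary group simply becomes an ordinary membership, so the script removes it explicitly.

```powershell
# Added example (not from the thread). Assumes the ActiveDirectory module
# (RSAT / Windows Server 2008 R2 or later) and rights to edit the account.
Import-Module ActiveDirectory

$UserName    = 'webonly.user'           # placeholder: the restricted account
$HolderGroup = 'PrimaryGroup-NoRights'  # placeholder: the "used nowhere" global group
$AllowedHost = 'WEBSRV01'               # placeholder: the one machine it may log on to

# 1. Create the global group that is granted nothing anywhere.
if (-not (Get-ADGroup -Filter "Name -eq '$HolderGroup'")) {
    New-ADGroup -Name $HolderGroup -GroupScope Global -GroupCategory Security
}

# 2. Make it the account's primary group. primaryGroupID stores the group's RID,
#    and AD only accepts the change if the user is already a member, so add first.
Add-ADGroupMember -Identity $HolderGroup -Members $UserName
$groupSid = (Get-ADGroup -Identity $HolderGroup).SID.Value
$rid      = [int]$groupSid.Split('-')[-1]
Set-ADUser -Identity $UserName -Replace @{ primaryGroupID = $rid }

# 3. Domain Users is now an ordinary membership and can be dropped, which is
#    what actually withdraws the grants conferred through that group.
Remove-ADGroupMember -Identity 'Domain Users' -Members $UserName -Confirm:$false

# 4. Restrict the workstations the account may log on to (the "Log On To..."
#    setting Roger refers to; enforced through NetBIOS computer names).
Set-ADUser -Identity $UserName -LogonWorkstations $AllowedHost

# 5. Verify the result before touching the target machine.
Get-ADUser -Identity $UserName -Properties primaryGroupID, LogonWorkstations, MemberOf |
    Select-Object Name, primaryGroupID, LogonWorkstations, MemberOf

# 6. On the web server itself (run locally, as an administrator): grant the
#    account membership of the local Users group, and therefore local logon.
#    net localgroup Users "DOMAIN\webonly.user" /add

# 7. Fallback logon script for the account, as Roger suggests for domains not
#    using NetBT: if the account has landed anywhere but the allowed host,
#    end the session immediately. Assign it as the account's logon script.
if ($env:COMPUTERNAME -ne $AllowedHost) {
    logoff
}
```

Step 7 is only a tripwire, not a boundary: a logon script runs after the session exists, so it limits what an interactive user can do on the wrong machine but does not prevent network authentication, which is exactly the residual "Authenticated Users" exposure Roger describes and the reason Dave's Selective Authentication suggestion is the cleaner answer when a separate forest is an option.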