Posted by Roger Abell [MVP] on May 8, 2007, 9:38 pm
>>
>>
>> > Hi Roger,
>>
>> > Thank you for the excellent answer.
>>
>> > It seems that the only way is to try as you suggest.
>>
>> > I was expecting something like your suggestion, but with your
>> > information,
>> > I think this could be a solution.
>>
>> > Again, thanks for your time.
>>
>> > /Allan
>>
>> No problem Allan. Good luck, as the case is hard to
>> resolve if the infrastructure was left at install defaults
>> relative to joined machines' Users group memberships
>> and/or user rights.
>>
>>
>>
>> >>> Hi,
>>
>> >>> I would like to create a domain-wide user account with almost no
>> >>> rights
>> >>> at all, except to use a web server inside a firewall.
>> >>> The reason, is to manage the user in the AD, but have the user behave
>> >>> like a local user account on a specified machine.
>>
>> >>> I am running a windows server 2003 and Active Directory.
>>
>> >>> Is it possible to create a Domain User Group that has no access at
>> >>> all,
>> >>> if so how to do it ?
>>
>> >>> Are there any pitfalls ?
>>
>> >>> I know that this is a kind of upside down, but nevertheless,
>> >>> necessary
>> >>> :-)
>>
>> >> Hi Allan,
>>
>> >> Most people fail to take explicit control over login rights on
>> >> individual machines, leaving Domain Users and Authenticated
>> >> Users as members in the Users group of domain joined machines.
>>
>> >> I will assume that is the case in your circumstance.
>>
>> >> If you define a domain global group, which you will use nowhere,
>> >> and after defining your user change the primary group of that user
>> >> from Domain Users to your custom, nowhere used domain global
>> >> group, then you have gone partway down the road of restricting
>> >> the grants normally allowed to any account (i.e. those conferred
>> >> by means of Domain Users).
>>
>> >> The account will still be recognized as an Authenticated User,
>> >> and there is nothing you can do to prevent that. So, the account
>> >> does still have some grants to it automatically. Those do in the
>> >> default (i.e. if control over login rights has not been designed as
>> >> part of the deployment) grant login to, for example, all client
>> >> machines. So, to limit this, if your domain uses NetBIOS over
>> >> TCP, use the properties of the account to limit the computers
>> >> the account is allowed to log into. If your domain does not use
>> >> NetBT, or if you want added protection, you can use a login
>> >> script that detects the computer logged into, and if it is incorrect
>> >> the script does an immediate logoff.
>>
>> >> You would of course add the user account to the login rights on
>> >> the one desired machine, and to its Users group.
>> >> Having done all of the above the account is reasonably restricted
>> >> but it is still usable beyond what was intended, due to grants to
>> >> Authenticated Users scattered about in your domain and in AD.
>> >> Some of these are needed for the account to function as a domain
>> >> account, the others are pretty tough to rule out if the initial design
>> >> was not attempting to cover this scenario of account control.
>>
>> >> Roger
>>
>
> If you have more flexibility in rearranging the furniture, there is an
> excellent way to do this. If you can aggregate this user - and
> possibly others like him/her - into a new forest then you could use
> Selective Authentication to restrict the user's access. Your scenario
> sounds like exactly one of the use cases for this feature in Windows.
> For more info see
>
http://technet2.microsoft.com/windowsserver/en/library/9266b197-7fc9-4bd8-8864-4c119ceecc001033.mspx?mfr=true
>
>
> HTH,
> Dave
>
Hi Dave,
Hopefully Allan notices your post and its good suggestion/information
(despite it being a reply to me rather than to him).
Roger
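As an added example, not part of the thread, here is how two of the steps Roger describes (a global group used nowhere else set as the account's primary group, and limiting the computers the account may log on to) look with the ActiveDirectory PowerShell module; the account, group and computer names are placeholders. It does not address the grants to Authenticated Users he mentions, which this method cannot remove.

```powershell
# Added example, not from the thread. Restrict a domain account per Roger's
# advice using the ActiveDirectory module. All names below are placeholders.
Import-Module ActiveDirectory

$User      = 'websvc-placeholder'      # placeholder account name
$GroupName = 'Unused-PrimaryGroup'     # placeholder: global group used nowhere else
$Allowed   = 'WEBSRV01'                # placeholder: the one machine the account may log on to

# 1. Create the otherwise-unused global security group if it does not exist yet.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security
}
# primaryGroupToken is the group's RID, the value primaryGroupID must point at.
$group = Get-ADGroup -Identity $GroupName -Properties primaryGroupToken

# 2. Make it the account's primary group. The user must already be a member,
#    and Domain Users can only be removed after the primary group has changed
#    (AD refuses to remove an account from its current primary group).
Add-ADGroupMember -Identity $group -Members $User
Set-ADUser -Identity $User -Replace @{ primaryGroupID = $group.primaryGroupToken }
Remove-ADGroupMember -Identity 'Domain Users' -Members $User -Confirm:$false

# 3. Limit logon to the single machine (the account's "Log On To..." setting).
Set-ADUser -Identity $User -LogonWorkstations $Allowed

# Verify that the primary group RID and workstation list reflect the restriction.
Get-ADUser -Identity $User -Properties primaryGroupID, LogonWorkstations |
    Select-Object Name, primaryGroupID, LogonWorkstations
```

Run it from an account that can modify the user and the two groups; the verify step should show primaryGroupID equal to the new group's RID rather than 513 (Domain Users).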