Click here to get back home

new user with different privileges
 HomeNewsGroups | Search | About
Login Password
Register Now!
 microsoft.public.windows.server.security    Post an article   get this group's latest topics as an RSS feed add this group's latest topics to your My MSN content add this group's latest topics to your My Yahoo content
Subject Author Date
new user with different privileges juannorton 06-27-2005
Posted by juannorton on June 27, 2005, 7:02 am
Please log in for more thread options
 HI to all, I created a new user and group under win2003server.

I do not know how to restrict this user to:
-Shutdown/Restart the system
-Execute Administrative Tools
-Execute run program
-Deny to install programs
-Hide folders that he is not allowed to access.

Any help will be appreciate!

Thanks

Juan



Posted by Steven L Umbach on June 27, 2005, 11:36 am
Please log in for more thread options
 Configure the user right for "shutdown the system" so that it does not
include groups that the user is a member of on the computers that they
operate. You could leave just administrators for that user right. User
rights can be managed via Group Policy at the domain/OU level for domain
computers.

Make sure that the user is not a local administrator if you do not want them
to use administrative tools.

If the client computers are XP Pro then use Software Restriction Policies to
manage what the users can use and install via hash/certificate/path rules.
See the link below and be sure to test thoroughly before implementing. For
Windows 2000 SRP do not apply and you will have to rely on not making the
user a local administrator, restrictive ntfs permissions, and Group Policy
to restrict the use of an application which is not near as effective as SRP.

http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/rstrplcy.mspx
http://support.microsoft.com/default.aspx?scid=kb;en-us;323525 --- for
Windows 2000 and there is another similar GP setting for run "only" allowed
Windows applications.

Make sure that the users do not have share and/or ntfs permissions to
folders that they should not access. Keep in mind that the lack of any
permission is an implicit deny. The links below explain configuring ntfs
permissions for XP though almost all applies to Windows 2000/2003 with the
exception that simple file sharing is unique to XP but should automatically
be disabled on a domain computer anyhow.

http://support.microsoft.com/default.aspx?scid=kb;en-us;308418
http://support.microsoft.com/kb/308419/

Refer to TechNet Security center for much more information and I suggest you
read the security guides for the operating systems you use. --- Steve

http://www.microsoft.com/technet/security/default.mspx

> HI to all, I created a new user and group under win2003server.
>
> I do not know how to restrict this user to:
> -Shutdown/Restart the system
> -Execute Administrative Tools
> -Execute run program
> -Deny to install programs
> -Hide folders that he is not allowed to access.
>
> Any help will be appreciate!
>
> Thanks
>
> Juan
>




Similar ThreadsPosted
Listing user privileges March 3, 2006, 9:09 am
Administrative privileges June 22, 2007, 7:54 pm
Restricting service accounts that have administrator privileges July 8, 2007, 12:10 pm
How to set different USB access privileges in Win2K\WinXP\Win2003 March 15, 2008, 9:20 pm
Unexpected security restriction for a user in both a user and administrative group. April 24, 2008, 10:05 pm
SBS new user wizard -v- manual user setup June 7, 2006, 10:19 pm
User Account Created - 624 And User Account Enabled - 626 for Hel October 13, 2005, 1:56 pm
Is it possible to use the Windows 2003 user names instead of pre-Windows 2000 user names in Windows Authentication? September 5, 2006, 9:27 am
Get FTP user name October 25, 2006, 4:46 am
user rights August 15, 2005, 10:13 am

Our other projects:

Art Dolls, Fairies and Mermaids - Sunnyfaces.net

Roy's Linux, Programming and Search Engines messages

1-Script XML SitemapXML Sitemap