Re: new user with different privileges

From: Steven L Umbach (n9rou_at_nospam-comcast.net)
Date: 06/27/05


Date: Mon, 27 Jun 2005 11:36:55 -0500

Configure the user right for "shutdown the system" so that it does not
include groups that the user is a member of on the computers that they
operate. You could leave just administrators for that user right. User
rights can be managed via Group Policy at the domain/OU level for domain
computers.

Make sure that the user is not a local administrator if you do not want them
to use administrative tools.

If the client computers are XP Pro, then use Software Restriction Policies to
manage what the users can use and install via hash/certificate/path rules.
See the link below and be sure to test thoroughly before implementing. For
Windows 2000, SRP do not apply and you will have to rely on not making the
user a local administrator, restrictive NTFS permissions, and Group Policy
to restrict the use of an application, which is not nearly as effective as SRP.

http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/rstrplcy.mspx
http://support.microsoft.com/default.aspx?scid=kb;en-us;323525 --- for
Windows 2000 and there is another similar GP setting for run "only" allowed
Windows applications.

Make sure that the users do not have share and/or NTFS permissions to
folders that they should not access. Keep in mind that the lack of any
permission is an implicit deny. The links below explain configuring NTFS
permissions for XP, though almost all applies to Windows 2000/2003 with the
exception that simple file sharing is unique to XP but should automatically
be disabled on a domain computer anyhow.

http://support.microsoft.com/default.aspx?scid=kb;en-us;308418
http://support.microsoft.com/kb/308419/

Refer to TechNet Security center for much more information and I suggest you
read the security guides for the operating systems you use. --- Steve

http://www.microsoft.com/technet/security/default.mspx

<juannorton@gmail.com> wrote in message
news:1119880797.591542.280370@f14g2000cwb.googlegroups.com...
> Hi to all, I created a new user and group under win2003server.
>
> I do not know how to restrict this user to:
> -Shutdown/Restart the system
> -Execute Administrative Tools
> -Execute run program
> -Deny to install programs
> -Hide folders that he is not allowed to access.
>
> Any help will be appreciated!
>
> Thanks
>
> Juan
>
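
Added example, not part of the original post: a Python check that the "Shut down the system" right (SeShutdownPrivilege) is held only by Administrators, run over the [Privilege Rights] section of a `secedit /export /cfg rights.inf /areas USER_RIGHTS` file. The sample export is constructed, the function names are hypothetical, and a real export is normally UTF-16 encoded, so read it with `encoding="utf-16"`.

```python
# Added example: audit a user right in a secedit USER_RIGHTS export.
WELL_KNOWN = {  # built-in local group SIDs
    "S-1-5-32-544": "Administrators",
    "S-1-5-32-545": "Users",
    "S-1-5-32-547": "Power Users",
    "S-1-5-32-551": "Backup Operators",
}

# Constructed sample of an exported security template (not from a real host).
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeShutdownPrivilege = *S-1-5-32-544,*S-1-5-32-545,*S-1-5-32-551
SeRemoteShutdownPrivilege = *S-1-5-32-544
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
[Version]
signature="$CHICAGO$"
Revision=1
"""

def parse_privilege_rights(inf_text):
    """Return {right: [principal, ...]} from the [Privilege Rights] section."""
    rights, section = {}, None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section == "privilege rights" and "=" in line:
            name, _, value = line.partition("=")
            # SIDs carry a leading '*'; unresolved accounts appear as plain names.
            rights[name.strip()] = [p.strip().lstrip("*")
                                    for p in value.split(",") if p.strip()]
    return rights

def unexpected_holders(inf_text, right="SeShutdownPrivilege",
                       allowed=("S-1-5-32-544",)):
    """Principals holding `right` that are not in `allowed` (default: Administrators)."""
    holders = parse_privilege_rights(inf_text).get(right, [])
    allowed_ci = {a.lower() for a in allowed}
    return [WELL_KNOWN.get(h, h) for h in holders if h.lower() not in allowed_ci]

if __name__ == "__main__":
    for right in ("SeShutdownPrivilege", "SeRemoteShutdownPrivilege"):
        extra = unexpected_holders(SAMPLE_INF, right)
        print(right, "->", "OK" if not extra else "remove: " + ", ".join(extra))
```

A right that is missing from the export is assigned to no one, so it reports no unexpected holders.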


