Re: Windows equiv of UNIX "Restricted Users"??



If as one builds out a Windows AD domain one does not spec the
allowed login usages of machines (local and net) and so one just
lets things default, then you end up pretty much with any domain
account able to access any non-DC either way (it is actually even
more loose than that).

Just because the defaults exist does not mean one should accept
them, since, after all, they are defined to be reasonably restrictive
while yet allowing for the most common scenarios to work.

If each machine as added is controlled as to the allowed local
and network logins based on its use case, then your need would
be simply filled. However, with Everyone and Users still in
the Network and Users still in the local login rights on numerous
machines, defining a domain account does grant broad access.
Under those conditions use of a machine local account can often
be the most simple solution to effect restriction.

Roger

"Arthur Dent" <hitchhikersguideto-news@xxxxxxxxx> wrote in message
news:3BA242A6-6BF5-4317-A691-D4CC36A0F72D@xxxxxxxxxxxxxxxx
Hi all,

I am wondering, is there a way, to make a user in the Active Directory,
who has perms something like a "Restricted User" in Unix?
We need to give this guy access to our network to demo some software to
him, and he is going to RDC into one of our machines. I was going to
create a domain user, and only give him logon rights to that one machine,
but in testing, realized he'd still get access to the network through all
the shares. (For now I'm going to just go with a local machine account
instead of domain, but I'm curious, conceptually)...
So I want to know if it's possible to create a domain user, who despite all
the "Everyone" permissions in Windows, will be limited to have access ONLY
to what I give him explicit access to... and will NOT be given implicit
rights through the Everyone group... there is just too much work to be
able to do it right now, to remove all the "Everyones".
I thought maybe putting him in the "Domain Guests" group would limit him,
but it didn't.
Searched on Google a bunch of different ways, and could not find
anything....

Thanks in advance,
Arthur Dent.
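
One way to check a machine for the condition described in the reply above (Everyone or Users still holding the network and local logon rights), as an added example that is not part of the original thread. It parses the [Privilege Rights] section of a `secedit` user-rights export; the function name Find-BroadLogonRight is hypothetical and the export and the domain SID in it are constructed sample data.

```powershell
# Constructed sample of what `secedit /export /cfg rights.inf /areas USER_RIGHTS`
# writes; on a real machine pass (Get-Content .\rights.inf) instead.
$sampleInf = @'
[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544,*S-1-5-32-545
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545
SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-21-1111111111-2222222222-3333333333-513
SeBackupPrivilege = *S-1-5-32-544
[Version]
signature="$CHICAGO$"
'@

# The three rights that decide who may log on to the machine, and how.
$LogonRights = @{
    SeNetworkLogonRight           = 'Access this computer from the network'
    SeInteractiveLogonRight       = 'Allow log on locally'
    SeRemoteInteractiveLogonRight = 'Allow log on through Remote Desktop Services'
}
# Well-known SIDs that take in every (or nearly every) domain account.
$BroadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
}

function Find-BroadLogonRight {   # hypothetical helper name
    param([string[]]$InfLines)
    $inSection = $false
    foreach ($raw in $InfLines) {
        $line = $raw.Trim()
        if ($line -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
        if (-not $inSection) { continue }
        if ($line -match '^(\w+)\s*=\s*(.*)$' -and $LogonRights.ContainsKey($Matches[1])) {
            $right = $Matches[1]
            foreach ($entry in ($Matches[2] -split ',')) {
                $sid  = $entry.Trim().TrimStart('*')   # SIDs are exported as *S-1-...
                $name = $BroadSids[$sid]
                # Domain Users is <domain SID>-513, so recognise it by its RID.
                if (-not $name -and $sid -match '^S-1-5-21-[\d-]+-513$') { $name = 'Domain Users' }
                if ($name) {
                    [pscustomobject]@{ Right = $right; Meaning = $LogonRights[$right]; Principal = $name; Sid = $sid }
                }
            }
        }
    }
}

Find-BroadLogonRight -InfLines ($sampleInf -split "`r?`n") | Format-Table -AutoSize
```

Each row returned is a logon right on that machine that a newly created domain account inherits without any explicit grant; SeBackupPrivilege is skipped because it is not a logon right.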

