Re: Windows equiv of UNIX "Restricted Users"??



"Arthur Dent" <hitchhikersguideto-news@xxxxxxxxx> wrote in message
news:2E6D3B4B-44F2-459B-BDE5-1FAB71F0D3AC@xxxxxxxxxxxxxxxx
Yah, that's what I wound up doing... going with the local machine account.
I was just curious if there was any way to effect that kind of domain user;
it's a network I did not set up, and am coming into semi-admining after the
fact, so I don't have control of how things were done... and was just hoping
there would be some way of doing it without having to go modify every
network resource after the fact to remove the Everyone access.
I guess not....
Thanks for the help though! :)


Yep, I understand; but no, there is no magic "Everyone does not mean
Everyone" button, so it always will mean any account in the forest
(and optionally also anonymous can be included).



"Roger Abell [MVP]" <mvpNoSpam@xxxxxxx> wrote in message
news:O5XJ06KVHHA.1212@xxxxxxxxxxxxxxxxxxxxxxx
If as one builds out a Windows AD domain one does not spec the
allowed login usages of machines (local and net) and so one just
lets things default, then you end up pretty much with any domain
account able to access any non-DC either way (it is actually even
more loose than that).

Just because the defaults exist does not mean one should accept
them, since, after all, they are defined to be reasonably restrictive
while yet allowing for the most common scenarios to work.

If each machine as added is controlled as to the allowed local
and network logins based on its use case, then your need would
be simply filled. However, with Everyone and Users still in
the Network and Users still in the local login rights on numerous
machines, defining a domain account does grant broad access.
Under those conditions use of a machine local account can often
be the most simple solution to effect restriction.

Roger
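
An added example, not part of the original thread: one way to check a machine for the condition described above, where Everyone or Users still hold the network and local logon rights. It parses the `[Privilege Rights]` section of a `secedit` user-rights export; the function names and the sample export are constructed for illustration.

```python
# Added example: flag broad principals in logon rights (secedit /export /cfg rights.inf /areas USER_RIGHTS)
import re

# Well-known SIDs that admit (nearly) every account.
BROAD_SIDS = {
    "S-1-1-0": "Everyone",
    "S-1-5-11": "Authenticated Users",
    "S-1-5-32-545": "BUILTIN\\Users",
}
DOMAIN_USERS = re.compile(r"^S-1-5-21-\d+-\d+-\d+-513$")  # <domain>\Domain Users
LOGON_RIGHTS = {
    "SeNetworkLogonRight": "Access this computer from the network",
    "SeInteractiveLogonRight": "Allow log on locally",
}

# Constructed sample of an export (not taken from a real machine).
SAMPLE_INF = """\
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544,*S-1-5-32-545,*S-1-5-32-551
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545,*S-1-5-21-1111111111-2222222222-3333333333-513
SeDenyNetworkLogonRight = *S-1-5-32-546
"""

def broad_name(sid):
    """Name of a broad principal, or None if the SID is not one."""
    if DOMAIN_USERS.match(sid):
        return "Domain Users"
    return BROAD_SIDS.get(sid)

def broad_logon_rights(inf_text):
    """Return {right: [broad principal names]} for the two logon rights."""
    findings, section = {}, None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section != "Privilege Rights" or "=" not in line:
            continue
        right, _, members = (p.strip() for p in line.partition("="))
        sids = (m.strip().lstrip("*") for m in members.split(","))
        hits = [n for n in map(broad_name, sids) if n]
        if right in LOGON_RIGHTS and hits:
            findings[right] = hits
    return findings

if __name__ == "__main__":
    for right, who in broad_logon_rights(SAMPLE_INF).items():
        print(f"{LOGON_RIGHTS[right]} ({right}): {', '.join(who)}")
```

A real export file is typically UTF-16, so read it with `open(path, encoding="utf-16")` before passing the text in.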


