Re: How to create a user with access to one server only.
- From: DaveMo <david.mowers@xxxxxxxxx>
- Date: 8 May 2007 06:51:03 -0700
On May 7, 10:01 pm, "Roger Abell [MVP]" <mvpNoS...@xxxxxxx> wrote:
"Allan Bentsen" <allanbent...@xxxxxxxxxxxxxxxxx> wrote in message
news:ehxLNiBkHHA.1240@xxxxxxxxxxxxxxxxxxxxxxx
Hi Roger,
Thank you for the excellent answer.
It seems that the only way is to try as you suggest.
I was expecting something like your suggestion, but with your information,
I think this could be a solution.
Again, thanks for your time.
/Allan
No problem Allan. Good luck, as the case is hard to
resolve if the infrastructure was left at install defaults
relative to joined machines Users group memberships
and/or user rights.
"Roger Abell [MVP]" <mvpNoS...@xxxxxxx> wrote in message
news:etxeI06iHHA.4896@xxxxxxxxxxxxxxxxxxxxxxx
"Allan Bentsen" <allanbent...@xxxxxxxxxxxxxxxxx> wrote in message
news:uFTBUUxiHHA.4732@xxxxxxxxxxxxxxxxxxxxxxx
Hi,
I would like to create a domain-wide user account with almost no rights
at all, except to use a web server inside a firewall.
The reason, is to manage the user in the AD, but have the user behave
like a local user account on a specified machine.
I am running a windows server 2003 and Active Directory.
Is it possible to create a Domain User Group that has no access at all,
and if so, how do I do it?
Are there any pitfalls ?
I know that this is a kind of upside down, but nevertheless, necessary :-)
Hi Allan,
Most people fail to take explicit control over login rights on
individual machines, leaving Domain Users and Authenticated
Users as members in the Users group of domain joined machines.
I will assume that is the case in your circumstance.
If you define a domain global group, which you will use nowhere,
and after defining your user change the primary group of that user
from Domain Users to your custom, nowhere used domain global
group, then you have gone partway down the road of restricting
the grants normally allowed to any account (i.e. those conferred
by means of Domain Users).
The account will still be recognized as an Authenticated User,
and there is nothing you can do to prevent that. So, the account
does still have some grants to it automatically. Those do in the
default (i.e. if control over login rights has not been designed as
part of the deployment) grant login to, for example, all client
machines. So, to limit this, if your domain uses NetBIOS over
TCP, use the properties of the account to limit the computers
the account is allowed to log into. If your domain does not use
NetBT, or if you want added protection, you can use a login
script that detects the computer logged into, and if it is incorrect
the script does an immediate logoff.
You would of course add the user account to the login rights on
the one desired machine, and to its Users group.
Having done all of the above the account is reasonably restricted
but it is still usable beyond what was intended, due to grants to
Authenticated Users scattered about in your domain and in AD.
Some of these are needed for the account to function as a domain
account, the others are pretty tough to rule out if the initial design
was not attempting to cover this scenario of account control.
Roger
If you have more flexibility in rearranging the furniture, there is an
excellent way to do this. If you can aggregate this user - and
possibly others like him/her - into a new forest then you could use
Selective Authentication to restrict the user's access. Your scenario
sounds like exactly one of the use cases for this feature in Windows.
For more info see
http://technet2.microsoft.com/windowsserver/en/library/9266b197-7fc9-4bd8-8864-4c119ceecc001033.mspx?mfr=true
HTH,
Dave
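The two AD-side steps Roger describes (swap the primary group to a nowhere-used global group, then restrict the "Log On To" computers) as an added PowerShell example that is not part of the thread. It assumes the ActiveDirectory module (RSAT, newer than the 2003-era thread) and the constructed names websvc, NoRights-Primary and WEB01.

```powershell
# Added example, not from the thread. Assumed names: user 'websvc', the
# nowhere-used global group 'NoRights-Primary', the single server 'WEB01'.
Import-Module ActiveDirectory

$User        = 'websvc'
$HolderGroup = 'NoRights-Primary'   # assumed: global group granted nothing anywhere
$Server      = 'WEB01'              # assumed: the only computer the account may log on to

# 1. Create the unused global security group that will become the primary group.
if (-not (Get-ADGroup -Filter "Name -eq '$HolderGroup'")) {
    New-ADGroup -Name $HolderGroup -GroupScope Global -GroupCategory Security `
        -Description 'Primary group holder; intentionally granted nothing'
}

# 2. A user must already be a member of a group before it can become the primary
#    group, and primaryGroupID stores the group's RID (primaryGroupToken), not its DN.
Add-ADGroupMember -Identity $HolderGroup -Members $User
$Rid = (Get-ADGroup -Identity $HolderGroup -Properties primaryGroupToken).primaryGroupToken
Set-ADUser -Identity $User -Replace @{ primaryGroupID = $Rid }

# 3. Only now can the account leave Domain Users (AD refuses to remove a user
#    from its current primary group), which drops the grants conferred by it.
Remove-ADGroupMember -Identity 'Domain Users' -Members $User -Confirm:$false

# 4. The "Log On To" restriction from the account properties sheet. It is matched
#    on the NetBIOS computer name, which is the NetBT caveat raised in the thread.
Set-ADUser -Identity $User -LogonWorkstations $Server

# Verify. Grants to Authenticated Users remain untouched, as the thread notes, and the
# server-side step (adding the account to WEB01's Users group and logon rights) is separate.
Get-ADUser -Identity $User -Properties primaryGroupID, LogonWorkstations, MemberOf |
    Select-Object SamAccountName, primaryGroupID, LogonWorkstations, MemberOf
```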