Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations SkipVought on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

creating policy's

Status
Not open for further replies.
miguel1973

miguel1973

Technical User
Jan 16, 2003
24
0
0
GB
Hi,
I am currently playing about with active directory with the hope of implementing it on our new domain. I am wanting to deny users access to certain drives on the domain controller. How do I go about this? is it through creating policy's?

Thanks
Miguel
 
Sort by date Sort by votes
Miguelmiggs,

Your drives, just as your other Win2K resources can be protected with the ACL (Access Control List)

Keep in mind that if a user 'browses' the network the only things that will be visible to them will be resources you have 'shared' out.

Your drives are an 'administrative' share, in that Windows has made them hidden shares and shared them out with the extension '$'. Only those who know to specifically add the '$' to the drive spec could indeed access them. For example you could go to a RUN line and type \\servername\c$ and this will allow you access to the C drive of 'servername'. However if you only typed \\servername\c, you could not get there.

However, anything that was 'shared' out on the C drive would show up to users browsing the network. You can then lock the shares down using NTFS permissions in the ACL.



Hope this helps,

Patty [ponytails2]
 
Upvote 0 Downvote
Another way to secure and hide objects is to place them in an OU and disable "list Directory contents" (or something), to what ever group you want to disallow access or viewing, in the ACL....
 
Upvote 0 Downvote
The clients on the network will only be able to access shares that are made available. If its not shared, then it can't be accessed over the network... only locally. To see what shares you currently have, right click my computer, manage, shared folders. grneyedlady is correct about the $ sign, those shares will be hidden. Also, the c$, d$, etc drive shares have administrative rights assigned to them (must be an administrator to access) and you can't remove those shares because they are built in. The recommended practice is to create folders, and then share the folders. Share permissions are normally kept 'loose' and you then clamp down with NTFS permissions.

If you are concerned about the drives being accessed by a direct login to the server, the default is to allow only specific groups the local login right... see domain controllers group policy\computer configuration\windows settings\security settings\local policies\user rights assignment. The average domain user can't log directly into the server.

So, your resources are protected by either not sharing them, sharing them but restricting access through NTFS permissions, or not allowing them to access them through a direct login to the server through a group policy.
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

tektipssiva
  • Locked
  • Question
Need help on creating system event log
Replies
1
Views
54
markdmac
markdmac
Cobby1812
  • Locked
  • Question
Creating a Service in Windows 2008 R2
Replies
0
Views
43
Cobby1812
Cobby1812
DrB0b
  • Locked
  • Question
Creating strick remote log on restrictions
Replies
0
Views
13
DrB0b
DrB0b
Sniffer2112
  • Locked
  • Question
Server 2008, creating a GPO to force ACL permissions to event logs
Replies
1
Views
19
Sniffer2112
Sniffer2112
meckeard
  • Locked
  • Question
Creating numerous virtual directories on Win Server 2008
Replies
3
Views
38
sampko
sampko

Part and Inventory Search

Sponsor

Back
Top