
Domain user rights

Status
Not open for further replies.

maya14

Technical User
May 8, 2007
274
ZA
I want domain users to have almost no rights on their PCs. I have created the users in SBS and when I add them to a PC I gave them restricted user rights under Control Panel/User Accounts.
Is this the best way to restrict domain users to their PCs, as I don’t want them to install any software or change system settings etc.?
Unfortunately when I do this users can't copy & paste to any local drive. Error message: access denied. Only if I give username\domain full access to the drive can they copy & paste.
How do I find the right balance between restricting users on the PC and also allowing them to have a functional PC?
 
I think it is the "restricted user rights" you are applying on the local workstation that is prohibiting disk access. That setting is basically making the workstation unpersonalizable, like you might set up in a kiosk at an internet cafe. I recommend just letting the users be standard Users in the domain and not setting any specific rights on the local workstation. Then they can write to disk but won't have admin rights on their systems that would allow them to install most software.

There are also many Group Policies that you can put in place that further restrict user activities, and that's where you'd want to work, not on the local workstation settings. The goal is to have a single centralized management policy to govern these sorts of things and not to have to touch individual workstations to make policy happen.

When you use the GPMC on SBS to work with Group Policy, never edit an existing policy for this sort of work. Always create a new policy and get it the way you want it before linking it to the domain or to an OU. Better yet, create a special OU in the ADUC and put a test user in it and apply your policies to that OU for testing before applying it to your domain. Read up on group policies, since they are VERY useful, but too complicated to be simply taught in the context of this forum.

Another answer to this is to implement Vista when you get a chance, since it deals with this situation out-of-the-box much better than XP does.

Dave Shackelford
MCSE, CCNA, Microsoft MVP: Exchange
Shackelford Consulting
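
The staging workflow described in the answer above (new GPO, test OU, test user, link to the OU only), as an added example that is not part of the original post. It assumes a management station with the ActiveDirectory and GroupPolicy PowerShell modules (RSAT, Windows Server 2008 R2 or later); the OU, GPO and account names are hypothetical placeholders.

```powershell
# Added example: stage a NEW GPO against a test OU before it reaches real users.
# Assumption: ActiveDirectory and GroupPolicy modules are installed (RSAT).
Import-Module ActiveDirectory, GroupPolicy

$domainDn = (Get-ADDomain).DistinguishedName
$ouName   = 'GPO-Test'                     # hypothetical test OU
$gpoName  = 'Restrict-Workstation-Users'   # hypothetical new policy name
$testUser = 'gpotest'                      # hypothetical, already-created test account
$ouDn     = "OU=$ouName,$domainDn"

# 1. Create the test OU only if it does not exist yet.
$existingOu = Get-ADOrganizationalUnit -Filter "Name -eq '$ouName'" `
                  -SearchBase $domainDn -SearchScope OneLevel
if (-not $existingOu) {
    New-ADOrganizationalUnit -Name $ouName -Path $domainDn
}

# 2. Never edit an existing policy: stop if the name is already taken.
if (Get-GPO -Name $gpoName -ErrorAction SilentlyContinue) {
    throw "GPO '$gpoName' already exists; choose a new name instead of editing it."
}
$gpo = New-GPO -Name $gpoName -Comment 'Staging: linked to the test OU only'

# 3. Link the new (still empty) GPO to the test OU, not to the domain.
New-GPLink -Guid $gpo.Id -Target $ouDn -LinkEnabled Yes | Out-Null

# 4. Move the test user into the test OU so only that account receives the policy.
Get-ADUser -Identity $testUser | Move-ADObject -TargetPath $ouDn

# 5. Verify the blast radius: the GPO must be linked on the test OU
#    and must NOT be linked at the domain root.
(Get-GPInheritance -Target $ouDn).GpoLinks |
    Select-Object DisplayName, Enabled, Enforced, Order

$rootLinks = (Get-GPInheritance -Target $domainDn).GpoLinks
if ($rootLinks.DisplayName -contains $gpoName) {
    Write-Warning "'$gpoName' is linked at the domain root; remove that link before testing."
}

# 6. Keep an HTML report of the GPO for review; re-run this step after
#    the restrictions have been configured in GPMC to record what was tested.
$report = Join-Path $env:TEMP "$gpoName.html"
Get-GPOReport -Guid $gpo.Id -ReportType Html -Path $report
```

The restrictions themselves are still configured in the GPMC editor; log on as the test user and run `gpresult /r` on a workstation to confirm the policy applied before linking it anywhere else.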
 