How to created a VERY limited user account/group

djpingpong

Programmer
Jul 6, 2004
70
Hi all,

I have my Active Directory set up in our Windows 2000 domain.
Now, with visitors coming into our plant, I need to create either a single user or a user group (doesn't really matter) that has very restricted access. I only want them to run a specific application and restrict everything else. Ex: Internet Explorer, Games, Windows Explorer, etc....

What is the best way to do this?
I've created a group policy for our office with a list of users and computers... and one particular user account "temp_user" is what I want to limit to only running an MS Access application that we have running on our plant floor.

Can this be done?
 
Could you not create a local account rather than a domain account? I think you're going to struggle on a domain level.


Carlsberg don't run I.T departments, but if they did they'd probably be more fun.
 
No.. I cannot create a local account.
That would defeat the whole purpose of Active Directory and organizing all the entities in our domain.

I can't just have people log on locally just because I can't figure out some things about Active Directory and group policies.
 
You could use restricted groups to manage local group membership.


To block applications, you can use "Run only allowed Windows applications" and "Don't run specified Windows applications".

When you are the IT director, it's your job to make sure the IT works. If it does work they know already and if it doesn't, they don't want to hear your pathetic excuses.
 
"Now, with visitors coming into our plant"

I assumed this was a one-off or infrequent occurrence.


Carlsberg don't run I.T departments, but if they did they'd probably be more fun.
 
Grenage does have a very good point: if this is only for a short time on a few PCs, then it would be less hassle to do this locally.

When you are the IT director, it's your job to make sure the IT works. If it does work they know already and if it doesn't, they don't want to hear your pathetic excuses.
 
Well... again, like I said earlier... I don't want to do this locally on any PCs...

Because there are temp workers coming in and out of our plant and they need to log on to any of the 20 computers around the plant floor....

That's why I want to restrict their account access: I would have no idea which computer the temp users would be using.

BTW.. thanks for the links porkchopexpress
 
I have a similar situation; you need a combination of tools.

First, the workstations: if you can, stick in a thin client, the sort you get from Wyse.

Then you have the system launch a terminal server session automatically on boot.

The TS session can be set to launch a specific app based on the login you use on the thin client; this is done on the Environment tab in AD.

This login should be part of an OU, and you edit the group policy of that OU to tighten things down as far as you like.

For internet, you could set the home page to a local page that says internet access is not available. Then use the AD group policy to force a proxy that does not exist, e.g. 10.10.10.10 with a port of 8250.

Finally, just in case, you need to create a limited profile: start off with a basic profile and get deleting. On my system, if for some reason an admin unticked the setting that launches the app, then the user would get a desktop. However, I have it locked down so tight that there are no icons, they can't right-click anything, and the only option on the menu is logout.

You could achieve the same thing on a PC with AD, but the thin client is slicker.

If you do use a PC, you may want to segment it off on a different VLAN and remove the CD and floppy drive cables, then use the BIOS to disable USB.
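An added example, not code from any poster in this thread: a PowerShell audit that, run as the logged-on temp account on one of the plant-floor PCs, reports what the two Explorer policies porkchopexpress named and the forced-proxy setting from the previous post actually applied. It reads only the registry locations those policies write; the expected program list (msaccess.exe) is an assumption standing in for the thread's Access application.

```powershell
# Added example (not from the thread): verify the per-user lockdown on the machine
# where the temp account is logged on. $ExpectedAllowed is an assumption.
param([string[]]$ExpectedAllowed = @('msaccess.exe'))

$explorerPol = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$ieSettings  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

function Get-PolicyList([string]$Base, [string]$Name) {
    # "Run only allowed..." and "Don't run specified..." store their program lists as
    # string values named "1", "2", ... in a subkey called RestrictRun / DisallowRun.
    $sub = Join-Path $Base $Name
    if (-not (Test-Path $sub)) { return @() }
    $key = Get-Item $sub
    $key.GetValueNames() | Sort-Object { [int]$_ } | ForEach-Object { $key.GetValue($_) }
}

# The DWORD flags that switch each Explorer policy on (1 = enabled).
$flags      = Get-ItemProperty -Path $explorerPol -ErrorAction SilentlyContinue
$restrictOn = ([int]$flags.RestrictRun -eq 1)   # "Run only allowed Windows applications"
$disallowOn = ([int]$flags.DisallowRun -eq 1)   # "Don't run specified Windows applications"
$allowed    = @(Get-PolicyList $explorerPol 'RestrictRun')
$denied     = @(Get-PolicyList $explorerPol 'DisallowRun')

"RestrictRun enabled : $restrictOn  -> allowed: $($allowed -join ', ')"
"DisallowRun enabled : $disallowOn  -> denied : $($denied -join ', ')"

# Any program on the allow list beyond the expected one widens the lockdown.
$unexpected = @($allowed | Where-Object { $ExpectedAllowed -notcontains $_ })
if (-not $restrictOn)   { Write-Warning 'Allow-list policy is not in effect for this user.' }
elseif ($unexpected)    { Write-Warning "Unexpected allowed programs: $($unexpected -join ', ')" }
else                    { 'Allow list matches the expected application(s).' }

# The forced-proxy trick: IE should have a proxy enabled and pointed at the bogus
# address. Assumes the policy wrote to the user's Internet Settings key, as IE
# Maintenance settings do.
$proxy = Get-ItemProperty -Path $ieSettings -ErrorAction SilentlyContinue
"ProxyEnable: $([int]$proxy.ProxyEnable)  ProxyServer: $($proxy.ProxyServer)"
if ([int]$proxy.ProxyEnable -ne 1) {
    Write-Warning 'No proxy is enforced; direct web access is still possible.'
}
```

Both Explorer policies govern only programs started through the Windows shell, which is why the terminal-server "start this program" approach above does not rely on them.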