Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations strongm on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Question about security policy

Status
Not open for further replies.
ditchmagnet

ditchmagnet

Technical User
Feb 9, 2009
15
US
I have users accessing terminal server remotely, and would like to be able to restrict what they can access during their session. Every user appears to have full control of the system during their session.
I have tried creating a Restricted Users group, then adding a member, then going to C: properties, then to security tab, and un-checking everything. Then I went to just the folders I want them to access and set permissions on them. Once I logged on as the user in the Restricted Users group, they still had access to everything.

What can I do?
 
Sort by date Sort by votes
I figured it out. I basically did everything I already did, but chose deny for list directory contents on C:, then on folders I want the group to access, I unchecked inherit permissions, and set the to modify.

Now one more question, since I cannot create additional containers in AD, is it OK to use a OU? I want to move my groups out of the users container into their own container.

Thanks
 
Upvote 0 Downvote
Groups should have their own OU..you will be fine. I break mine in to seperate OU's (security and DL) Get granular with your AD structure...it really helps in GPO's and finding stuff :)

_______________________________________
Great knowledge can be obtained by mastering the Google algorithm.
 
Upvote 0 Downvote
We have seperate OU's for security groups and distribution groups. The security groups has two sub OU's, one for resource groups, one for user roles. On the file systems, we apply ntfs permissions to the resource groups (domain local groups). In AD, we add roll groups (domain groups) as members of the resource groups. When someone gets hired, all we have to do is grant them a role membership. Our resource group names reflect the locations where permissions are applied i.e. rsc_server_share_folder_sub-[f,r,w,m] (full,read,write,modify). The role names reflect the user roles i.e. rol_accounts_receivable.

Start, Help. You'll be surprised what's there. A+/MCP/MCSE/MCDBA
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

edgar28
  • Locked
  • Question
Question on Network cards - Windows Server 2019
Replies
1
Views
101
DrB0b
DrB0b
DrB0b
  • Locked
  • Question
HyperV Virtual Switch and Physical NIC question
Replies
3
Views
90
DrB0b
DrB0b
DrB0b
  • Locked
  • Question
General Windows Server Datacenter/Standard Licensing Question
Replies
1
Views
66
DrB0b
DrB0b
rrmcguire
  • Locked
  • Question
group policy to set dns
Replies
2
Views
143
rrmcguire
rrmcguire
Krus1972
  • Locked
  • Question
Web.Config URL Rewrite Question
Replies
0
Views
59
Krus1972
Krus1972

Part and Inventory Search

Sponsor

Back
Top