Question about security policy

Status
Not open for further replies.

ditchmagnet

Technical User
Feb 9, 2009
15
US
I have users accessing terminal server remotely, and would like to be able to restrict what they can access during their session. Every user appears to have full control of the system during their session.
I have tried creating a Restricted Users group, then adding a member, then going to C: properties, then to security tab, and un-checking everything. Then I went to just the folders I want them to access and set permissions on them. Once I logged on as the user in the Restricted Users group, they still had access to everything.

What can I do?
 
I figured it out. I basically did everything I already did, but chose deny for list directory contents on C:, then on folders I want the group to access, I unchecked inherit permissions, and set them to modify.

Now one more question, since I cannot create additional containers in AD, is it OK to use an OU? I want to move my groups out of the users container into their own container.

Thanks
 
Groups should have their own OU... you will be fine. I break mine into separate OUs (security and DL). Get granular with your AD structure... it really helps in GPOs and finding stuff :)

_______________________________________
Great knowledge can be obtained by mastering the Google algorithm.
 
We have separate OUs for security groups and distribution groups. The security groups have two sub-OUs, one for resource groups, one for user roles. On the file systems, we apply NTFS permissions to the resource groups (domain local groups). In AD, we add role groups (domain groups) as members of the resource groups. When someone gets hired, all we have to do is grant them a role membership. Our resource group names reflect the locations where permissions are applied, i.e. rsc_server_share_folder_sub-[f,r,w,m] (full, read, write, modify). The role names reflect the user roles, i.e. rol_accounts_receivable.

Start, Help. You'll be surprised what's there. A+/MCP/MCSE/MCDBA
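
The role group / resource group layout described in the last reply, sketched in PowerShell as an added example that is not code from any poster in this thread. The domain, OU paths, server name `fs01`, folder path and user `jdoe` are hypothetical, the OUs are assumed to exist already, and treating the "domain groups" used for roles as global-scope groups is an assumption.

```powershell
# Added example. Every name below (domain, OUs, fs01, folder, jdoe) is hypothetical.
# Run on the file server that holds $folder, with the ActiveDirectory module installed.
Import-Module ActiveDirectory

$domainDn   = 'DC=example,DC=local'                                # assumed domain
$netbios    = 'EXAMPLE'                                            # assumed NetBIOS name
$resourceOu = "OU=Resource Groups,OU=Security Groups,$domainDn"    # assumed to exist
$roleOu     = "OU=User Roles,OU=Security Groups,$domainDn"         # assumed to exist
$folder     = 'D:\Shares\Finance\AR'                               # assumed folder

# Map the name suffix from the thread's convention to an icacls right.
$rights = @{ f = 'F'; r = 'R'; w = 'W'; m = 'M' }

# 1. Resource groups: domain local, one per permission level actually needed,
#    named rsc_<server>_<share>_<folder>-<suffix>.
foreach ($suffix in 'r', 'm') {
    $name = "rsc_fs01_finance_ar-$suffix"
    New-ADGroup -Name $name -SamAccountName $name `
        -GroupScope DomainLocal -GroupCategory Security -Path $resourceOu

    # NTFS permissions go on the resource group only, never on users or roles.
    # (OI)(CI) makes the entry inherit to files and subfolders.
    icacls $folder /grant "${netbios}\${name}:(OI)(CI)$($rights[$suffix])"
}

# 2. Role group: holds the people who do a job (global scope is an assumption).
New-ADGroup -Name 'rol_accounts_receivable' -SamAccountName 'rol_accounts_receivable' `
    -GroupScope Global -GroupCategory Security -Path $roleOu

# 3. Nest the role in the resource group that gives it the access the job needs.
Add-ADGroupMember -Identity 'rsc_fs01_finance_ar-m' -Members 'rol_accounts_receivable'

# 4. Onboarding a new hire is a single role membership.
Add-ADGroupMember -Identity 'rol_accounts_receivable' -Members 'jdoe'

# 5. Review: the folder ACL should list only rsc_ groups (plus system defaults),
#    and each rsc_ group should contain only rol_ groups.
icacls $folder
Get-ADGroupMember -Identity 'rsc_fs01_finance_ar-m' | Select-Object Name, objectClass
```

A user entry appearing directly in step 5's output, either on the ACL or inside an `rsc_` group, is access that bypasses the role model and will not be removed when the person changes roles.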
 