Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

  • Congratulations Mike Lewis on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Restricting windows domain access

Status
Not open for further replies.

StaplesMan

Technical User
Mar 8, 2006
123
US
As I have learned over the years in IT ways of doing things seem to change and migrate.

When I first started working with Windows XP in a domain environment and I only wanted the billing department to be able to log into there computers. I would remove the default "authenticated users", "interactive", and "Domain users" out of the users group. I would then put the group I wanted to allow onto that system "Billing" group and leave the administrative group with local "administrator" and "domain admins".

Have done this for years and have had 0 problems! Very secure and works all the time.

Then along comes Windows 7 and UAC and let's just say the first Win7 system I got I did exactly the same as my WinXP friends and all worked perfectly for my users but the administrators could not do anything! I quickly realized that because I took "athenticated users" and "interactive" out of the users list when I log in as an administrator I can no longer run programs because I can't run as a normal user.

Now this has crated a big problem!

I know there are ways via Group Policy's to do what I'm looking for but I'm looking for a quick and simple fix on the desktop it's self to allow me to lock the system down so our billing offices only has access at a user level to log onto the computer. And the domain admins will have administrative and user access to the system.

The only way I know how to do double add all the administrators also to the users group.

Just to clarify I have removed "domain users" and left "authenticated users" and "interactive" any domain user can still log on. I'm not sure what the need to have "domain users" by default is. But I have to take both "authenticated users" and "interactive" out of the users group and then add "billing" to block everyone else and allow only billing. But then administrators can work.

Is there any other way?

Thanks in advance.


CCNA, A+, HP Certified Professional
 
I have moved it. Thanks

CCNA, A+, HP Certified Professional
 
in W2k8 and W7, you most likely have to ADD those Users/Groups that you DO NOT want access to each share and DENY them access explicitly...

that has worked for me at a Retirement Home that has a mixed OS environment...

Ben
"If it works don't fix it! If it doesn't use a sledgehammer..."
How to ask a question, when posting them to a professional forum.
Only ask questions with yes/no answers if you want "yes" or "no"
 
Status
Not open for further replies.

Part and Inventory Search

Sponsor

Back
Top