Solved

Domain User Restriction

Posted on 2006-06-19
9
406 Views
Last Modified: 2008-03-10
Hello,
          I have a windows 2000 domain and need to restrict one user from being able to access the internet and several applications, this user is
a temporary worker and should only access excel while they are here, I have looked under user rights and could not find where this would be implemented, I have not checked under user policy yet but don,t believe this is it either, can anyone please tell me how to restrict a single user to just excel on the domain...


Thanks
0
Comment
Question by:etec
  • 3
  • 2
  • 2
  • +2
9 Comments
 
LVL 42

Assisted Solution

by:zephyr_hex (Megan)
zephyr_hex (Megan) earned 150 total points
ID: 16936299
do you often have temp workers?  if not, then it may not be worth the hassle to set up a domain policy.  it may be easier to set up a local account and change the local policy for that one account.  you can then restrict internet access by setting a static IP on the computer and blocking the IP in your router.
0
 
LVL 4

Expert Comment

by:drauch
ID: 16936345
you could create a policy to restrict the users environment (desktop, start menu redirection etc) so they cannot launch IE or other programs.  You could also set a fake proxy server for IE in the policy to prevent access to the internet.  If you are using ISA as your firewall/proxy you can restrict the user account's access to the internet.

Its not the nicest method but it will work.  You could also use what zephyr mentioned by setting a static ip etc.

0
 
LVL 13

Expert Comment

by:prashsax
ID: 16936434
You can implement Software Restirction policy on an OU.

Create an OU called(TempUsers) or something.

Move, this userid in this OU.

Then create a Software restriction policy(Disallowed Mode). But be carefull.

Apply this policy to a TestOU first and test it completely.

Here is the link to create Software restriction policy. Create it in disallowed mode.
http://support.microsoft.com/?kbid=310791

After this create a hash rule for the excel.exe file. This will ensure that only this thing works.

Link for hash rule.
http://support.microsoft.com/kb/324036/en-us

But be carefull, if done incorrectly can affect the operating system. If it does, just delete the Group policy from OU.

Make sure that do apply this on OU and not on domain.
0
 
LVL 8

Assisted Solution

by:bilbus
bilbus earned 150 total points
ID: 16936690
You can also just use group policys and have a policy that adds a proxy to Ie, and locks the proxy setting.

Its in user config, internet explorer maintence section

If the user installs another brouser like firefox this will not work

Hex has a good idea
If you can, i would set the router to block all access from that ip address (give user static ip)

If you cant do that, remove the default gateway from the ip address settings
0
Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

 
LVL 1

Author Comment

by:etec
ID: 16936929
Hello,
         All good suggestions but this user is not assigned to a particular machine, so blocking the ip address will not work, it would appear i need to create a policy ?, any suggestions on how to do this safely, this is a small company and all of the employess are trusted so we have never implemented something like this and really don,t know how, any advice greatly appreciated...


Thanks.


0
 
LVL 1

Author Comment

by:etec
ID: 16936948
Also,
         We have temp workers come in once every 6 months or so, based on need....
0
 
LVL 8

Expert Comment

by:bilbus
ID: 16936956
you apply the policy i sugested to the user, so it would be applyed to his user account. When user 1 logs in, everthing is normal. When temp guy logs in IE will block internet access.

If the temp uses a computer that somoen else is loged into, there will be no ristrictions
0
 
LVL 8

Expert Comment

by:bilbus
ID: 16936982
well, you would add the temp users to a group called "temp users" and apply the policy to the whole group. That way you dont need to change anything for each user, just make them a member of the group. This will not work for 3rd party brousers .. only IE
0
 
LVL 13

Accepted Solution

by:
prashsax earned 200 total points
ID: 16937193
If you create software restriction policy in disallowed mode.
Any create a rule for Excel only.

Anyways no other software can run.(IExplore or Firefox or anything else).

0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Sometimes a user will call me frantically, explaining that something has gone wrong and they have tried everything (read - they have messed it up more and now need someone to clean up) and it still does no good, can I help them?!  Usually the standa…
I. Introduction There's an interesting discussion going on now in an Experts Exchange Group — Attachments with no extension (http://www.experts-exchange.com/discussions/210281/Attachments-with-no-extension.html). This reminded me of questions tha…
This is used to tweak the memory usage for your computer, it is used for servers more so than workstations but just be careful editing registry settings as it may cause irreversible results. I hold no responsibility for anything you do to the regist…
Hi friends,  in this video  I'll show you how new windows 10 user can learn the using of windows 10. Thank you.

895 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now