Solved

Domain User Restriction

Posted on 2006-06-19
9
405 Views
Last Modified: 2008-03-10
Hello,
          I have a windows 2000 domain and need to restrict one user from being able to access the internet and several applications, this user is
a temporary worker and should only access excel while they are here, I have looked under user rights and could not find where this would be implemented, I have not checked under user policy yet but don,t believe this is it either, can anyone please tell me how to restrict a single user to just excel on the domain...


Thanks
0
Comment
Question by:etec
  • 3
  • 2
  • 2
  • +2
9 Comments
 
LVL 42

Assisted Solution

by:zephyr_hex
zephyr_hex earned 150 total points
ID: 16936299
do you often have temp workers?  if not, then it may not be worth the hassle to set up a domain policy.  it may be easier to set up a local account and change the local policy for that one account.  you can then restrict internet access by setting a static IP on the computer and blocking the IP in your router.
0
 
LVL 4

Expert Comment

by:drauch
ID: 16936345
you could create a policy to restrict the users environment (desktop, start menu redirection etc) so they cannot launch IE or other programs.  You could also set a fake proxy server for IE in the policy to prevent access to the internet.  If you are using ISA as your firewall/proxy you can restrict the user account's access to the internet.

Its not the nicest method but it will work.  You could also use what zephyr mentioned by setting a static ip etc.

0
 
LVL 13

Expert Comment

by:prashsax
ID: 16936434
You can implement Software Restirction policy on an OU.

Create an OU called(TempUsers) or something.

Move, this userid in this OU.

Then create a Software restriction policy(Disallowed Mode). But be carefull.

Apply this policy to a TestOU first and test it completely.

Here is the link to create Software restriction policy. Create it in disallowed mode.
http://support.microsoft.com/?kbid=310791

After this create a hash rule for the excel.exe file. This will ensure that only this thing works.

Link for hash rule.
http://support.microsoft.com/kb/324036/en-us

But be carefull, if done incorrectly can affect the operating system. If it does, just delete the Group policy from OU.

Make sure that do apply this on OU and not on domain.
0
 
LVL 8

Assisted Solution

by:bilbus
bilbus earned 150 total points
ID: 16936690
You can also just use group policys and have a policy that adds a proxy to Ie, and locks the proxy setting.

Its in user config, internet explorer maintence section

If the user installs another brouser like firefox this will not work

Hex has a good idea
If you can, i would set the router to block all access from that ip address (give user static ip)

If you cant do that, remove the default gateway from the ip address settings
0
Enabling OSINT in Activity Based Intelligence

Activity based intelligence (ABI) requires access to all available sources of data. Recorded Future allows analysts to observe structured data on the open, deep, and dark web.

 
LVL 1

Author Comment

by:etec
ID: 16936929
Hello,
         All good suggestions but this user is not assigned to a particular machine, so blocking the ip address will not work, it would appear i need to create a policy ?, any suggestions on how to do this safely, this is a small company and all of the employess are trusted so we have never implemented something like this and really don,t know how, any advice greatly appreciated...


Thanks.


0
 
LVL 1

Author Comment

by:etec
ID: 16936948
Also,
         We have temp workers come in once every 6 months or so, based on need....
0
 
LVL 8

Expert Comment

by:bilbus
ID: 16936956
you apply the policy i sugested to the user, so it would be applyed to his user account. When user 1 logs in, everthing is normal. When temp guy logs in IE will block internet access.

If the temp uses a computer that somoen else is loged into, there will be no ristrictions
0
 
LVL 8

Expert Comment

by:bilbus
ID: 16936982
well, you would add the temp users to a group called "temp users" and apply the policy to the whole group. That way you dont need to change anything for each user, just make them a member of the group. This will not work for 3rd party brousers .. only IE
0
 
LVL 13

Accepted Solution

by:
prashsax earned 200 total points
ID: 16937193
If you create software restriction policy in disallowed mode.
Any create a rule for Excel only.

Anyways no other software can run.(IExplore or Firefox or anything else).

0

Featured Post

What Is Threat Intelligence?

Threat intelligence is often discussed, but rarely understood. Starting with a precise definition, along with clear business goals, is essential.

Join & Write a Comment

Just about everyone has an old PC laying around.  Ask anyone in the IT industry, whether they are a professional or play in it as a hobby.  From outdated Desktops to cheap "throwaway" laptops, they are all around and not as hard to "fix up" as you m…
#Citrix #POC #XenDesktop #vCenter #VMware #ESX
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're interested in additional methods for monitoring bandwidt…

706 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

20 Experts available now in Live!

Get 1:1 Help Now