Solved

URGENT HELP on Creating Winodws 2000 to locl Down Non-Employee Users

Posted on 2009-04-07
8
235 Views
Last Modified: 2012-05-06
Right now I'm running a Windows 2000 AD domain with 100+ WIdows XP host. I have have a about 12 consultant my company uses to various things. All of these consults do not network accounts. I have placed all of these accounts in there own OU. I need to make sure ALL of all of the consultants have the following restrictions:

1) Only have access to a hand full of network shares and cannot mapp to additional locations
2) CAn not install the AD AdminTools
3)  CAnnot search AD or the network in general

Can a GP do this???? please advise
0
Comment
Question by:compdigit44
  • 4
  • 3
8 Comments
 
LVL 27

Expert Comment

by:Jason Watkins
ID: 24093069
Hi,

First, I would create a domain local group for the consultants and add all of their accounts to that group. Modify the shares you would like these folks to access, only specify their group with the desired level of permissions. Configure the deny read permission to all of the others shares they should never be able to access.  Keeping the consultants out of the local administrators group will prevent them from installing the admin tools, but if they do not hold any administrative roles in the domain, they can't do much with the tools.  

0
 
LVL 15

Expert Comment

by:zelron22
ID: 24093679
Domain users can--and have to be able to--query active directory.  You can't stop that.  They can't modify it without admin permissions, but they can query it.

Otherwise, the above suggestions will work.
0
 
LVL 19

Author Comment

by:compdigit44
ID: 24099942
What about creating a GP to map these users to specific shares and block them from adding more or browsing the networK?
0
 
LVL 27

Accepted Solution

by:
Jason Watkins earned 500 total points
ID: 24101704
Group policy doesn't really work that way.  GPOs can be used to maps scripts which will give the users access to shares.  Permissions control access to those actual shares.
0
 
LVL 19

Author Comment

by:compdigit44
ID: 24101757
I know about the permission I'm referring to controlling there user enviroment
0
 
LVL 27

Expert Comment

by:Jason Watkins
ID: 24103121
What do you want to control? Older versions of Windows server cannot really prevent users from seeing items on the network, if it is set up correctly.  Are the users using a shared computer?  
0
 
LVL 19

Author Comment

by:compdigit44
ID: 24106148
I want to prevent these users from using network neighbor, mapping network drives...etc..
0
 
LVL 19

Author Comment

by:compdigit44
ID: 24163568
Surely Windows 2000 group policies can do something regarding this ... Please advise..
0

Join & Write a Comment

Suggested Solutions

Mapping Drives using Group policy preferences Are you still using old scripts to map your network drives if so this article will show you how to get away for old scripts and move toward Group Policy Preference for mapping them. First things f…
Find out how to use Active Directory data for email signature management in Microsoft Exchange and Office 365.
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …

759 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

20 Experts available now in Live!

Get 1:1 Help Now