Solved

URGENT HELP on Creating Windows 2000 to Lock Down Non-Employee Users

Posted on 2009-04-07
Last Modified: 2012-05-06
Right now I'm running a Windows 2000 AD domain with 100+ Windows XP hosts. I have about 12 consultants my company uses for various things. All of these consultants do not network accounts. I have placed all of these accounts in their own OU. I need to make sure ALL of the consultants have the following restrictions:

1) Only have access to a handful of network shares and cannot map to additional locations
2) Cannot install the AD AdminTools
3) Cannot search AD or the network in general

Can a GP do this? Please advise.
0
Question by:compdigit44
8 Comments
 
LVL 27

Expert Comment

by:Jason Watkins
ID: 24093069
Hi,

First, I would create a domain local group for the consultants and add all of their accounts to that group. Modify the shares you would like these folks to access; only specify their group with the desired level of permissions. Configure the deny read permission on all of the other shares they should never be able to access. Keeping the consultants out of the local administrators group will prevent them from installing the admin tools, but if they do not hold any administrative roles in the domain, they can't do much with the tools.

0
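
An audit sketch for the approach in the answer above, added here as an example and not part of the original thread: it checks a consultant's group memberships against per-share ACLs and lists shares that are still readable outside the approved set. The domain, group and share names and the ACLs are constructed sample data, and "any matching deny wins" is a simplified model of Windows ACL evaluation.

```python
# Added example: simplified model of Windows allow/deny ACE evaluation.
# All domain, group and share names and ACLs below are constructed sample data.

READ = "read"

# Principals on a consultant's token: the dedicated group plus the broad
# groups every domain account belongs to.
CONSULTANT_TOKEN = {"CORP\\Consultants", "CORP\\Domain Users", "Everyone"}

# Shares the consultants are supposed to reach (hypothetical allow-list).
APPROVED = {"Projects", "Templates"}

# share name -> list of (ace_type, principal, rights)
SHARE_ACLS = {
    "Projects":  [("allow", "CORP\\Consultants", {READ, "change"})],
    "Templates": [("allow", "Everyone", {READ})],
    "Finance":   [("deny", "CORP\\Consultants", {READ}),
                  ("allow", "CORP\\Domain Users", {READ, "change"})],
    "HR":        [("allow", "CORP\\HR Staff", {READ, "change"})],
    "Scratch":   [("allow", "Everyone", {READ, "change", "full"})],
}

def can_read(token, acl):
    """Return (granted, principal). A matching deny ACE beats any allow."""
    granted_by = None
    for ace_type, principal, rights in acl:
        if principal not in token or READ not in rights:
            continue
        if ace_type == "deny":
            return False, principal
        granted_by = granted_by or principal
    return granted_by is not None, granted_by

def audit(token, acls, approved):
    """Shares the token can read that are not on the approved list."""
    findings = []
    for share, acl in sorted(acls.items()):
        granted, via = can_read(token, acl)
        if granted and share not in approved:
            findings.append((share, via))
    return findings

def missing_access(token, acls, approved):
    """Approved shares the token cannot actually read."""
    return sorted(s for s in approved if not can_read(token, acls.get(s, []))[0])

if __name__ == "__main__":
    for share, via in audit(CONSULTANT_TOKEN, SHARE_ACLS, APPROVED):
        print(f"UNEXPECTED: {share} is readable via {via}")
```

In the sample data, "Scratch" is flagged because a broad "Everyone" grant reaches the consultants even though their own group was never added to it.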
 
LVL 15

Expert Comment

by:zelron22
ID: 24093679
Domain users can--and have to be able to--query active directory.  You can't stop that.  They can't modify it without admin permissions, but they can query it.

Otherwise, the above suggestions will work.
0
 
LVL 20

Author Comment

by:compdigit44
ID: 24099942
What about creating a GP to map these users to specific shares and block them from adding more or browsing the network?
0
 
LVL 27

Accepted Solution

by:
Jason Watkins earned 500 total points
ID: 24101704
Group policy doesn't really work that way. GPOs can be used to map scripts, which will give the users access to shares. Permissions control access to those actual shares.
0
 
LVL 20

Author Comment

by:compdigit44
ID: 24101757
I know about the permission; I'm referring to controlling their user environment.
0
 
LVL 27

Expert Comment

by:Jason Watkins
ID: 24103121
What do you want to control? Older versions of Windows server cannot really prevent users from seeing items on the network, if it is set up correctly.  Are the users using a shared computer?  
0
 
LVL 20

Author Comment

by:compdigit44
ID: 24106148
I want to prevent these users from using network neighbor, mapping network drives...etc..
0
 
LVL 20

Author Comment

by:compdigit44
ID: 24163568
Surely Windows 2000 group policies can do something regarding this ... Please advise..
0
