compdigit44
asked on
URGENT HELP on Creating Winodws 2000 to locl Down Non-Employee Users
Right now I'm running a Windows 2000 AD domain with 100+ WIdows XP host. I have have a about 12 consultant my company uses to various things. All of these consults do not network accounts. I have placed all of these accounts in there own OU. I need to make sure ALL of all of the consultants have the following restrictions:
1) Only have access to a hand full of network shares and cannot mapp to additional locations
2) CAn not install the AD AdminTools
3) CAnnot search AD or the network in general
Can a GP do this???? please advise
1) Only have access to a hand full of network shares and cannot mapp to additional locations
2) CAn not install the AD AdminTools
3) CAnnot search AD or the network in general
Can a GP do this???? please advise
Domain users can--and have to be able to--query active directory. You can't stop that. They can't modify it without admin permissions, but they can query it.
Otherwise, the above suggestions will work.
Otherwise, the above suggestions will work.
ASKER
What about creating a GP to map these users to specific shares and block them from adding more or browsing the networK?
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
I know about the permission I'm referring to controlling there user enviroment
What do you want to control? Older versions of Windows server cannot really prevent users from seeing items on the network, if it is set up correctly. Are the users using a shared computer?
ASKER
I want to prevent these users from using network neighbor, mapping network drives...etc..
ASKER
Surely Windows 2000 group policies can do something regarding this ... Please advise..
First, I would create a domain local group for the consultants and add all of their accounts to that group. Modify the shares you would like these folks to access, only specify their group with the desired level of permissions. Configure the deny read permission to all of the others shares they should never be able to access. Keeping the consultants out of the local administrators group will prevent them from installing the admin tools, but if they do not hold any administrative roles in the domain, they can't do much with the tools.