?
Solved

Windows Server 2008 R2 Standard Permissions

Posted on 2013-10-28
10
Medium Priority
?
320 Views
Last Modified: 2014-01-15
I have a server running Win Server 2008 R2. It is NOT setup on a domain. I need to setup remote desktop rights to this person. They need to access the server through RDP, and be able to open just a couple programs. I am trying to do a few things:

1. Restrict access to Computer Management (and all other admin programs)
2. They need access to a couple programs. They need to be able to open the program, but I don't want them to have access to the files in windows explorer. I don't want them to be able to see and/or copy those files that pertain to the program they need to open.
3. Other than those few programs the need to open, I don't want them to have access to any other program.
4. I don't want them to have access to any folders on the C drive. They will need to be able to open programs, as mentioned in #2, but I don't want them to be able to browse to the files through the C drive.

How would I accomplish this? Thanks!!!
0
Comment
Question by:brasiman
  • 7
  • 3
10 Comments
 
LVL 24

Expert Comment

by:Sandeshdubey
ID: 39607387
You need to enable Allow log on through Remote Desktop Services policy locally or add user to Remote Desktop user group.By default Remote Desktop user group is configured in Remote Desktop Services policy.

You can define policy as per requirement to block C drive access see this:http://www.howtogeek.com/howto/8035/

Dont add the user to local admin group by default they cannot edit any system configuration.
0
 

Author Comment

by:brasiman
ID: 39607638
That blocked them from seeing any of the drives, but they can still see Computer Management, which allows them to see all the users, change pw's, etc. They have access to the Remote Desktop Users only. How do I block them from Computer Management and other admin functions?
0
 

Author Comment

by:brasiman
ID: 39607651
That also blocks access to the C drive for everyone, including the Administrator. How do i specify access to just one user, or non-administrators? Then, how to I restrict Computer Management and other admin functions for this one user?
0
Creating Active Directory Users from a Text File

If your organization has a need to mass-create AD user accounts, watch this video to see how its done without the need for scripting or other unnecessary complexities.

 

Author Comment

by:brasiman
ID: 39608866
Thanks Sandeshudubey for your suggestion? Any other thoughts about my two replies above?
0
 
LVL 24

Expert Comment

by:Sandeshdubey
ID: 39609487
As this policy is machine based it will block all users including admin,alternately you can create group add the non admin users to this group and deny access to local drive to this group.
0
 

Author Comment

by:brasiman
ID: 39609687
I created a group called Non-Admin, assigned this user to the group. How do I restrict access to the C Drive, so they can't browse, but allow them to open some programs installed on the C drive. There are also a few folders on the C drive i want them to have access to.
0
 

Author Comment

by:brasiman
ID: 39609709
At the same time, they can't have access to computer mgmt, etc.
0
 
LVL 24

Accepted Solution

by:
Sandeshdubey earned 1500 total points
ID: 39609888
You can refer this to block Computer Management MMC:
http://www.sevenforums.com/tutorials/114739-computer-management-mmc-snap-enable-disable.html

Regarding the permission it will be difficult to exclude the folder if you apply the deny access to drives.
0
 

Author Comment

by:brasiman
ID: 39611753
Ok. So the order of priorities are this:
1. Restrict non-admin users from Computer Management, and other admin functions like that.
2. Restrict access to certain folders on the C Drive,
2a. But in some cases allow programs on the C drive to be run without access to the actual directory.

How would I accomplish #1? I have added these users to a group called Non-Administrators. They is the ONLY group they pertain to. What do I do next?
0
 

Author Closing Comment

by:brasiman
ID: 39784045
This is a tough one. But thanks for the help.
0

Featured Post

Get expert help—faster!

Need expert help—fast? Use the Help Bell for personalized assistance getting answers to your important questions.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article provides a convenient collection of links to Microsoft provided Security Patches for operating systems that have reached their End of Life support cycle. Included operating systems covered by this article are Windows XP,  Windows Server…
Transferring FSMO roles is done when an admin wants to split roles between certain Domain Controllers or the Domain Controller holding the Roles has been forcefully demoted using dcpromo / forceremoval
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
Attackers love to prey on accounts that have privileges. Reducing privileged accounts and protecting privileged accounts therefore is paramount. Users, groups, and service accounts need to be protected to help protect the entire Active Directory …

621 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question