?
Solved

Windows Server 2008 R2 Standard Permissions

Posted on 2013-10-28
10
Medium Priority
?
317 Views
Last Modified: 2014-01-15
I have a server running Win Server 2008 R2. It is NOT setup on a domain. I need to setup remote desktop rights to this person. They need to access the server through RDP, and be able to open just a couple programs. I am trying to do a few things:

1. Restrict access to Computer Management (and all other admin programs)
2. They need access to a couple programs. They need to be able to open the program, but I don't want them to have access to the files in windows explorer. I don't want them to be able to see and/or copy those files that pertain to the program they need to open.
3. Other than those few programs the need to open, I don't want them to have access to any other program.
4. I don't want them to have access to any folders on the C drive. They will need to be able to open programs, as mentioned in #2, but I don't want them to be able to browse to the files through the C drive.

How would I accomplish this? Thanks!!!
0
Comment
Question by:brasiman
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 7
  • 3
10 Comments
 
LVL 24

Expert Comment

by:Sandeshdubey
ID: 39607387
You need to enable Allow log on through Remote Desktop Services policy locally or add user to Remote Desktop user group.By default Remote Desktop user group is configured in Remote Desktop Services policy.

You can define policy as per requirement to block C drive access see this:http://www.howtogeek.com/howto/8035/

Dont add the user to local admin group by default they cannot edit any system configuration.
0
 

Author Comment

by:brasiman
ID: 39607638
That blocked them from seeing any of the drives, but they can still see Computer Management, which allows them to see all the users, change pw's, etc. They have access to the Remote Desktop Users only. How do I block them from Computer Management and other admin functions?
0
 

Author Comment

by:brasiman
ID: 39607651
That also blocks access to the C drive for everyone, including the Administrator. How do i specify access to just one user, or non-administrators? Then, how to I restrict Computer Management and other admin functions for this one user?
0
Office 365 Training for Admins - 7 Day Trial

Learn how to provision tenants, synchronize on-premise Active Directory, implement Single Sign-On, customize Office deployment, and protect your organization with eDiscovery and DLP policies.  Only from Platform Scholar.

 

Author Comment

by:brasiman
ID: 39608866
Thanks Sandeshudubey for your suggestion? Any other thoughts about my two replies above?
0
 
LVL 24

Expert Comment

by:Sandeshdubey
ID: 39609487
As this policy is machine based it will block all users including admin,alternately you can create group add the non admin users to this group and deny access to local drive to this group.
0
 

Author Comment

by:brasiman
ID: 39609687
I created a group called Non-Admin, assigned this user to the group. How do I restrict access to the C Drive, so they can't browse, but allow them to open some programs installed on the C drive. There are also a few folders on the C drive i want them to have access to.
0
 

Author Comment

by:brasiman
ID: 39609709
At the same time, they can't have access to computer mgmt, etc.
0
 
LVL 24

Accepted Solution

by:
Sandeshdubey earned 1500 total points
ID: 39609888
You can refer this to block Computer Management MMC:
http://www.sevenforums.com/tutorials/114739-computer-management-mmc-snap-enable-disable.html

Regarding the permission it will be difficult to exclude the folder if you apply the deny access to drives.
0
 

Author Comment

by:brasiman
ID: 39611753
Ok. So the order of priorities are this:
1. Restrict non-admin users from Computer Management, and other admin functions like that.
2. Restrict access to certain folders on the C Drive,
2a. But in some cases allow programs on the C drive to be run without access to the actual directory.

How would I accomplish #1? I have added these users to a group called Non-Administrators. They is the ONLY group they pertain to. What do I do next?
0
 

Author Closing Comment

by:brasiman
ID: 39784045
This is a tough one. But thanks for the help.
0

Featured Post

Free Backup Tool for VMware and Hyper-V

Restore full virtual machine or individual guest files from 19 common file systems directly from the backup file. Schedule VM backups with PowerShell scripts. Set desired time, lean back and let the script to notify you via email upon completion.  

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Auditing domain password hashes is a commonly overlooked but critical requirement to ensuring secure passwords practices are followed. Methods exist to extract hashes directly for a live domain however this article describes a process to extract u…
In the absence of a fully-fledged GPO Management product like AGPM, the script in this article will provide you with a simple way to watch the domain (or a select OU) for GPOs changes and automatically take backups when policies are added, removed o…
This tutorial will walk an individual through configuring a drive on a Windows Server 2008 to perform shadow copies in order to quickly recover deleted files and folders. Click on Start and then select Computer to view the available drives on the se…
Sometimes it takes a new vantage point, apart from our everyday security practices, to truly see our Active Directory (AD) vulnerabilities. We get used to implementing the same techniques and checking the same areas for a breach. This pattern can re…
Suggested Courses
Course of the Month15 days, 8 hours left to enroll

741 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question