dwesolowicz
asked on
Create read-only user in AD that cannot connect to any shares
Experts,
We are working with a vendor that hosts SharePoint. We are planning to set up a one-way trust from our domain (with an IPsec tunnel), so that our users can authenticate to the hosted SharePoint site. I have to share a domain user name and password with the vendor to complete the AD integration.
My concern is that this user will be part of the Domain Users group, have visibility to the shares on the network, and the third-party vendor will know the password.
Is there a way to set up a user in AD that is read-only and cannot hit any of the shares on the network? Would I have to go to each server providing network resources and deny this one user access to the drives on the server?
Thank you in advance
add that user to its own security group and don't give that security group access to the shares
ASKER
Sorry for the delay and thanks for the reply. I tried your suggestion and it worked just fine.
The only concern is that they still have access to the sysvol folder on the DC. Should a deny permission be set up on the sysvol folder for this specific user?
If you want, but SYSVOL is used for a lot of things, i.e. Group Policy.
> I tried your suggestion and it worked just fine
Whose suggestion? There were two :)
About SYSVOL: what do you fear he could get his hands on? I assume you don't know what's inside? Then please consult Microsoft TechNet to get an impression.
It's not a good idea to modify permissions on SYSVOL. Please keep it as is.
SYSVOL is the folder where all users and computers look for domain policies.
It's already shared as read-only for standard users.
If you set deny permissions on SYSVOL, I believe you will break basic connectivity to the domain for those user accounts.
Mahesh
ASKER
Sorry for the delay... was out sick for several days. McKnife's suggestion was the first to be used. I am aware of what's inside, and have used several policy scripts to create new local admin users. These scripts contain passwords for those newly created local users in plain text. My thoughts were that if found, you would then have a user that could log into a device as a local admin.
One thing I could do would be to deny access to this specific policy from the third-party vendor. Or, after I make the global local user change and confirm it has been applied, delete the policy altogether.
I just do not want to leave access to an area where someone could determine the credentials of a user.
> These scripts contain passwords for those newly created local users in plain text. My thoughts were that if found, you would then have a user that could log into a device as a local admin.
Those scripts are startup scripts and get executed by the computer accounts, not the user accounts. They are not readable for non-admins.
ASKER
Thanks for the reply. I guess I have two scenarios here:
1. If I log in as a user that is part of the Domain Users group, this particular user is able to see the policies in SYSVOL. If they start clicking on the unique IDs of the SYSVOL share policies, they can navigate to the User folder, Scripts, and Logon.
I have a logon script that runs so that when a user logs on, it adds a new user to the local admin group. If they right-click the script and select Edit, you can see the code and password in the script.
I also looked at a computer account GPO, and was able to look at sysvol\uid\Machine\Scripts\Startup, and could view the script with no problem.
2. If a user logs in as a local admin, they would have to provide credentials to gain access.
Where are the permissions being controlled so that domain users are unable to see SYSVOL computer account data?
"I have a logon script that runs so that when a user logs on, it adds a new user to the local admin group." - No, I bet you don't have that. Logon scripts run with user privileges. Users CANNOT add other users to certain groups. It would need to be a startup script and that's unreadable for users.
Please let's clear that up, first.
ASKER
My apologies... my oversight... you are correct. I have a startup script that is used. This script is located in GP under Computer Configuration, Policies, Windows Settings, Scripts, Startup.
Is there a way to protect sysvol from being viewed from a specific domain user?
ASKER
Perhaps I should just protect the specific policies that contain username and password info?
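A practical check for the concern raised in the last few posts, added here as an example and not something posted in the thread: by default every GPO folder under SYSVOL grants Authenticated Users read access, so startup scripts under Machine\Scripts\Startup are readable by any domain account, including the one handed to the vendor. The PowerShell below (assumes a domain-joined host whose caller can read every policy folder; the regex list is a heuristic and the finding names are mine) walks the Policies share, flags scripts and Group Policy Preferences files that carry plain-text or cpassword credentials, and lists the principals that can read each hit. The report records file and line number only, not the line itself, so it does not become another copy of the secret.

```powershell
# Added example, not from the thread. Scan SYSVOL policy folders for scripts and
# preference files holding plain-text credentials and report who can read them.
# Assumptions: domain-joined host, caller can read every policy folder, and the
# pattern list below is a heuristic (false positives and misses are possible).
$domain   = $env:USERDNSDOMAIN
$policies = "\\$domain\SYSVOL\$domain\Policies"

# Startup/logon scripts plus Group Policy Preferences XML; a GPP "cpassword"
# attribute is a reversibly encrypted password (the key is public, see MS14-025).
$patterns = [ordered]@{
    'net user /add with inline password' = 'net\s+user\s+\S+\s+\S+\s+/add'
    'password assignment'                = '(password|pwd|passwd)\s*[=:]\s*\S+'
    'GPP cpassword attribute'            = 'cpassword="[^"]+"'
}

$hits = Get-ChildItem -Path $policies -Recurse -File -Include *.bat,*.cmd,*.ps1,*.vbs,*.xml |
    ForEach-Object {
        $file = $_
        # The policy GUID is the first path element after \Policies\
        $gpo  = (($file.FullName -split '\\Policies\\')[1] -split '\\')[0]
        foreach ($name in $patterns.Keys) {
            Select-String -Path $file.FullName -Pattern $patterns[$name] | ForEach-Object {
                # Principals with an Allow ACE that includes read. "Authenticated Users"
                # here means every domain account, the vendor-held one included.
                $readers = (Get-Acl -Path $file.FullName).Access |
                    Where-Object { $_.AccessControlType -eq 'Allow' -and
                                   "$($_.FileSystemRights)" -match 'Read|Modify|FullControl' } |
                    ForEach-Object { $_.IdentityReference.Value } |
                    Sort-Object -Unique
                [pscustomobject]@{
                    Policy  = $gpo
                    File    = $file.FullName
                    Line    = $_.LineNumber      # location only; the content is not echoed
                    Finding = $name
                    Readers = $readers -join '; '
                }
            }
        }
    }

$hits | Format-Table -AutoSize -Wrap
```

Every hit is a secret that any domain account can already read, so the fix is to take the credential out of the script (or stop creating the local admin this way), not to put a deny ACE on SYSVOL. Re-run the scan after the policy is changed or deleted to confirm nothing else references the same password.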
ASKER CERTIFIED SOLUTION
There is a GPO setting that you could distribute: http://technet.microsoft.com/en-us/library/cc758316(v=ws.10).aspx - wherever it applies, that user cannot use shares or network logons.
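A worked version of the certified answer, added here as an example rather than taken from the thread: create the vendor-facing account in its own security group with the account itself hardened, then deny that group the "access this computer from the network" right (plus the two interactive-logon rights) on a member server. The OU path, account and group names and file paths are placeholders. The secedit step applies the rights to the server the script runs on and reads them back; the same [Privilege Rights] lines are what the Group Policy editor writes to GptTmpl.inf under Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment, so the block also shows what the GPO will produce.

```powershell
# Added example, not from the thread. Create a vendor-facing account in its own
# group, harden the account, and deny that group network and interactive logon on
# this server with the same [Privilege Rights] entries a GPO would carry.
# Assumptions: placeholder OU/names below, ActiveDirectory module present,
# run elevated on a member server (not a domain controller).
Import-Module ActiveDirectory

$ou      = 'OU=Service Accounts,DC=corp,DC=example'   # placeholder
$samName = 'svc-vendor-sp'                            # placeholder
$group   = 'Vendor-NoLogon'                           # placeholder

# Prompt rather than embed the secret; it is the value handed to the vendor.
$password = Read-Host -AsSecureString -Prompt "Initial password for $samName"

# AccountNotDelegated stops the vendor from using the account in Kerberos
# delegation chains; CannotChangePassword keeps rotation in your hands.
New-ADUser -Name $samName -SamAccountName $samName -Path $ou `
    -UserPrincipalName "$samName@$env:USERDNSDOMAIN" `
    -AccountPassword $password -Enabled $true `
    -CannotChangePassword $true -AccountNotDelegated $true `
    -Description 'Hosted SharePoint AD integration account (held by vendor)'

New-ADGroup -Name $group -Path $ou -GroupScope Global -GroupCategory Security `
    -Description 'Members are denied network and interactive logon by policy'
Add-ADGroupMember -Identity $group -Members $samName

# User Rights Assignment takes SIDs; INF syntax prefixes each with '*'.
$sid = (Get-ADGroup -Identity $group).SID.Value
$inf = @"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO`$"
Revision=1
[Privilege Rights]
SeDenyNetworkLogonRight = *$sid
SeDenyInteractiveLogonRight = *$sid
SeDenyRemoteInteractiveLogonRight = *$sid
"@

# Apply to this machine's local security policy (a linked GPO does the same domain-wide).
$infPath = Join-Path $env:TEMP 'deny-vendor.inf'
$dbPath  = Join-Path $env:TEMP 'deny-vendor.sdb'
Set-Content -Path $infPath -Value $inf -Encoding Unicode
secedit /configure /db $dbPath /cfg $infPath /areas USER_RIGHTS /quiet

# Verify: export the effective rights and confirm the group SID is in each deny right.
$exported = Join-Path $env:TEMP 'effective-rights.inf'
secedit /export /cfg $exported /areas USER_RIGHTS /quiet | Out-Null
Select-String -Path $exported -Pattern 'SeDeny(Network|Interactive|RemoteInteractive)LogonRight' |
    ForEach-Object {
        $right = ($_.Line -split '=')[0].Trim()
        '{0}: {1}' -f $right, ($_.Line -match [regex]::Escape($sid))
    }
Remove-Item $infPath, $dbPath, $exported -ErrorAction SilentlyContinue
```

Link the GPO to the OUs that hold file servers and workstations, not to the Domain Controllers OU: the vendor's SharePoint has to bind to your domain controllers with this account to look up users, and that bind is a network logon, so denying it on the DCs breaks the integration the trust is being built for. Two limits worth stating plainly: "read-only" is what every domain account already is in the directory, so the account can still enumerate users, groups and policies (rotate the password on a schedule), and denying network logon on member servers does not keep the account out of SYSVOL, which lives on the domain controllers, so any credential in a startup script still has to be removed from the script itself.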