Granting rights from Local user to a different server for security reasons

Posted on 2014-01-30
Last Modified: 2015-06-23
Having a brain cramp and need help.

I cannot remember how I accomplished this in the past.

Granting outside user (GGuser) access to specific files in 2 directories (folderapp and folderdata) on one server, Serverlarge, in the domain nwtraders.local. Access is through the RDP server RemoteToMe.

RDP is the preferred method for accessing the network here in the office.

Created user GGuser on the rdp machine (RemoteToMe) as a local user so they have no rights to ANY other server in the domain.

I wanted to grant the local user RemoteToMe/GGuser the rights to the directories on the server Serverlarge: \\Serverlarge\data\FolderApp and \\Serverlarge\data\FolderData
Probably by mapping drive M to \\Serverlarge\data.

I can't seem to do it.

Question is, can it be done?

Or do I need to create a local user on Serverlarge and map the drive that way?

Or is there a better way?
Question by: bobnla
Accepted Solution by: Jamie McKillop (LVL 37, earned 2000 total points), ID: 39824332
Hello,

You need to create a local user on Serverlarge with the same username and password as the other server. You will then be able to access the UNC paths without entering credentials.

-JJ
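The mirrored-account approach above, as an added PowerShell example that is not part of the thread: it creates a local GGuser on Serverlarge, grants Modify on the two folders only (not the share root), opens the share, and prints the resulting entries. It assumes PowerShell 5.1 or later on Serverlarge, that the share `data` is backed by `D:\data`, and that the password typed in matches the RemoteToMe account exactly, since pass-through authentication only works when both username and password are identical on the two machines.

```powershell
# Added example (not from the thread). Run on Serverlarge as a local administrator.
# Assumptions: PowerShell 5.1+ (New-LocalUser), share 'data' backed by D:\data,
# and a password identical to the one set for GGuser on RemoteToMe.
$user     = 'GGuser'
$password = Read-Host -AsSecureString 'Password (must match the RemoteToMe account)'

# 1. Mirror the account locally. Do NOT add it to Administrators or
#    Remote Desktop Users on this server: it only needs file access.
if (-not (Get-LocalUser -Name $user -ErrorAction SilentlyContinue)) {
    New-LocalUser -Name $user -Password $password `
        -Description 'Mirrored account for RDP user on RemoteToMe' | Out-Null
}

# 2. NTFS: grant Modify on the two folders only. Nothing is granted on D:\data
#    itself, so the account cannot browse or touch sibling folders.
$folders = 'D:\data\FolderApp', 'D:\data\FolderData'   # assumed local paths
foreach ($f in $folders) {
    $acl  = Get-Acl -Path $f
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        "$env:COMPUTERNAME\$user", 'Modify',
        'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $f -AclObject $acl
}

# 3. Share permission is ANDed with NTFS, so the share must let the account
#    through as well; 'Change' here is still bounded by the NTFS entries above.
Grant-SmbShareAccess -Name 'data' -AccountName "$env:COMPUTERNAME\$user" `
    -AccessRight Change -Force

# 4. Verify: GGuser should appear on the two folders and NOT on the share root.
foreach ($f in @('D:\data') + $folders) {
    (Get-Acl -Path $f).Access |
        Where-Object { $_.IdentityReference -like "*\$user" } |
        Select-Object @{n='Path'; e={ $f }}, FileSystemRights, AccessControlType
}
```

From RemoteToMe, `net use M: \\Serverlarge\data` while logged on as GGuser should then connect without a credential prompt; if it prompts, the two passwords differ.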
Expert Comment by: kevinhsieh (LVL 42), ID: 39824347
With a local user you are effectively running in a workgroup, not a domain, and you can't grant the account permissions on any other machine. You can either continue to operate in workgroup mode and create the account on every machine you want to grant access to (and handle the password management for all those accounts), or use a domain account instead. What I do for accounts like this is make their primary group something like Domain Guests or just some created domain global group, and then remove them from Domain Users. This prevents access to things that are (accidentally) granted to the Domain Users group.
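The domain-account alternative described above, as an added PowerShell example that is not part of the thread: it creates a dedicated global group, makes that group GGuser's primary group, removes the account from Domain Users, and prints the resulting membership. It assumes the ActiveDirectory module, a domain user GGuser in nwtraders.local, and the group name `GG-FileAccess`, which is a name chosen here; the folder ACLs on Serverlarge would then reference `NWTRADERS\GG-FileAccess` instead of a local account.

```powershell
# Added example (not from the thread). Run on a machine with RSAT / the
# ActiveDirectory module, as an account allowed to manage users and groups.
# Assumptions: domain user 'GGuser' exists; group name 'GG-FileAccess' is ours.
Import-Module ActiveDirectory

$user  = 'GGuser'
$group = 'GG-FileAccess'

# 1. A dedicated global group: this is the only identity the NTFS entries on
#    \\Serverlarge\data\FolderApp and FolderData need to reference.
if (-not (Get-ADGroup -Filter "Name -eq '$group'")) {
    New-ADGroup -Name $group -GroupScope Global -GroupCategory Security `
        -Description 'Access to FolderApp and FolderData on Serverlarge only'
}
Add-ADGroupMember -Identity $group -Members $user

# 2. Make that group the primary group. AD refuses to remove a user from its
#    primary group, so this must happen BEFORE the Domain Users removal.
#    primaryGroupID holds the group's RID, exposed as primaryGroupToken.
$rid = (Get-ADGroup -Identity $group -Properties primaryGroupToken).primaryGroupToken
Set-ADUser -Identity $user -Replace @{ primaryGroupID = $rid }

# 3. Drop the account from Domain Users so anything granted to that group,
#    on purpose or by accident, no longer applies to it.
Remove-ADGroupMember -Identity 'Domain Users' -Members $user -Confirm:$false

# 4. Verify: primaryGroupID should equal $rid and Domain Users should be absent.
Get-ADUser -Identity $user -Properties primaryGroupID |
    Select-Object SamAccountName, primaryGroupID
Get-ADPrincipalGroupMembership -Identity $user | Select-Object Name, GroupScope
```

After this, grant Modify on the two folders to `NWTRADERS\GG-FileAccess` exactly as you would for a local account, and leave the share root and any Domain Users entries untouched.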
Expert Comment by: btan (LVL 65), ID: 39825931
Just to backtrack to the RDP side: to give a user the possibility to RDP to a target server or machine, you should first permit that user to log on locally to the target.

e.g. Under Local Policies > User Rights Assignment, "Allow logon through Terminal Services" should list the Remote Desktop Users group, and that group should not be listed in "Deny logon through Terminal Services".

Next, also make sure that the user is part of the "Remote Desktop Users" group. Also, since the user can do RDP, it does not necessarily mean it can do local console login. That user must have the "Allow log on locally" user right to log on over a Remote Desktop Services or Terminal Services session that is running on a Windows-based member computer (or even a domain controller).

So coming back: if the user is allowed to log on locally, then the user should assume the rights you set for the folder access accordingly, meaning that even without RDP, the user should be able to access from that target machine at the very start.

It may be easier to approach it from the target machine joined to the domain and enforce it via GPO using the above. There should be something like .../Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment for setting "Allow log on locally."

You may want to catch these:
“Allow Logon through Terminal Services” group policy and “Remote Desktop Users” group
http://blogs.technet.com/b/askperf/archive/2011/09/09/allow-logon-through-terminal-services-group-policy-and-remote-desktop-users-group.aspx

Configure Permissions for Remote Desktop Services Connections
http://technet.microsoft.com/en-us/library/cc753032.aspx

Permit users to log on locally to a domain controller
http://technet.microsoft.com/en-us/library/cc785165%28WS.10%29.aspx

Configure Client Logon Information for Remote Desktop Services Connections
http://technet.microsoft.com/en-us/library/cc730945.aspx

Expert Comment by: Seth Simmons (LVL 36), ID: 40845896
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.