
Granting rights from Local user to a different server for security reasons

Posted on 2014-01-30
Last Modified: 2015-06-23
Having a brain cramp and need help.

I cannot remember how I accomplished this in the past.

Granting an outside user (GGuser) access to specific files in 2 directories (folderapp and folderdata) on one server, Serverlarge, in the domain nwtraders.local. Access is through the RDP server RemoteToMe.

RDP is the preferred method for accessing the network here in the office.

Created user GGuser on the RDP machine (RemoteToMe) as a local user so they have no rights to ANY other server in the domain.

I wanted to grant the local user RemoteToMe\GGuser the rights to the directories on the server Serverlarge: \\Serverlarge\data\FolderApp and \\Serverlarge\data\FolderData
Probably by mapping drive M to \\Serverlarge\data

I can't seem to do it.

Question is, can it be done?

Or do I need to create a local user on Serverlarge and map the drive that way?

Or is there a better way?
Question by:bobnla
5 Comments

Accepted Solution

by: Jamie McKillop
ID: 39824332
Hello,

You need to create a local user on Serverlarge with the same username and password as the other server. You will then be able to access the UNC paths without entering credentials.

-JJ
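The mirrored-account approach from the accepted solution, as an added PowerShell example that is not part of the original thread. It creates GGuser on Serverlarge with the same password as on RemoteToMe and scopes it to the two folders. Assumptions not stated in the thread: the share `data` is backed by `D:\data`, the script runs from an elevated prompt on Serverlarge, and the host has the Microsoft.PowerShell.LocalAccounts and SmbShare modules (Windows Server 2016 / PowerShell 5.1 or later; on older hosts `net user` and share-tab permissions do the same thing).

```powershell
# Added example: mirror the RDP host's local account on Serverlarge and limit it
# to the two folders. Run elevated on Serverlarge.
# Assumption: the "data" share is backed by D:\data (not stated in the thread).
$user    = 'GGuser'
$share   = 'data'
$root    = 'D:\data'
$folders = @("$root\FolderApp", "$root\FolderData")

# The password must match the one set on RemoteToMe exactly. There is no trust
# between two local SAMs: the file server accepts the connection only because the
# username and password the client sends happen to authenticate against its own
# copy of the account (NTLM; Kerberos is not available to local accounts).
$password = Read-Host -AsSecureString "Password for $user (same as on RemoteToMe)"

if (-not (Get-LocalUser -Name $user -ErrorAction SilentlyContinue)) {
    # UserMayNotChangePassword stops the two copies of the password drifting apart.
    New-LocalUser -Name $user -Password $password `
        -Description 'Mirror of RemoteToMe\GGuser for \\Serverlarge\data' `
        -UserMayNotChangePassword | Out-Null
}

# Share permission is the ceiling; the NTFS ACLs below decide what is actually reachable.
Grant-SmbShareAccess -Name $share -AccountName $user -AccessRight Change -Force | Out-Null

# Share root: read/list on this folder only (no (OI)(CI)), so the user can browse
# to the two folders but nothing is inherited into sibling directories.
icacls $root /grant "${user}:(RX)" | Out-Null

# The two folders: Modify, inherited by subfolders (CI) and files (OI).
foreach ($f in $folders) {
    icacls $f /grant "${user}:(OI)(CI)M" | Out-Null
}

# Verify: list every ACE on the share root and the two folders that names the account.
foreach ($p in @($root) + $folders) {
    $aces = (Get-Acl $p).Access | Where-Object { $_.IdentityReference -like "*\$user" }
    foreach ($a in $aces) {
        '{0,-24} {1,-6} {2,-28} inherit={3}' -f $p, $a.AccessControlType, $a.FileSystemRights, $a.InheritanceFlags
    }
}
```

The cost of this design is the one kevinhsieh describes below: every file server the user needs becomes another copy of the account and another password to keep in sync, and a password change on either side silently breaks access.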

Expert Comment

by:kevinhsieh
ID: 39824347
With a local user you are effectively running in a workgroup, not a domain, and you can't grant the account permissions on any other machine. You can either continue to operate in workgroup mode and create the account on every machine you want to grant access to (and handle the password management for all those accounts), or use a domain account instead. What I do for accounts like this is make their primary group something like Domain Guests or just some created domain global group, and then remove them from Domain Users. This prevents access to things that are (accidentally) granted to the Domain Users group.
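The domain-account variant kevinhsieh describes, as an added PowerShell example that is not from the thread: a purpose-built global group becomes the user's primary group, the user is then removed from Domain Users, and the folders are ACLed to the group rather than the user. It assumes the ActiveDirectory module (RSAT) on a domain-joined admin host with rights to create objects; the OU paths, the group name `GG-Serverlarge-Data` and the NetBIOS name `NWTRADERS` are assumptions, not values from the post.

```powershell
# Added example: a domain account whose only group is a purpose-built global group.
# Run on a domain-joined admin host with the ActiveDirectory module.
# OU paths, group name and NetBIOS name are assumptions; adjust to the real directory.
Import-Module ActiveDirectory

$domainNB = 'NWTRADERS'                           # NetBIOS name of nwtraders.local (assumed)
$user     = 'GGuser'
$group    = 'GG-Serverlarge-Data'                 # assumed name for the scoped access group
$userOU   = 'OU=External,DC=nwtraders,DC=local'   # assumed
$groupOU  = 'OU=Groups,DC=nwtraders,DC=local'     # assumed
$folders  = '\\Serverlarge\data\FolderApp', '\\Serverlarge\data\FolderData'

# 1. A global security group that nothing else references, so membership means exactly this access.
if (-not (Get-ADGroup -Filter "Name -eq '$group'")) {
    New-ADGroup -Name $group -SamAccountName $group -GroupScope Global -GroupCategory Security `
        -Path $groupOU -Description 'Modify on FolderApp/FolderData on Serverlarge'
}

# 2. The user, enabled, with the password set interactively.
if (-not (Get-ADUser -Filter "SamAccountName -eq '$user'")) {
    New-ADUser -Name $user -SamAccountName $user -UserPrincipalName "$user@nwtraders.local" `
        -Path $userOU -AccountPassword (Read-Host -AsSecureString "Password for $user") -Enabled $true
}

# 3. Make the new group the primary group. AD refuses to remove a user from its
#    primary group, so this has to happen before step 4. primaryGroupID is the RID
#    (last component) of the group's SID.
Add-ADGroupMember -Identity $group -Members $user
$rid = [int](((Get-ADGroup $group).SID.Value -split '-')[-1])
Set-ADUser -Identity $user -Replace @{ primaryGroupID = $rid }

# 4. Now Domain Users can be dropped: anything ACLed to Domain Users no longer applies to GGuser.
Remove-ADGroupMember -Identity 'Domain Users' -Members $user -Confirm:$false

# 5. Grant on the folders by group, never by user, so the next outside user is one Add-ADGroupMember.
foreach ($f in $folders) {
    icacls $f /grant "${domainNB}\${group}:(OI)(CI)M" | Out-Null
}

# Verify. Note that memberOf does not list the primary group, so an empty list
# here is the expected result for an account that belongs to nothing else.
$u = Get-ADUser $user -Properties primaryGroupID, MemberOf
'primaryGroupID = {0} (expected {1})' -f $u.primaryGroupID, $rid
'memberOf       = {0}' -f (($u.MemberOf | ForEach-Object { ($_ -split ',')[0] }) -join '; ')
```

Two things to check afterwards: the RDP host RemoteToMe still has to let this domain user in (membership in its local Remote Desktop Users group), and anything that was relying on Domain Users for GGuser, such as GPO-assigned rights or default share permissions, is now gone by design.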

Expert Comment

by:btan
ID: 39825931
Just to backtrack to the RDP: to give a user the possibility to RDP to a target server or machine, you should first permit that user to log on locally to the target.

e.g. Under Local Policies > User Rights Assignment, "Allow logon through Terminal Services" should list the Remote Desktop Users group, and that group should not be listed in "Deny logon through Terminal Services".

Next, also make sure that the user is part of the "Remote Desktop Users" group. Also, since the user can do RDP, it does not necessarily follow that it can do a local console login. That user must have the "Allow log on locally" user right to log on over a Remote Desktop Services or Terminal Services session that is running on a Windows-based member computer (or even a domain controller).

So coming back: if the user is allowed to log on locally, then the user should assume the rights you set for the folder access accordingly, meaning that even without RDP, the user should be able to access from that target machine at the very start.

It may be easier to approach this from the target machine joined to the domain and enforce it via GPO using the above. There should be something like .../Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment for setting "Allow log on locally".

You may want to catch these:
“Allow Logon through Terminal Services” group policy and “Remote Desktop Users” group
http://blogs.technet.com/b/askperf/archive/2011/09/09/allow-logon-through-terminal-services-group-policy-and-remote-desktop-users-group.aspx

Configure Permissions for Remote Desktop Services Connections
http://technet.microsoft.com/en-us/library/cc753032.aspx

Permit users to log on locally to a domain controller
http://technet.microsoft.com/en-us/library/cc785165%28WS.10%29.aspx

Configure Client Logon Information for Remote Desktop Services Connections
http://technet.microsoft.com/en-us/library/cc730945.aspx
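An added PowerShell check for the RDP side of btan's comment, not code from the thread: it exports the host's effective User Rights Assignment with `secedit`, reads the two rights that decide Remote Desktop logon (the Allow and Deny "log on through Remote Desktop Services" rights), and tests whether the local GGuser account is in Remote Desktop Users. It assumes an elevated prompt on RemoteToMe (`secedit /export` needs administrator) and `Get-LocalGroupMember` (Windows 10 / Server 2016 or later; `net localgroup "Remote Desktop Users"` gives the same list on older hosts).

```powershell
# Added example: audit who may (and may not) log on through Remote Desktop on this
# host, and whether the account is in Remote Desktop Users. Run elevated on RemoteToMe.
$account = "$env:COMPUTERNAME\GGuser"      # the local user from the question

# 1. Export the effective User Rights Assignment and parse it into right -> principals.
$cfg = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null

$rights = @{}
foreach ($line in Get-Content $cfg) {
    if ($line -match '^\s*(Se\w+)\s*=\s*(.*)$') {
        $name = $matches[1]
        $rights[$name] = $matches[2] -split ',' | ForEach-Object {
            $p = $_.Trim()
            if ($p.StartsWith('*')) {
                # secedit writes principals as *SID; translate to NAME form where possible.
                $sid = New-Object System.Security.Principal.SecurityIdentifier($p.Substring(1))
                try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $p }
            } else { $p }
        }
    }
}
Remove-Item $cfg -ErrorAction SilentlyContinue

# 2. The two rights that decide RDP logon. A principal in the Deny list loses even if also in Allow.
$allow = @($rights['SeRemoteInteractiveLogonRight'])     | Where-Object { $_ }
$deny  = @($rights['SeDenyRemoteInteractiveLogonRight']) | Where-Object { $_ }
'Allow log on through Remote Desktop Services: {0}' -f ($allow -join ', ')
'Deny  log on through Remote Desktop Services: {0}' -f ($deny  -join ', ')

# 3. Group membership, the usual way a user gets the Allow right.
$members = Get-LocalGroupMember -Group 'Remote Desktop Users' | ForEach-Object Name
$inRdu   = $members -contains $account

# 4. Verdict: explicit deny wins; otherwise the account needs the right directly
#    or through Remote Desktop Users, which must itself be in the Allow list.
$denied  = $deny -contains $account
$granted = ($allow -contains $account) -or ($inRdu -and ($allow -contains 'BUILTIN\Remote Desktop Users'))
if ($denied)      { "$account is explicitly denied RDP logon" }
elseif ($granted) { "$account can log on through RDP (in Remote Desktop Users: $inRdu)" }
else              { "$account cannot log on through RDP: not granted directly, and Remote Desktop Users is not in the Allow list (member: $inRdu)" }
```

On a default install the Allow list holds BUILTIN\Administrators and BUILTIN\Remote Desktop Users and the Deny list is empty, so adding GGuser to Remote Desktop Users is normally all that is needed; a GPO that overwrites the Allow list without including Remote Desktop Users is the common reason the group membership alone stops working.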

Expert Comment

by:Seth Simmons
ID: 40845896
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.