1. Give the Domain Users group Read access to the root of the drive that will hold the home folders (commonly C:\).
2. Create a group for the people who will have a home directory and add those users to it.
3. Create a share for the "home" directory anywhere you like.
4. On the Security tab of that folder, give the group a Deny entry for List Folder Contents so users cannot browse the other users' folders; on the Share Permissions tab give the same group Change and Read. Check the per-user folders after they are created: if the Deny has inherited into them, users will not be able to list their own files, so scope it to this folder only.
5. In Active Directory Users and Computers, open the user's properties, go to the Profile tab, and set the home folder to \\server name\share name\%username%
The fifth step automatically creates the folder and gives that person exclusive permissions.
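The same setup as a script, added here as an example and not part of the original post. It assumes a current Windows Server with the ActiveDirectory and SmbShare PowerShell modules rather than the Server 2003 box the steps above describe, and D:\Home, HomeUsers, the share name home and drive letter H: are placeholders. One difference from the GUI: Set-ADUser only writes the attribute and does not create the folder the way the ADUC Profile tab does, so the script creates each folder and sets its permissions itself.

```powershell
# Added example, not from the original post: scripts steps 2-5 above on a
# current Windows Server (ActiveDirectory + SmbShare modules assumed).
# D:\Home, HomeUsers, 'home' and H: are placeholders. Step 1 (Read on the
# drive root for Domain Users) is left to the GUI as described.
Import-Module ActiveDirectory
Import-Module SmbShare

$Root   = 'D:\Home'          # step 3: where the home folders live
$Share  = 'home'
$Group  = 'HomeUsers'        # step 2: who gets a home directory
$Domain = (Get-ADDomain).NetBIOSName
$Server = $env:COMPUTERNAME

function New-AccessRule([string]$Identity, [string]$Rights, [string]$Inherit, [string]$Type) {
    # Wraps FileSystemAccessRule(identity, rights, inheritance, propagation, type)
    New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
        $Identity, $Rights, $Inherit, 'None', $Type)
}

# Step 2: the group (created if missing; members are added by hand or elsewhere)
if (-not (Get-ADGroup -Filter "Name -eq '$Group'")) {
    New-ADGroup -Name $Group -GroupScope Global -GroupCategory Security
}

# Step 3: the folder and the share. Share permission Change implies Read,
# which is the "change and read" pair from the GUI.
New-Item -ItemType Directory -Path $Root -Force | Out-Null
if (-not (Get-SmbShare -Name $Share -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $Share -Path $Root -ChangeAccess "$Domain\$Group" | Out-Null
}

# Step 4, NTFS side: Deny List Folder / Read Data on the root, this folder
# only (InheritanceFlags None) so it never reaches the per-user folders.
# Users still reach \\server\home\<name> because "Bypass traverse checking"
# is granted to Everyone by default.
$rootAcl = Get-Acl $Root
$rootAcl.AddAccessRule((New-AccessRule "$Domain\$Group" 'ListDirectory' 'None' 'Deny'))
Set-Acl -Path $Root -AclObject $rootAcl

# Step 5: one folder per member with inheritance broken, so the root's Deny
# (and any later change at the root) stays out of it. The user gets Modify
# rather than Full Control so they cannot re-share their folder by editing
# its ACL; Administrators and SYSTEM keep Full Control for backups/admins.
Get-ADGroupMember -Identity $Group | Where-Object { $_.objectClass -eq 'user' } | ForEach-Object {
    $sam  = $_.SamAccountName
    $path = Join-Path $Root $sam
    New-Item -ItemType Directory -Path $path -Force | Out-Null

    $acl = Get-Acl $path
    $acl.SetAccessRuleProtection($true, $false)     # stop inheriting, drop inherited ACEs
    $acl.AddAccessRule((New-AccessRule 'BUILTIN\Administrators' 'FullControl' 'ContainerInherit,ObjectInherit' 'Allow'))
    $acl.AddAccessRule((New-AccessRule 'NT AUTHORITY\SYSTEM'    'FullControl' 'ContainerInherit,ObjectInherit' 'Allow'))
    $acl.AddAccessRule((New-AccessRule "$Domain\$sam"           'Modify'      'ContainerInherit,ObjectInherit' 'Allow'))
    Set-Acl -Path $path -AclObject $acl

    # The attribute the Profile tab sets: \\server\share\%username% and the drive letter
    Set-ADUser -Identity $sam -HomeDirectory "\\$Server\$Share\$sam" -HomeDrive 'H:'
}
```

Run it once as a domain admin on the file server; re-running is safe because the group, share and folders are only created when missing and the ACL rules are re-applied, not duplicated.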
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj5fEislyy0LZnvz6Wp-WDiwM3jYKFcKHRUcDVD1q0Y3Vfb64WPdaxGYLGyQdlKJ9ntNlt0N63fBJLXQweNKVwNCFiDhsTTFpobJGJCJgiwf1k-vPCZh5gT63LIGv3H4xMOdQ7z/s150/Untitled.jpg)
Friday, September 21, 2007
Wednesday, September 12, 2007
Locking down a Windows 2003 terminal server
http://www.microsoft.com/windowsserver2003/techinfo/overview/lockdown.mspx
That page is where you can download a basic guide to locking everything down. Some things to remember.
You can lock down the server in three ways:
a. Without Active Directory, via Local Group Policy. Local policy applies to everyone who logs on to the box, so this locks out the administrator as well.
b. With Active Directory and loopback processing enabled, then configuring the user settings in a GPO linked to the terminal server's OU. The same user account can then log in to the locked-down terminal server without those settings interfering with the group policy it gets everywhere else. (For this option and option c., put the terminal server in its own organizational unit.) With this option, be sure to go into the security settings of the GPO and set Deny on Apply Group Policy for Domain Admins, or whoever else you want to have regular access to the terminal server; otherwise loopback applies the lockdown to them too.
c. With Active Directory and loopback processing disabled. Only do this if the users accessing the server sit in the OU the locked-down GPO is linked to and they never need to access any other node on the network with anything other than these permissions, because without loopback the user settings follow the account wherever it logs on. Some people set up separate user accounts in this scenario; you would do that if the person needs regular access to other nodes on the network while being locked down on the TS.
These are the only three that I'm aware of that you could possibly need. Hope it helps.
One extra setting I noticed helps: disabling IE access for the users, because they can still get to IE regardless of whether or not you removed the IE icon from the desktop.
Here are the instructions for that.
Disabling Internet access for users
In the GPO, under User Configuration\Windows Settings\Internet Explorer Maintenance\Connection\Proxy Settings: click Enable proxy settings, make sure the same proxy is used for all protocols, then set the server to any non-existent local server (the computer name noserver works fine).
Apply the policy.
Every attempt by a user to open a web page in IE will now fail, because the proxy name never resolves and the request times out or errors out.
Also, you may want to go to User Configuration\Administrative Templates\Windows Components\Internet Explorer in the same GPO and enable 'Disable changing proxy settings'. Without it a user can simply clear the proxy in Internet Options and the block is gone. Keep in mind this only affects programs that honour the IE proxy settings; anything that talks to the network directly is not blocked.
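A quick way to confirm the three settings above are actually in effect for a session, added here as an example and not part of the original post. Run it as the restricted user inside a terminal server session; it reads the documented policy registry keys and reports loopback mode, the proxy sinkhole, and the proxy lock. The proxy name noserver is the placeholder from the post, and the function name is mine.

```powershell
# Added example, not from the original post: read-only check of the lockdown
# settings described above, run from inside the user's TS session.
# 'noserver' is the placeholder proxy name used in the post.
function Get-TsLockdownState {
    param([string]$ExpectedProxy = 'noserver')

    $loopbackKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
    $inetKey     = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $ieCplKey    = 'HKCU:\Software\Policies\Microsoft\Internet Explorer\Control Panel'

    # Loopback processing (option b.): UserPolicyMode 1 = Merge, 2 = Replace,
    # value absent = not configured (option c.).
    $mode = (Get-ItemProperty -Path $loopbackKey -Name UserPolicyMode -ErrorAction SilentlyContinue).UserPolicyMode
    $loopback = switch ($mode) { 1 { 'Merge' } 2 { 'Replace' } default { 'Not configured' } }

    # Proxy sinkhole pushed by IE Maintenance: ProxyEnable=1 and ProxyServer
    # pointing at the non-existent host. A per-protocol list looks like
    # "http=host:80;https=host:443", a single proxy like "host:80".
    $inet       = Get-ItemProperty -Path $inetKey -ErrorAction SilentlyContinue
    $proxyOn    = ($inet.ProxyEnable -eq 1)
    $sameForAll = [bool]$inet.ProxyServer -and ($inet.ProxyServer -notmatch '=')
    $proxyHost  = if ($inet.ProxyServer) {
        ((($inet.ProxyServer -split ';')[0] -replace '^\w+=', '') -split ':')[0]
    } else { '' }
    $sinkholed  = $proxyOn -and $sameForAll -and ($proxyHost -ieq $ExpectedProxy)

    # 'Disable changing proxy settings' writes Proxy=1 under the IE Control Panel policy key.
    $locked = ((Get-ItemProperty -Path $ieCplKey -Name Proxy -ErrorAction SilentlyContinue).Proxy -eq 1)

    # The sinkhole only works while the name does not resolve. If someone can
    # register a host by that name, every user's browser starts using it as a proxy.
    $resolves = $false
    try { [void][System.Net.Dns]::GetHostEntry($ExpectedProxy); $resolves = $true } catch { }

    [pscustomobject]@{
        LoopbackMode      = $loopback
        ProxyEnabled      = $proxyOn
        ProxyServer       = $inet.ProxyServer
        ProxySinkholed    = $sinkholed
        ProxyChangeLocked = $locked
        SinkholeResolves  = $resolves
        Effective         = $sinkholed -and $locked -and -not $resolves
    }
}

Get-TsLockdownState | Format-List
```

If Effective comes back False, the field that is wrong tells you which of the three settings did not apply; a Not configured LoopbackMode on a box you meant to run in option b. usually means the GPO is linked to the wrong OU or the admin's Deny on Apply Group Policy is also catching the test account.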
Labels: citrix, terminal server, windows 2000, windows 2003