Custom Login permissions:

Eric H, Vela

Is this even possible?

This is a test scenario I'm trying to create for experimentation: 2000
Server AD Domain with Terminal Services; XP Workstations on Domain with DNS
pointed to server (and server forwarded to ISP DNS) <- This part is done.
It's the user login permissions I need help with.
Built-in Domain Administrator will not be used whenever possible.
User A = Domain Admin; I want this user to be accessible ONLY through
"RunAs"... I don't want this user to be able to log in to any desktop on the
server or workstations.
User B = Domain Guest; Disabled
User C = Domain User; I want this user to access ONLY the server through
either local or Terminal Service login; no workstation access
User D = Domain User; I want this user to access ONLY the workstations as
Power User on the workstations
User E = Domain User; I want this user to access ONLY the workstations as
Power User on the workstations
Users F = Administrator local to workstations

It seems simple, but I'm at a complete loss where to begin. Any advice?

For an added bonus, if there is a way to restrict User A to be "RunAs"
explicitly only from User C, User D, and User E (and *not* Users F), please
let me know how.

Thanks in advance
Eric
 
Gautam Anand

Most of what you said is possible! But you would need to test and
re-test and configure and re-configure to get all of the combinations
right without destroying functionality.

The trick here is going to be placing the workstations and Terminal
Servers and Users in appropriate OUs. And then applying the correct
GPOs to them.

Look at Group Policies - User Right Assignment (gpedit.msc - computer
settings - Windows Settings - Security Settings - Local Policies -
User Rights Assignment).......more.....

http://www.microsoft.com/technet/security/topics/issues/w2kccadm/localpol/w2kadm12.mspx

http://www.microsoft.com/technet/prodtechnol/windows2000serv/deploy/confeat/08w2kadb.mspx

http://support.microsoft.com/kb/220019/EN-US/

http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/uratopnode.mspx

http://www.google.co.in/search?hl=en&q="user+rights+assignment"+site:microsoft.com&meta=


--
+----------------------------------+
I reply at the news groups only on weekends. If you need to contact
me, I'm available on MSN Messenger at heygautam at hotmail
Thanks
Gautam Anand
+----------------------------------+
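An added example, not part of either post: a small audit that reads the `[Privilege Rights]` section of secedit-style security templates, one per OU, and compares the effective "Log on locally" result with the logon matrix asked for in the question. The template contents, the account names (UserA, UserC, UserD, UserE, LocalAdminF) and the group memberships are constructed assumptions; only `SeInteractiveLogonRight` and `SeDenyInteractiveLogonRight` are real user-right names.

```python
import configparser

# Constructed secedit-style exports, one per OU (names are hypothetical).
TEMPLATES = {
    "server": """[Privilege Rights]
SeInteractiveLogonRight = Administrators,UserC
SeDenyInteractiveLogonRight = Guest,UserD,UserE
""",
    "workstation": """[Privilege Rights]
SeInteractiveLogonRight = Administrators,Power Users
SeDenyInteractiveLogonRight = Guest,UserC
""",
}
# Constructed local group membership on each kind of machine.
GROUPS = {
    "server": {"UserA": {"Administrators"}},
    "workstation": {"UserA": {"Administrators"}, "UserD": {"Power Users"},
                    "UserE": {"Power Users"}, "LocalAdminF": {"Administrators"}},
}
# Desktop logon wanted in the question: (server, workstation).
WANTED = {"UserA": (False, False), "UserC": (True, False),
          "UserD": (False, True), "UserE": (False, True)}

def parse_rights(inf_text):
    """Return {right: set(principals)} from a [Privilege Rights] section."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep the case of the right names
    cp.read_string(inf_text)
    return {right: {p.strip().lstrip("*") for p in value.split(",") if p.strip()}
            for right, value in cp["Privilege Rights"].items()}

def can_logon_locally(user, role):
    """Allowed if the user or one of its groups holds the right and none is denied."""
    rights = parse_rights(TEMPLATES[role])
    principals = {user} | GROUPS[role].get(user, set())
    allowed = principals & rights.get("SeInteractiveLogonRight", set())
    denied = principals & rights.get("SeDenyInteractiveLogonRight", set())
    return bool(allowed) and not denied

def audit():
    """List (user, role, wanted, actual) where the templates miss the goal."""
    gaps = []
    for user, wanted in WANTED.items():
        for role, want in zip(("server", "workstation"), wanted):
            actual = can_logon_locally(user, role)
            if actual != want:
                gaps.append((user, role, want, actual))
    return gaps

if __name__ == "__main__":
    for gap in audit():
        print("mismatch: %s on %s wanted=%s actual=%s" % gap)
```

With these constructed templates the only gaps are User A on both machine types, because membership in Administrators carries the allow right. RunAs performs an interactive logon for the target account, so adding User A to the deny list to close that gap would also stop RunAs for User A on those machines.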
 
