group policy?

George Barley

Hello, and thank you in advance for helping me.

1. Running Windows 2000 Small Business Server.
2. The only server box we have does/is all of the
following: Domain Controller, Exchange server, ISA Server.
3. I need to have people physically log in on that box,
but I don't want them to have any (administrative) privileges. I
simply want them to run one application (it's a Printer
software, a RIP (Raster Image Processor)).
4. I am a beginner with AD. I understand Group Policy is
the way to do it, but after playing around with
Local/Domain/Site GPOs, I can't but get in a mess. I do
understand the precedence (highest GPO wins), but please
point me in the right direction: where should I start,
should I only mess with the user settings or both user and
computer; which level should I create the GPO at? Anything
else that may help me, since I may not be asking the right
questions.

Thank you very much,
GeBar
(e-mail address removed)
 
Chriss3

Hello George, you have to do this in the Default Domain Controllers Policy at
the Domain Controllers OU.

Computer Configuration\Windows Settings\Security Settings\Local
Policies\User Rights\Allow Logon Locally.

Here you should define the group or set of users.
 
George Barley

Christoffer,

Thank you.

I am guessing you mean open Active Directory Users and
Computers, right click on the domain (I only have one
domain), select Properties, select the Group Policy tab.
That's where I have only one GPO, called "Default Domain
Policy." But if I do that, those users will have all
privileges, won't they?

I don't think you mean go to Start>Programs>Administrative
Tools>Domain Controller Security Policy, because there I
don't have the options you mentioned ("Computer
Configuration\Windows Settings\Security Settings\Local
Policies\User Rights\Allow Logon Locally")

I appreciate your help.
George (GeBar)
 
Chriss3

I meant you should right click the Domain Controllers OU and define it in
the Default Domain Controllers Policy. If you set this policy in Default
Domain Policy it will apply to all computers in your domain.
 
George Barley

Chris,

Thank you for your patience.

I went to "Start>Programs>Administrative
Tools>Domain Controller Security Policy." It's already set for "Print
Operators" to be able to log on locally on the domain controller, so I
just added the users I want to give access to that group.

Now, I not only don't want them to modify any Active
Directory/IIS/ISA/Exchange settings, I don't want them to even be
allowed to "see" those. I don't want them to even browse the internet or
do e-mail. I want them to simply be allowed to use one application. How
can I achieve that while not disallowing myself (admin) from those settings?

Thanks again,
George
(e-mail address removed) (get rid of "_nospam" to email me)
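
Added example, not part of any post in this thread: a small audit that parses the `[Privilege Rights]` section of a security template (the format written by `secedit /export`) and lists every user right a built-in group holds, so the effect of adding users to a group that has the "log on locally" right (`SeInteractiveLogonRight`) can be reviewed. `SAMPLE_INF` and its assignments are constructed for illustration and are not taken from the poster's server; the function names are hypothetical.

```python
# Constructed sample template; a real one comes from: secedit /export /cfg <file>
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-548,*S-1-5-32-549,*S-1-5-32-550,*S-1-5-32-551
SeLoadDriverPrivilege = *S-1-5-32-544,*S-1-5-32-550
SeShutdownPrivilege = *S-1-5-32-544,*S-1-5-32-549,*S-1-5-32-550,*S-1-5-32-551
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-549,*S-1-5-32-551
[Version]
signature="$CHICAGO$"
"""

# Well-known SIDs of the built-in groups referenced above.
WELL_KNOWN = {
    "S-1-5-32-544": "Administrators",
    "S-1-5-32-548": "Account Operators",
    "S-1-5-32-549": "Server Operators",
    "S-1-5-32-550": "Print Operators",
    "S-1-5-32-551": "Backup Operators",
}

def parse_privilege_rights(inf_text):
    """Return {right_name: [principal, ...]} from the [Privilege Rights] section."""
    rights, section = {}, None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):          # blank line or INF comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section == "privilege rights" and "=" in line:
            name, _, value = line.partition("=")
            sids = [m.strip().lstrip("*") for m in value.split(",") if m.strip()]
            rights[name.strip()] = [WELL_KNOWN.get(s, s) for s in sids]
    return rights

def rights_held_by(rights, principal):
    """Every right the principal holds, not only local logon."""
    return sorted(r for r, members in rights.items() if principal in members)

def non_admin_local_logon(rights):
    """Principals other than Administrators that may log on at the console."""
    return [m for m in rights.get("SeInteractiveLogonRight", []) if m != "Administrators"]

if __name__ == "__main__":
    parsed = parse_privilege_rights(SAMPLE_INF)
    print("Local logon besides Administrators:", non_admin_local_logon(parsed))
    print("Print Operators hold:", rights_held_by(parsed, "Print Operators"))
```

In the constructed sample, Print Operators holds the driver-loading and shutdown rights in addition to local logon, which is the kind of inherited right this listing is meant to surface before users are added to a group.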
 
George Barley

Chris, thanks.

I understand how to create a new policy for the domain, an OU, or site,
but I want another policy for the Domain Controller, that only applies
when a user logs on physically to the Domain Controller machine. I want
the settings (in that policy) for "Print Operators," for example, to be
different than the settings for the Administrators, Domain Admins groups.

How do I create a new policy for the Domain Controller so I can
differentiate between Admins logging on and "Print Operators" or any
other group I choose?

(To remind you, I want Admins to do whatever they want when logging on
to the Domain Controller, but I also want a small group of users to log
in to the same Domain Controller machine, but be able to only use a
certain application).

Thanks for the patience and advice,
George
(e-mail address removed) (get rid of "_nospam" to email me)
 
