limit user to just 1 network folder

[zuke]

Hello,

Is there a way to use groups to limit a user to just one network directory.
I have W2K AD with two domains, one forrest: one domain is sub to the 'root'
domain.

The goal is to have this one account, which by default, is a member of the
domain users group, logon to just one PC and be able to see just one shared
folder in the network.

This PC will be in a semi-public space, so I do not want the user to see any
of the network resources. There is an ACCESS database that must reside on
the DC to connect to a SQL database.

I can easily restrict access to the one folder, it is preventing the user
from seeing the rest of the network that has me stumped.

Regards,
Zuke

I'm a bit of a newbie. The

 

[Ada Pan [MSFT]]

Hi Zuke,

According to your description, I understand that you want to limit one
domain user to only see one shared folder in the network. If I have
misunderstood your concern, please feel free to let me know.

Based on my experience and research, there is a new feature "Access-based
Enumeration" included with Windows Server 2003 Service Pack 1 can achieve
your goal. This allows users of Windows Server 2003-based file servers to
list only the files and folders to which they have access when browsing
content on the file server. This eliminates user confusion that can be
caused when users connect to a file server and encounter a large number of
files and folders that they cannot access.

However, it cannot be achieved in Windows 2000 AD. To achieve your goal,
you might need to upgrade to Windows 2003 AD.

For more information, please refer to the following article:

Access-based Enumeration
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/Booko
fSP1/f04862a9-3e37-4f8c-ba87-917f4fb5b42c.mspx

And you can download it from:

Download: Windows Server 2003 Access-based Enumeration
http://www.microsoft.com/downloads/details.aspx?FamilyID=04a563d9-78d9-4342-
a485-b030ac442084&DisplayLang=en

Please note that this tool is based on folder level, we cannot hide the
domain.

Hope it helps.

Regards,

Ada Pan

Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security
=====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.

 

[zuke]

You know, what can be done is going to each and every share and restrcting
this users' access.

Surely there must be away to accomplish this without visiting the properies
of each and every share on the network.

Its hard to imagine no one else has this need.

Perhaps there is another newsgroup that would be mnore appropriate?

Regards,
Zuke

 

[lforbes]

You know, what can be done is going to each and every share and

restrcting this users’ access. Surely there must be away to
accomplish this without visiting the properies of each and every share
on the network. Its hard to imagine no one else has this need.

Hi,

There is a way to do this which is basically take away all access to
My Network Places. Remove the ability to Map, the command prompt etc.
You can even hide all icons on desktop and have a shell window open.

You can pretty much lock down everything with Group Policy.

Otherwise the only way to do this is to set permissions on the shares
on your server. I do this by default so that the only ones allowed
access are the ones with the need to.

Cheers,

Lara

 

[Ada Pan [MSFT]]

Hello Zuke,

I am sorry to say that we can't achieve your goal that each user can only
see the shared folder that he/she can access while cannot see other shared
folders which they haven't permission to access in Windows 2000 domain.

Of course it is required by many users, so that this Access-based
Enumeration feature is added and becomes available in Windows 2003 SP1.
However, the only way we can do in Windows 2000 domain is to set the
appropriate permissions on each folder.

Hope it helps.

Regards,

Ada Pan

Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security
=====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.

 

[zuke]

That sounds great.

How does one remove access to My Network Places? I know I can remove it from
the Start Menu, but a savvy (restricted) user can add it right back.

I wouild like to remove access to My Network Places adn to remove the
ability to Map, the command prompt etc.

How do I do this using Group Policy?

Or can you point me to a primer on Group Policy? It seems a little difficult
to use.

Regards,
Zuke