Local Power Users Group

Guest

Currently a user who is in the local Power Users group can open My Network
Places and see all computers and servers listed. When they try to open a
member server or a computer, they are prompted for a network administrator's
password. But, they are able to open a domain controller and have Write
access to the domain controller. Is there a way to restrict/disable a Power
User from accessing Domain Controllers on the network? Or better yet,
hide/disable My Network Places for Power Users Group?
Thanks,
GW
 
Roger Abell [MVP]

Hiding My Network Places or otherwise crippling the ability
to browse the MS client/server network does not really make
anything unavailable, except browsing the list of what is there.

The issue you have is not that the account is a Power User on
some machine. The issue is what grants exist to the account
of the domain that they are using, or to groups of which it is a
member, and this is so whether we consider the grants on the
domain controllers or on other servers that they access.

Roger
 
Guest

It's OK that it doesn't really make it unavailable. I want to keep a user
from browsing the lists of what is there. Or, if they can browse the list,
make them unable to open the domain controllers and see and access what's on
the drivers. Is the OS capable of doing this and if so, can you give me the
steps to follow to make the changes?
Thanks,
GW
 
Roger Abell [MVP]

You cannot prevent them from browsing the list of machines
except by not running the Computer Browser and Workstation
services on the machines that they use.

To prevent them from looking into shares on machines you
need to make sure that they have no grants on those shares.

That means making sure that the account they use, or groups
in which it is a member, have no grants on those shares.
If you have granted that account (or its groups) access, then
you cannot expect the account to have no access. If the account
(or its groups) has no grants, then it will have no access.

The grants can be controlled at either the share level (the
permissions tab on the Sharing dialog) or the NTFS level
(the Security dialog) in the properties of the shared.

Roger
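
The check described in the reply above, as an added example that is not part of the original thread or any poster's own code: a PowerShell audit, run elevated on the server, that lists every share where an account or one of its groups holds an allow entry at both the share level and the NTFS level. It assumes the SmbShare cmdlets (Windows 8 / Server 2012 or later); the `CONTOSO\...` names are constructed placeholders.

```powershell
# Added example. $Principals is a hypothetical list: put in the account being
# reviewed plus every group it belongs to. The built-in identities are listed
# because every domain account implicitly matches them.
param(
    [string[]]$Principals = @(
        'CONTOSO\gwuser',                    # constructed placeholder account
        'CONTOSO\Domain Users',              # constructed placeholder domain
        'Everyone',
        'NT AUTHORITY\Authenticated Users',
        'BUILTIN\Users'
    )
)

function Test-Principal([string]$Identity) {
    # -contains compares strings case-insensitively
    return $Principals -contains $Identity
}

# Skip shares with no folder behind them (for example IPC$)
$findings = foreach ($share in Get-SmbShare | Where-Object { $_.Path }) {
    # Share-level grants: the Permissions tab on the Sharing dialog
    $shareAces = Get-SmbShareAccess -Name $share.Name | Where-Object {
        $_.AccessControlType -eq 'Allow' -and (Test-Principal $_.AccountName)
    }
    # NTFS-level grants: the Security dialog of the shared folder itself
    $ntfsAces = (Get-Acl -Path $share.Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and (Test-Principal $_.IdentityReference.Value)
    }
    # Network access needs an allow at BOTH levels, so report only those shares.
    # Deny entries and ACLs on subfolders are not evaluated here: treat each row
    # as a grant to review, not as a full effective-access calculation.
    if ($shareAces -and $ntfsAces) {
        [pscustomobject]@{
            Share       = $share.Name
            Path        = $share.Path
            ShareGrants = ($shareAces | ForEach-Object { "$($_.AccountName):$($_.AccessRight)" }) -join '; '
            NtfsGrants  = ($ntfsAces  | ForEach-Object { "$($_.IdentityReference):$($_.FileSystemRights)" }) -join '; '
        }
    }
}

$findings | Format-Table -AutoSize -Wrap
```

An empty result means none of the listed principals has an allow entry at both levels on any share root of that server.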
 