Locking Down a Demo User

Mark

Good afternoon,

We have a three-server deployment. The first one (Server1) is
an Active Directory/DNS/Exchange/File Server. The second
(Server2) is an application server. The third (Server3) is
a Terminal Server running on Windows Server 2003 with
Terminal Server 2003 CALs. We have a demo terminal server
user that at the moment can see shared folders on Server1
and Server2. This user is actively accessing Server1 for
Exchange and Server2 for another application. I was just
wondering if it was possible to prevent this user from
viewing shared folders on Server1 and Server2 without
losing access to Exchange and the other application on
Server2. Can this be done at all? I have researched the
issue, but all I found was to uninstall File and Printer
Sharing on Server1 and Server2. I do not wish to go
that route because other users will need access to the
network folders at times. Also, I am in no way close to
being a guru or even an Active Directory administrator, so
I am unfamiliar with GPs. If GPs are the answer, how do I
access the domain group policy? Any help will be
appreciated. Thanks.

Mark
 
Tomasz Onyszko

Mark wrote:

network folders at times. Also, I am in no way close to
being a guru or even an Active Directory administrator, so
I am unfamiliar with GPs. If GPs are the answer, how do I
access the domain group policy? Any help will be
appreciated. Thanks.

Yes, a GPO is the answer to your question, but not a domain GPO :)
I think that the best approach will be to create a separate OU for the
demo users (is it only one account or many?) and place this user account
in this OU. Then on this OU you can create a GPO object (right-click on
the OU, Properties, Group Policy tab) and edit it. In the User
Configuration section you can cut the user environment for this user down to a
minimum (disable all unneeded menu options and access to the Start menu, set
the desktop and block desktop modification), disable Run, disable Control
Panel and more. Place only two icons on the desktop: one for Outlook and
one for the second application's client (or an Internet browser, if IE is used to
access this application). You can also set a hash application restriction
rule to prevent this user from running other applications, for example
Explorer, cmd.exe and others (if he tries to :) ).


Do not modify the domain GPO in this way, because it will apply to all your
users in AD.
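The OU-scoped lockdown described above, as an added example that is not part of the original thread. It uses the ActiveDirectory and GroupPolicy PowerShell modules (Windows Server 2008 R2 or later with RSAT; on the Windows 2003 box in the thread the same values are set by hand in the GPO editor under User Configuration > Administrative Templates). The domain, OU name, account name, GPO name and the application client name `demoapp.exe` are assumptions. The "Run only specified Windows applications" allow-list is used as the scriptable counterpart of the hash rule Tomasz mentions; Software Restriction Policy hash rules themselves are created in the GPO editor.

```powershell
# Added example, not code from the thread. Assumed names: OU "Demo Users",
# account "demouser", GPO "Demo User Lockdown", application client demoapp.exe.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDN = (Get-ADDomain).DistinguishedName
$ouName   = 'Demo Users'
$ouDN     = "OU=$ouName,$domainDN"
$gpoName  = 'Demo User Lockdown'
$demoUser = 'demouser'

# 1. A separate OU for the demo account(s), so the GPO scope is only them.
if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$ouName'" -SearchBase $domainDN)) {
    New-ADOrganizationalUnit -Name $ouName -Path $domainDN
}
Get-ADUser -Identity $demoUser | Move-ADObject -TargetPath $ouDN

# 2. A GPO linked to that OU only (never to the domain root).
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $gpoName }
$linked = (Get-GPInheritance -Target $ouDN).GpoLinks | Where-Object DisplayName -eq $gpoName
if (-not $linked) { New-GPLink -Name $gpoName -Target $ouDN -LinkEnabled Yes | Out-Null }

# 3. User Configuration restrictions. These are the registry values behind the
#    Administrative Template policies; Set-GPRegistryValue writes them into the
#    GPO's user-side registry.pol.
$explorerKey = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$userPolicies = @{
    NoRun          = 1   # Remove Run from the Start menu
    NoControlPanel = 1   # Prohibit access to Control Panel
    NoSetTaskbar   = 1   # Prevent changes to Taskbar and Start menu settings
    NoSaveSettings = 1   # Don't save settings at exit (desktop stays as configured)
    NoNetHood      = 1   # Hide My Network Places, so shares cannot be browsed
    RestrictRun    = 1   # Run only specified Windows applications (allow-list below)
}
foreach ($name in $userPolicies.Keys) {
    Set-GPRegistryValue -Name $gpoName -Key $explorerKey -ValueName $name `
        -Type DWord -Value $userPolicies[$name] | Out-Null
}
# Disable the command prompt (2 = block cmd.exe but still allow batch files)
Set-GPRegistryValue -Name $gpoName `
    -Key 'HKCU\Software\Policies\Microsoft\Windows\System' `
    -ValueName DisableCMD -Type DWord -Value 2 | Out-Null

# 4. Allow-list for RestrictRun: only the two clients the demo user needs.
$allowed = @('outlook.exe', 'demoapp.exe')
for ($i = 0; $i -lt $allowed.Count; $i++) {
    Set-GPRegistryValue -Name $gpoName -Key "$explorerKey\RestrictRun" `
        -ValueName "$($i + 1)" -Type String -Value $allowed[$i] | Out-Null
}

# Review what the GPO now contains before testing with a demo logon.
Get-GPOReport -Name $gpoName -ReportType Html -Path "$env:TEMP\$gpoName.html"
```

Two caveats a practitioner should keep in mind: RestrictRun matches on file name only, so a user who can copy and rename a binary defeats it, which is exactly why Tomasz recommends hash rules for anything the user must genuinely not run; and because these are User Configuration settings linked to the user's OU, they follow the demo account to every machine it logs on to, not only the Terminal Server. Test with the demo account and with a regular account before linking to anything wider than the demo OU.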
 
Mark

Wow, Microsoft told me this newsgroup was fast but I didn't
expect this fast a response...hehe. Thanks a lot,
Tomasz. Gonna try your suggestion out.
 
Cary Shultz [A.D. MVP]

Mark,

If you want to lock down the demo user when he/she is making a Terminal
Server connection then I might suggest that you take a look at the following
MSKB Article:

http://support.microsoft.com/?id=278295

Granted, it is for WIN2000 but it should be close - if not exactly the same
for WIN2003.

That way, this demo user will be locked down when using the Terminal Server
but not when logging on 'normally'.

Now, to answer your question about not accessing (I think that you used the
term 'viewing') shared resources on Server1: I would think that you could
control this via share and NTFS permissions. Now, do you mean that you do
not want this demo user to be able to access shared resources, or that you do
not want this demo user to even be able to see that these shared resources
exist?

HTH,

Cary
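The share and NTFS permission approach Cary suggests, as an added example that is not part of the original thread, showing the difference between "access" and "see". The share name `Data`, the path `D:\Shares\Data` and the account `CORP\demouser` are assumptions. The `Smb*` cmdlets exist on Windows Server 2012 and later; on the Windows 2003 servers in the thread the share permissions are set in Computer Management, and Access-Based Enumeration is the separate ABE add-on for 2003 SP1 (`abecmd.exe`).

```powershell
# Added example, not code from the thread. Run on the file server as an admin.
# Assumed: share "Data" on D:\Shares\Data, demo account CORP\demouser.
$folder   = 'D:\Shares\Data'
$share    = 'Data'
$identity = 'CORP\demouser'

# "Access": an explicit NTFS Deny for the demo account on the shared folder.
# Deny ACEs are evaluated before Allow ACEs, so this wins over any Allow the
# account inherits through group membership (e.g. Domain Users).
$acl  = Get-Acl -Path $folder
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $identity,
    [System.Security.AccessControl.FileSystemRights]::ReadAndExecute,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Deny)
$acl.AddAccessRule($rule)
Set-Acl -Path $folder -AclObject $acl

# Belt and braces: a Deny at the share level too, so a later NTFS change does
# not silently reopen the share for this account.
Block-SmbShareAccess -Name $share -AccountName $identity -Force

# "See": Access-Based Enumeration hides files and folders the user has no Read
# permission on when listing the share's contents.
Set-SmbShare -Name $share -FolderEnumerationMode AccessBased -Force

# Verify the resulting ACEs for the demo account.
(Get-Acl -Path $folder).Access | Where-Object IdentityReference -eq $identity
Get-SmbShareAccess -Name $share
```

Note what this does and does not hide: ABE only hides items inside a share; the share name itself still appears when the user browses `\\Server1`. Hiding the existence of the share needs either a hidden share name (trailing `$`) or a user-side policy that removes network browsing (for example "No Entire Network in Network Locations"). None of these touch Exchange or the Server2 application, because MAPI and the application client do not depend on the file share's ACL.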
 
Tomasz Onyszko

Cary said:
Mark,

If you want to lock down the demo user when he/she is making a Terminal
Server connection then I might suggest that you take a look at the following
MSKB Article:

http://support.microsoft.com/?id=278295

Yes, Cary is right about this KB, but you have to remember that the
settings placed on the Terminal Server OU will be applied to all users
accessing terminal sessions on these servers.
Mark in his first post states, as far as I understood, that on these
servers there are regular users who should not be locked down and demo users
whose environment should be locked down completely. In that case, when he
follows this KB's guidelines he should also put some ACLs on this GPO
so as not to affect regular users with its settings.

But maybe I'm wrong about Mark's needs.
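The combination the two replies converge on, as an added example that is not part of the original thread: the Terminal Server OU approach from the KB article Cary linked (user settings applied through loopback processing on the computer's OU) together with the security filtering Tomasz asks for, so that only demo accounts get the lockdown while regular users of the same Terminal Server are untouched. The OU name `Terminal Servers`, the GPO names and the group `DemoUsers` are assumptions, and the GroupPolicy module requires Windows Server 2008 R2 or later (on 2003 the same ACL change is made on the GPO's Security tab).

```powershell
# Added example, not code from the thread. Assumed names: OU "Terminal Servers"
# containing Server3, group "DemoUsers" containing the demo account(s).
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDN   = (Get-ADDomain).DistinguishedName
$tsOU       = "OU=Terminal Servers,$domainDN"
$loopGpo    = 'TS Loopback'          # computer-side: turns on loopback
$lockGpo    = 'TS Demo Lockdown'     # user-side: the restrictions themselves
$demoGroup  = 'DemoUsers'

function Ensure-LinkedGpo([string]$Name, [string]$Target) {
    $gpo = Get-GPO -Name $Name -ErrorAction SilentlyContinue
    if (-not $gpo) { $gpo = New-GPO -Name $Name }
    $linked = (Get-GPInheritance -Target $Target).GpoLinks | Where-Object DisplayName -eq $Name
    if (-not $linked) { New-GPLink -Name $Name -Target $Target -LinkEnabled Yes | Out-Null }
    return $gpo
}

# 1. Loopback lives in its own GPO with default filtering (Authenticated Users,
#    which includes the Terminal Server's computer account). Replace mode (2):
#    whoever logs on to Server3 gets the user settings of GPOs linked to the
#    computer's OU, and their own OU's user settings are ignored for that session.
Ensure-LinkedGpo $loopGpo $tsOU | Out-Null
Set-GPRegistryValue -Name $loopGpo `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName UserPolicyMode -Type DWord -Value 2 | Out-Null

# 2. The lockdown GPO carries only User Configuration settings.
Ensure-LinkedGpo $lockGpo $tsOU | Out-Null
$explorerKey = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
foreach ($v in 'NoRun', 'NoControlPanel', 'NoNetHood', 'NoSetTaskbar') {
    Set-GPRegistryValue -Name $lockGpo -Key $explorerKey -ValueName $v `
        -Type DWord -Value 1 | Out-Null
}
Set-GPRegistryValue -Name $lockGpo `
    -Key 'HKCU\Software\Policies\Microsoft\Windows\System' `
    -ValueName DisableCMD -Type DWord -Value 2 | Out-Null

# 3. Security filtering on the lockdown GPO: drop the default Authenticated Users
#    entry so regular users of Server3 are not affected, and grant Read + Apply to
#    the demo group only. Under loopback the user still needs Apply on the GPO.
Set-GPPermission -Name $lockGpo -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel None -Replace | Out-Null
Set-GPPermission -Name $lockGpo -TargetName $demoGroup -TargetType Group `
    -PermissionLevel GpoApply | Out-Null
# Since MS16-072 the computer account must be able to read a GPO for its user
# settings to be processed at all; keep Read (not Apply) for Domain Computers.
Set-GPPermission -Name $lockGpo -TargetName 'Domain Computers' -TargetType Group `
    -PermissionLevel GpoRead | Out-Null

# 4. Show the resulting ACLs; then run "gpupdate /force" on Server3 and check
#    "gpresult /r" for a demo logon and for a regular logon.
Get-GPPermission -Name $loopGpo -All
Get-GPPermission -Name $lockGpo -All
```

Keeping loopback and the restrictions in two GPOs is deliberate: if the loopback setting sat in the filtered GPO, the Terminal Server's computer account would no longer have Apply on it and loopback would never switch on. With this split the demo account is locked down only inside a Terminal Server session, as the KB intends, while a regular user on the same server keeps a normal environment.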
 
Cary Shultz [A.D. MVP]

Tomasz,

I think that you are correct. I might not have considered everything in his
post, or not understood exactly what Mark wants/needs. He did state
'view' while I was approaching from an 'access' point of reference. I think
that this is the flaw in my response. He (Mark) might want to clarify
this. Or maybe there is no need for clarification and I did not get it.
That would not be the first time that this has happened! And will not be
the last, either!

Cary
 