question about Restricting access

[Xerxes]

Hi,
a kind of newbie question:
how can I restrict a user's access to other PCs and shared
files/folders and only give him access to his folders on the server,
the printers and Internet? I thought about disabling his account on
the AD but he needs access to his folders on the server.

Thanks.

 

[Guest]

the theory is this:
- you set up a domain local group and give it access rights to a resource
- you set up a domain global group and put it in to the corresponding domain
local group
- you put users into domain global groups

So if you had a directory called c:\secret and you wanted to give joe bloggs
access to it, but no one else. Create domain local groups called
"secret_L_ro" (for Local Read Only group) and "secret_c" (for Local Change
group), in the folder permissions tab, give those groups the corresponding
rights, ie: change or read only. Then, create domain global groups call
"secret_G_ro" & "secret_G_c". Put these groups into the corrsponding domain
local groups. Make JoeBloggs a member of either the "secret_G_ro" or the
"secret_G_c" group as required.
On teh "secret" folder, check the permissions, remove the everyone group if
it's there.

The principal is exactly the same for printers, except in place of the
"secret" folder, you'll be talking about "yourprinter" printer.


As for the Internet, how are you're suers connecting to the internet at
present??


Iain

 

[Guest]

To simplify this answer. You use NTFS security permissions to grant/deny
permissions to user groups. Sharing a folder/drive will enable you to
configure your NTFS permissions.

 

[Guest]

Drumgod, read the guys post, he's a newbie - you're answer is probably double
dutch to him. That's why I went so far in giving a detailed explanation that
is easily understood.
Judging from his question, it would appear that user groups, permissions,
etc is not something that he has come across as yet or doesn't totally
follow.

So before you start 'simplifying' answers, chek your audience

Iain

 

[Xerxes]

Thanks a lot for your assistance.
What I did was:
- created a group on the server, called it "no_acess"
- removed the user in question from domain users and added him to
"no_access" group
- on his own folders on the server, I added the "no_access" group
- on other folders, I removed "everyone", if it existed and repleaced
with "Domain users". I did the same thing with shared folders and
drives on other users' workstations. I tried it by loggin in as him
and it seems to work. However, being a newbie, I am not sue if I
missed any thing.