Read-Only Access to the entire server - everything, not just the Files & Folders

Norman

Hi,

My senior instructed me to give read-only access to a small group of people
on one server. However, this access would include "everything" on that
server, i.e., not just the read-only permission on files and folders, but
even the OS and system-level applications and properties: event log,
registry, IIS, system properties, network properties, control panel
...... EXCEPT they cannot change it. The server is a domain server running
W2k3 SP1.

Is there any way to achieve this requirement? I don't think any built-in
groups can do that. Could this be done via GPO?

Please help !

Norman
Steven L Umbach

That would not be entirely possible. You can restrict users by using access
control lists for NTFS and the registry, group membership, and user rights.
There are some files, such as userinit.exe, that would not allow the user to
log on to the computer if they had only read access to the file. Regular
users can configure some control panel items if they can open that control
panel applet.

The best you can do is to make sure the users are no more than regular users,
who simply will not have access to all he wants. Restrict access to registry
and folders/files to read access only for files they do not need to log on
to the computer, access the desktop, and otherwise do their job. You could
add their user group to access control lists with deny permissions for
everything but read, which you may have to do with the advanced permissions of
NTFS. Limit their user rights, which are already quite limited for a regular
user, and use Group Policy to restrict their access to what they do not need
with settings under User Configuration/Administrative Templates.

The other alternative is to add their group to the local Administrators group
and then try restricting them in the same way, though I would consider that a
dangerous option, as you ultimately cannot restrict a user who is in the
local Administrators group and is skilled and determined. --- Steve
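A concrete form of the "allow read, deny everything else" ACL approach described above, as an added example that is not part of the thread. It targets one folder tree and one registry key, not the whole system drive, because denying write on files such as userinit.exe breaks logon. The group name, folder and registry key are hypothetical placeholders; user rights and the Administrative Templates settings are not covered here because they are set through Group Policy, not ACLs.

```powershell
# Added example, not code from the original thread.
# Grants a group read-and-execute and explicitly denies every modifying right
# on a folder tree and a registry key, then lists the resulting rules.
# Assumptions (all hypothetical): domain group CONTOSO\ReadOnlyAuditors,
# folder D:\AppData, registry key HKLM:\SOFTWARE\ExampleApp.
# Run elevated. Requires Windows PowerShell (PowerShell 1.0 on W2k3 SP1).

$Group   = 'CONTOSO\ReadOnlyAuditors'
$Folder  = 'D:\AppData'
$RegKey  = 'HKLM:\SOFTWARE\ExampleApp'

# Apply to the container and everything beneath it.
$Inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$Prop    = [System.Security.AccessControl.PropagationFlags]::None

function Set-ReadOnlyFolderAcl {
    param([string]$Path, [string]$Identity)
    $acl = Get-Acl -Path $Path
    # ReadAndExecute rather than Read: plain Read would stop the user
    # running any executable stored under this tree.
    $allow = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $Identity, 'ReadAndExecute', $Inherit, $Prop, 'Allow'
    # Deny trumps Allow, so these rules win even if the group also gets
    # Modify or Full Control through some other group membership.
    $denyRights = [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
    $deny = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $Identity, $denyRights, $Inherit, $Prop, 'Deny'
    $acl.AddAccessRule($allow)
    $acl.AddAccessRule($deny)
    Set-Acl -Path $Path -AclObject $acl
}

function Set-ReadOnlyRegistryAcl {
    param([string]$KeyPath, [string]$Identity)
    $acl = Get-Acl -Path $KeyPath
    # ReadKey = QueryValues + EnumerateSubKeys + Notify + ReadPermissions.
    $allow = New-Object System.Security.AccessControl.RegistryAccessRule -ArgumentList $Identity, 'ReadKey', $Inherit, $Prop, 'Allow'
    $denyRights = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership'
    $deny = New-Object System.Security.AccessControl.RegistryAccessRule -ArgumentList $Identity, $denyRights, $Inherit, $Prop, 'Deny'
    $acl.AddAccessRule($allow)
    $acl.AddAccessRule($deny)
    Set-Acl -Path $KeyPath -AclObject $acl
}

function Show-GroupRules {
    # Lists only the rules that apply to the given identity, for verification.
    param([string]$Path, [string]$Identity)
    (Get-Acl -Path $Path).Access |
        Where-Object { $_.IdentityReference.Value -eq $Identity } |
        Select-Object IdentityReference, AccessControlType, IsInherited, *Rights
}

Set-ReadOnlyFolderAcl   -Path $Folder   -Identity $Group
Set-ReadOnlyRegistryAcl -KeyPath $RegKey -Identity $Group

Show-GroupRules -Path $Folder -Identity $Group
Show-GroupRules -Path $RegKey -Identity $Group
```

The explicit Deny entries are the point: an Allow of ReadAndExecute alone does nothing if the same users inherit Modify from, say, the local Users group on that tree. Test with a member of the group after applying it (attempt to create a file and to set a registry value; both should fail with access denied), and do not apply the folder function to %SystemRoot% or Program Files, since that reproduces the userinit.exe logon problem mentioned above.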
Roger Abell [MVP]

Cannot be accomplished.
Ask your senior to specify what they should have access to and
in what way (remote tools/shares, local login, remote desktop, etc.).
If your senior "grumps" about the looseness/limitations of Windows,
that it cannot do this, then ask them to do it with any Unix, where
it also cannot be done as stated by yourself.