granting a user access on a server (2003 sbs) without granting access to server apps

  • granting a user access on a server (2003 sbs) without granting access to server apps

    Basically, I have a need where I need to have a user actually run a 3rd party program on server SBS 2003 directly but we do not want to give that person any access to server controls, server apps etc... just the 1 application they need to run. Is there any way to do that and what permissions/policies do I have to address?

    My concern is that because the program they are running may write to temp folders or need to modify its own registry settings as part of its operation, that the levels of permissions/policy cannot be controlled enough to remove access to the other areas.

    I hope that makes sense but I have not been able to find any similar scenarios here or through a general Google search.

    Hope somebody can help .. (btw, the owner is insisting on trying to get this to work, I think it is absolutely the wrong thing to allow so I don't need to be reminded it's a stupid thing to do.).

  • #2
    Re: granting a user access on a server (2003 sbs) without granting access to server a

    Yes, you're right. And yes, it can be done, I think, though have never actually done it! Have a look at this http://www.microsoft.com/downloads/d...displaylang=en which is the Microsoft "Common Scenarios" GPO sample, which can be implemented to make a "kiosk" scenario. Apply this GPO to the user that you have granted logon locally rights to the server. Basically the kiosk allows only one application to run. There is no Start button, and all other ways to get into the system are blocked off, so the user can't do anything harmful, but the application still runs correctly. The sample gives just Internet Explorer as being the one to run, but you can change it to run xyz.exe only.

    There are other scenarios in that set but I think Kiosk is the one for you. Do please test this very thoroughly in a virtual server first, before unleashing it on your production server! I personally use Microsoft Virtual PC 2007 for this purpose, I install an SBS virtual machine and then I can make mistakes and learn as I go without harming real servers.
    Best wishes,
    PaulH.
    MCP:Server 2003; MCITP:Server 2008; MCTS: SBS2008



    • #3
      Re: granting a user access on a server (2003 sbs) without granting access to server a

      One more thing: Do not add the computer to either of the "managed" organisational units. If you have played around with "Common Scenarios" you'll know what that means - there are OUs for computers and OUs for users. Since you are in the unusual situation of doing this at the server, which you are rightly sceptical about, do not add the server to the managed OU as this will cause major problems for everybody who logs onto it (i.e. yourself) as an Administrator.

      I found that simply applying the Kiosk GPO to the user was sufficient to lock him down very tightly, and that there was no need to put the computer into the Highly Managed OU as is recommended. I would revise this opinion in a school environment, or an environment where users may be particularly aggressive or abrasive in their PC use, but for your needs, I think that the Kiosk OU for the user is good enough.
      Best wishes,
      PaulH.
      MCP:Server 2003; MCITP:Server 2008; MCTS: SBS2008
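
A read-only check an administrator could run in the test VM after applying the GPO, to confirm that per-user lockdown values are present in the restricted user's registry hive. This is an added example, not part of the thread or of Microsoft's sample: the list of policies is an assumption about what a kiosk-style GPO sets (the thread does not enumerate them), and `KioskHive` is a hypothetical name for a hive loaded by the administrator.

```powershell
# Added example: audit per-user lockdown policy values. Reads only, changes nothing.
# $HiveRoot is an assumption: 'HKCU:' for the logged-on user, or a loaded hive
# such as 'Registry::HKEY_USERS\KioskHive' (hypothetical name).
param(
    [string]$HiveRoot   = 'HKCU:',
    [string]$AllowedExe = 'xyz.exe'   # the single permitted program, as named in the thread
)

$explorer = "$HiveRoot\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
$system   = "$HiveRoot\Software\Microsoft\Windows\CurrentVersion\Policies\System"
$cmdPol   = "$HiveRoot\Software\Policies\Microsoft\Windows\System"

function Get-PolicyValue([string]$Path, [string]$Name) {
    # Returns $null when the key or the value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name } else { $null }
}

# Assumed set of restrictions; adjust it to the GPO actually deployed.
$checks = @(
    @{ Key = $explorer; Name = 'RestrictRun';          Desc = 'Run only specified Windows applications' },
    @{ Key = $explorer; Name = 'NoRun';                Desc = 'Remove Run from Start menu' },
    @{ Key = $system;   Name = 'DisableTaskMgr';       Desc = 'Remove Task Manager' },
    @{ Key = $system;   Name = 'DisableRegistryTools'; Desc = 'Prevent access to registry editing tools' },
    @{ Key = $cmdPol;   Name = 'DisableCMD';           Desc = 'Prevent access to the command prompt' }
)

$failed = 0
foreach ($c in $checks) {
    $v  = Get-PolicyValue $c.Key $c.Name
    $ok = ($v -ne $null) -and ([int]$v -ne 0)
    if ($ok) { $state = 'OK' } else { $state = 'MISSING'; $failed++ }
    '{0,-8} {1} ({2} = {3})' -f $state, $c.Desc, $c.Name, $v
}

# The allow-list lives in a subkey also named RestrictRun; it should hold only the one program.
$allowed = @()
$listKey = Get-Item -Path "$explorer\RestrictRun" -ErrorAction SilentlyContinue
if ($listKey) { $allowed = @($listKey.GetValueNames() | ForEach-Object { $listKey.GetValue($_) }) }
$extra = @($allowed | Where-Object { $_ -ne $AllowedExe })
if ($allowed.Count -eq 0 -or $extra.Count -gt 0) {
    $failed++
    "MISSING  allow-list should contain only $AllowedExe, found: $($allowed -join ', ')"
} else { "OK       allow-list contains only $AllowedExe" }

# Informational: a 'Custom user interface' policy replaces Explorer as the user's shell.
"INFO     custom user interface (Shell) = $(Get-PolicyValue $system 'Shell')"
if ($failed) { exit 1 }
```

A `MISSING` line for the Administrator account is expected when the GPO is applied to the restricted user only, as the posts above recommend.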
