  • User restriction

    Hello,

    I am running an AD domain with one Windows Server 2003 Domain Controller, and I am working with the Group Policy Management Console (GPMC).
    I want to allow simple users to work on my Domain Controller with some restrictions, but I don't want the restrictions to be applied to these users when they are working from their client computers, or to the users who log on to the DC (such as domain admins, server operators, etc.).
    I should not put this GPO on the Users container, nor on the Domain Controllers container.
    What should I do?

    Thx.

  • #2
    Re: User restriction

    I have to ask why you would want "users" working on your DC? Up / down side looks all DOWN to me. I realize this isn't addressing your query but I had to ask.
    Cheers,

    Rick

    ** Remember to give credit where credit is due and leave reputation points where appropriate **

    © 2006-2099 R Valstar. This post is offered "as is" for discussion purposes only with no express or implied warranty of any kind including, but not limited to, correctness or fitness for use. Nothing herein shall be construed as advice. Attempting any activity based on information in this post is done at your own risk.


    • #3
      Re: User restriction

      Because I have only 12 computers in the domain, including the DC server; I have 12 people in the office, and the 12 people shouldn't know he is sitting on the DC.


      • #4
        Re: User restriction

        Originally posted by moshik_levi
        Because I have only 12 computers in the domain, including the DC server; I have 12 people in the office, and the 12 people shouldn't know he is sitting on the DC.
        IMHO you should get another computer. Do you have apps like Office installed on your DC? That's a big no no. The server should be performing server functions, not workstation functions.
        Regards,
        Jeremy

        Network Consultant/Engineer
        Baltimore - Washington area and beyond
        www.gma-cpa.com


        • #5
          Re: User restriction

          Right on JeremyW. The up / down side of having a user run on your DC versus spending the $1K +/- on a cheapy workstation is a no-brainer.
          Cheers,

          Rick

          ** Remember to give credit where credit is due and leave reputation points where appropriate **

          © 2006-2099 R Valstar. This post is offered "as is" for discussion purposes only with no express or implied warranty of any kind including, but not limited to, correctness or fitness for use. Nothing herein shall be construed as advice. Attempting any activity based on information in this post is done at your own risk.


          • #6
            Re: User restriction

            HEAR HEAR, no user should be working on the DC.
            Get another computer, the price of a new one will outweigh the issues it will cause.
            "...if I turn out to be particularly clear, you've probably misunderstood what I've said" - Alan Greenspan


            • #7
              Re: User restriction

              I suppose the only up side is that we could expect moshik_levi to post frequently in the 2000/2003 server forum, thus giving the rest of us more practice.

              Joking aside, the rest of the guys are right of course. Never ever use a DC for such things. From my personal point of view I would never normally use the DC and User in the same sentence. You can end up in a world of trouble. As Jeremy points out, get yourself another PC/Workstation; it will save you a lot of work and headaches in the long run.
              The Univurse is still winning!

              W2K AD, WSUS, RIS 2003. ISA also AVG Server
              ** If contributors help you, recognise them and give reputation points where appropriate **


              • #8
                Re: User restriction

                Thx, I will consider buying another PC, but still, if I want the same user to have one policy restriction on one computer and another policy restriction on the other computer, what should I do? Is it possible?


                • #9
                  Re: User restriction

                  You're also going to have to think about changing the default domain security policy to grant the user logon rights to the DC, or even worse, add him to the local administrators group on the DC.

                  Take everyone's advice and just purchase a new workstation for the user. I'm sure you can pick up a Dell one for around £300 which is nothing to the cost / time involved in fixing your DC when the user decides he doesn't need c:\windows\ntds\NTDS.DIT

                  Michael
                  Michael Armstrong
                  www.m80arm.co.uk
                  MCITP: EA, MCTS, MCSE 2003, MCSA 2003: Messaging, CCA, VCP 3.5, 4, 5, VCAP5-DCD, VCAP5-DCA, ITIL, MCP, PGP Certified Technician

                  ** Remember to give credit where credit is due and leave reputation points where appropriate **


                  • #10
                    Re: User restriction

                    Originally posted by moshik_levi
                    Thx, I will consider buying another PC, but still, if I want the same user to have one policy restriction on one computer and another policy restriction on the other computer, what should I do? Is it possible?
                    Yes - put the computers in separate OUs with the relevant policies applied to the OUs. Make sure that you use loopback processing if you need to apply "User Only" policies depending on the machine they're logged into.


                    Tom
                    For my own and your protection, I do not provide support by private message under any circumstances. All such messages will be deleted and ignored.

                    Anything you say will be misquoted and used against you


                    • #11
                      Re: User restriction

                      Originally posted by Stonelaughter
                      Originally posted by moshik_levi
                      Thx, I will consider buying another PC, but still, if I want the same user to have one policy restriction on one computer and another policy restriction on the other computer, what should I do? Is it possible?
                      Yes - put the computers in separate OUs with the relevant policies applied to the OUs. Make sure that you use loopback processing if you need to apply "User Only" policies depending on the machine they're logged into.
                      The problem here is that the policy will apply to Domain Admins if you enable Loopback Processing. This is just not a feasible situation. Another problem is users have physical access to the DC, so there's a security risk right there. Plus, what apps will need to be installed and will they conflict with the DC's functions? You don't want to be in an unsupported configuration.
                      Regards,
                      Jeremy

                      Network Consultant/Engineer
                      Baltimore - Washington area and beyond
                      www.gma-cpa.com
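
The layout suggested in #10, with security filtering added so the user-side GPO does not reach administrators (the concern raised in #11), as an added example that is not part of the original thread. It assumes a separate workstation (not the DC) in its own OU, the GroupPolicy and ActiveDirectory PowerShell modules (newer tooling than the Server 2003 GPMC discussed here), and constructed names for the OU, group and GPOs.

```powershell
# Added example: OU path, group and GPO names and the sample restriction are
# constructed placeholders, not values from the thread.
Import-Module GroupPolicy, ActiveDirectory

$ou          = 'OU=Restricted Workstations,DC=example,DC=local'  # OU holding the shared PC
$group       = 'Restricted-Desk-Users'                           # existing security group
$loopbackGpo = 'Loopback - Restricted Workstations'
$userGpo     = 'User Restrictions - Restricted Workstations'

# GPO 1: computer-side switch that turns on loopback for machines in the OU.
# UserPolicyMode: 1 = Merge, 2 = Replace.
New-GPO -Name $loopbackGpo | Out-Null
Set-GPRegistryValue -Name $loopbackGpo `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 2 | Out-Null
New-GPLink -Name $loopbackGpo -Target $ou | Out-Null

# GPO 2: the user-side restrictions, linked to the same computer OU.
# Sample restriction: hide Control Panel.
New-GPO -Name $userGpo | Out-Null
Set-GPRegistryValue -Name $userGpo `
    -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' `
    -ValueName 'NoControlPanel' -Type DWord -Value 1 | Out-Null
New-GPLink -Name $userGpo -Target $ou | Out-Null

# Security filtering: only $group applies GPO 2. Authenticated Users drops to
# Read so computer accounts can still read the GPO, while accounts outside
# $group do not receive the restrictions when they log on to these machines.
Set-GPPermission -Name $userGpo -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name $userGpo -TargetName $group `
    -TargetType Group -PermissionLevel GpoApply | Out-Null

# Guard: the filter only spares admins if none of them is (nested) in $group.
$adminSids = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
             ForEach-Object { $_.SID.Value }
$overlap   = Get-ADGroupMember -Identity $group -Recursive |
             Where-Object { $adminSids -contains $_.SID.Value }
if ($overlap) {
    $names = ($overlap | ForEach-Object { $_.SamAccountName }) -join ', '
    Write-Warning "Domain Admins members inside ${group}: $names"
}

# Review the resulting filter on the user-side GPO.
Get-GPPermission -Name $userGpo -All | Select-Object Trustee, Permission
```

The loopback switch sits in its own GPO because the computer account must apply it, whereas the user-side GPO is filtered to the restricted group only.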


                      • #12
                        Re: User restriction

                        Originally posted by JeremyW
                        The problem here is that the policy will apply to Domain Admins if you enable Loopback Processing. This is just not a feasible situation. Another problem is users have physical access to the DC, so there's a security risk right there. Plus, what apps will need to be installed and will they conflict with the DC's functions? You don't want to be in an unsupported configuration.
                        Sorry I thought I was talking about the new situation after he's bought a new PC - not the existing situation with a user logged onto a DC.


                        Tom
                        For my own and your protection, I do not provide support by private message under any circumstances. All such messages will be deleted and ignored.

                        Anything you say will be misquoted and used against you


                        • #13
                          Re: User restriction

                          Originally posted by Stonelaughter
                          Sorry I thought I was talking about the new situation after he's bought a new PC - not the existing situation with a user logged onto a DC.
                          Hmm, yes, I think you might be right on how you read it. (I just reread it)
                          Regards,
                          Jeremy

                          Network Consultant/Engineer
                          Baltimore - Washington area and beyond
                          www.gma-cpa.com
