remove from eveyone group

[Andrew]

Hi everyone,

I need to have a user account that has no access to
anywhere on the network apart from 1 area, i have removed
from domain users but can still browse some shares and
intranet etc....I'd rather not resrict access on all our
shares and servers for 1 user as i would still be ehre
next year doping it, whats the quick way to do this?

Any help much appreciated

 

[Herb Martin]

You cannot do remove anyone from the "Everyone" group -- Windows doesn't
work this way.

'Everyone' is among the 'special groups' which might better be termed
'automatic groups';
the OS automatically checks everyone against the privileges and restrictions
on this group
as it does all local users using "interactive", network users using
"network", etc.

I need to have a user account that has no access to
anywhere on the network apart from 1 area, i have removed
from domain users but can still browse some shares and
intranet etc....

The real problem is the extraneous permissions given to Everyone --
sometimes by the
OS and sometimes by Admins.

A best practice -- seldom followed -- is to remvove ALL (or almost all)
references which
grant "Everyone" permissions. You can use SubInAcl.exe (resource kit) to
SUBstitute
another group INstead. Make sure you add all "trusted" users to this new
group.

Also consider that if you really care about security, then only limited
resources should be
assigned this way but rather specific groups for functional areas
(secretaries, programmers),
deparartments (engineering, manufacturing), or projects should be used to
grant access.

I'd rather not resrict access on all our
shares and servers for 1 user as i would still be ehre
next year doping it, whats the quick way to do this?

Don't give an untrusted user access or set your permissions to reflect that
untrusted users
are allowed in the environment -- in other words do it right instead of
band-aiding it. (See above.)