Windows2003\LimitingUserAccess\TS


Jeff

I am allowing a user onto my Windows 2003 server, using Terminal
Services. All I want the user to be able to do is get to his directory
on the F drive and be able to add\remove subfolders and files. I
assigned him to the folder and assigned him as a remote operator, but he
has access to control panel and all the drives and folders. How do I
accomplish this?

TIA
 
You might look into another way for the user to access the server such as a
mapped drive either on the LAN or over a VPN connection. Otherwise you will
have to use NTFS permissions and Group Policy to restrict the user. Group
Policy can be configured locally via gpedit.msc or better yet at the domain
or OU level for domain computers. The problem with local Group Policy is
that by default it applies to ALL users that log on to the computer, though
there are a couple of hacks to work around that. For Group Policy in particular
look at settings for restrictions under User Configuration/Administrative
Templates - various categories. For NTFS permissions add the user to a group
with deny permissions or add the user to deny permissions for folders/drives
you do not want him to access OR remove Everyone/Users from NTFS permissions
[leave Administrators/SYSTEM], assuming no other regular users need access,
for drives and folders you do not want him to access starting at the parent
folder where you want to restrict access. You would then want to check all
folders under the parent folder to see if any have explicit [non-inherited]
permissions that need to be modified. Do NOT assign deny permissions to
Users however as admins are in the Users group.
--- Steve
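
The check described in the reply above (finding folders under the parent that carry explicit, non-inherited permissions, and spotting Deny entries on broad groups) can be scripted. This is an added example, not part of the original post; it assumes PowerShell is available on the server or an admin workstation, and the `F:\` default and the list of broad groups are assumptions to adjust.

```powershell
# Added example: read-only audit of explicit (non-inherited) NTFS ACEs.
# Uses Get-Acl only; it changes no permissions.
param(
    [string]$Parent = 'F:\'   # assumption: the drive named in the question
)

# Broad groups (assumed list). An explicit Allow here keeps a folder open to
# every user; an explicit Deny here also hits administrators, as the reply warns.
$broad = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users'

# The parent itself plus every subfolder beneath it.
$folders = @(Get-Item -Path $Parent) +
           @(Get-ChildItem -Path $Parent -Recurse -ErrorAction SilentlyContinue |
             Where-Object { $_.PSIsContainer })

$findings = foreach ($folder in $folders) {
    $acl = Get-Acl -Path $folder.FullName -ErrorAction SilentlyContinue
    if (-not $acl) { continue }            # unreadable ACL: skip this folder

    foreach ($ace in $acl.Access) {
        if ($ace.IsInherited) { continue } # only explicit entries matter here

        $who  = $ace.IdentityReference.Value
        $note = ''
        if ($broad -contains $who) {
            if ($ace.AccessControlType -eq 'Deny') {
                $note = 'Deny on broad group: also affects admins'
            } else {
                $note = 'Broad group still has explicit access'
            }
        }

        New-Object PSObject -Property @{
            Folder   = $folder.FullName
            Identity = $who
            Type     = $ace.AccessControlType
            Rights   = $ace.FileSystemRights
            Note     = $note
        }
    }
}

# At the root of a drive every entry is explicit, so the root is always listed.
$findings | Select-Object Folder, Identity, Type, Rights, Note |
    Sort-Object Folder | Format-Table -AutoSize
```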
 
Steve:

Can I use vpn, with the user accessing the server through an internet
connection?

Thanks
 
Sure. That is what VPNs are for, to securely make a connection across the
internet via an encrypted virtual tunnel. Of course you need a VPN client on
the client and a VPN server or IPsec endpoint device at the other. Any
recent Windows operating system can also work as a VPN server for one
inbound connection and of course Windows Server can accommodate multiple VPN
connections. For a server you use the Remote Access Management Console to
configure your VPN server. You probably would be best off using PPTP which
can be very secure as long as MS-CHAPv2 authentication is used [Windows
2000/XP client] and a strong password is used for access. The link below can
get you started.
--- Steve

http://www.microsoft.com/resources/...2003/standard/proddocs/en-us/sag_vpn_ov02.asp
http://tinyurl.com/4p63b -- same link as above, shorter.
