Archived from groups: microsoft.public.win2000.active_directory (More info?)
I have a plant manager at one of our remote sites who has managed to
convince the powers that be, against my recommendations, that he needs to be
able to log on to the server at his plant (Server 2003 Std, DC, GC, DFS
Replica Partner). It's a small plant with fewer than 10 users, so this is the
only server. This plant is tied into the main corporate network via VPN, so
giving him access to this server means network-wide access.

I have tried to implement "Hack 74" from O'Reilly's latest Windows Server
Hacks (http://www.oreilly.com/catalog/winsvrhks/chapter/hack74.pdf), but when
I try to log on to the server as an "AD restricted user", I get an access
denied error... I have tried to change various permissions settings for the
restricted user group, but am having no luck getting things to work
correctly.

I am seeing very odd permissions being delegated throughout the system. For
instance, I set nearly everything but a few read permissions to Deny at the
top level of AD for this group, and set it to apply to this object and all
child objects. When I look at the effective permissions, everything is
correct except that, no matter what I do, I cannot get it to deny the Modify
Permissions property. When I drill down to the main OU that contains all the
remote plant accounts and look at another effective permission, it shows
that the same user account, which is a member of the restricted group, has
Full Control when looking at the effective permissions.

The way it looks, the explicit Deny entries are getting overwritten by the
Domain Admins group's explicit Allow permissions (the restricted admin group
is a member of the Domain Admins group). Why would an explicit Deny not take
precedence over a transitively inherited explicit Allow? It does everywhere
else!

Has anyone actually implemented this, or any similar restriction for a
remote office, before? If so, how did you do it, and what problems did you
run into?
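The post turns on two things an administrator can check directly rather than infer from the Effective Permissions tab: whether the "restricted" group is nested (directly or transitively) inside Domain Admins, and in what order the ACEs on the plant OU are evaluated. Windows evaluates explicit ACEs before inherited ones, and within each tier Deny before Allow, so a Deny that arrives at the OU by inheritance loses to an Allow written directly on that OU. The script below is an added example, not code from the thread or from the O'Reilly hack; it assumes the RSAT ActiveDirectory module, and the OU distinguished name and group name are placeholders to be replaced with your own.

```powershell
# Added example (not from the original thread): audit why a "restricted" group can still
# end up with broad rights on an OU. Assumes the RSAT ActiveDirectory module is installed;
# the OU DN and group name below are placeholders.
Import-Module ActiveDirectory

$ouDn            = 'OU=RemotePlants,DC=example,DC=com'   # placeholder OU
$restrictedGroup = 'Restricted Plant Admins'             # placeholder group name

# 1. Walk memberOf upward to collect every group the restricted group belongs to,
#    directly or through nesting. A hit on "Domain Admins" means the account holds
#    rights that no ACE on the OU can remove.
function Get-ParentGroups {
    param([string]$Identity, [hashtable]$Seen = @{})
    $grp = Get-ADGroup -Identity $Identity -Properties memberOf
    foreach ($parentDn in $grp.memberOf) {
        if (-not $Seen.ContainsKey($parentDn)) {
            $Seen[$parentDn] = $true
            Get-ParentGroups -Identity $parentDn -Seen $Seen | Out-Null
        }
    }
    return $Seen.Keys
}

$parents    = Get-ParentGroups -Identity $restrictedGroup
$nestedInDA = $parents | Where-Object { $_ -like 'CN=Domain Admins,*' }
if ($nestedInDA) {
    Write-Warning "$restrictedGroup is nested in Domain Admins. Group chain: $($parents -join '; ')"
}

# 2. List the OU's ACEs in the order Windows evaluates them:
#    explicit entries (IsInherited = False) first, then inherited ones;
#    within each tier, Deny before Allow.
$acl = Get-Acl -Path "AD:\$ouDn"
$acl.Access |
    Sort-Object @{Expression = 'IsInherited'}, @{Expression = { $_.AccessControlType -eq 'Allow' }} |
    Select-Object IdentityReference, AccessControlType, IsInherited,
                  InheritanceType, ActiveDirectoryRights, ObjectType |
    Format-Table -AutoSize

# 3. Flag the combination the thread describes: a Deny that only reaches this OU by
#    inheritance, sitting beside an Allow defined directly on the OU. The explicit Allow
#    is evaluated first and wins for any rights both entries cover.
$inheritedDeny = $acl.Access | Where-Object { $_.AccessControlType -eq 'Deny'  -and $_.IsInherited }
$explicitAllow = $acl.Access | Where-Object { $_.AccessControlType -eq 'Allow' -and -not $_.IsInherited }
foreach ($d in $inheritedDeny) {
    foreach ($a in $explicitAllow) {
        if (($d.ActiveDirectoryRights -band $a.ActiveDirectoryRights) -ne 0) {
            "Inherited Deny for $($d.IdentityReference) ($($d.ActiveDirectoryRights)) is " +
            "overridden by explicit Allow for $($a.IdentityReference) ($($a.ActiveDirectoryRights)) on $ouDn"
        }
    }
}
```

Run it from a domain-joined workstation with RSAT as an account allowed to read the OU's security descriptor. Step 1 is the decisive check: while the restricted group remains a member of Domain Admins, the account carries Domain Admins' own entries and ownership rights on every object, so a Deny placed on the restricted group never gets a chance to apply. Step 3 shows the precedence effect directly by pairing each inherited Deny with any explicit Allow on the same OU that overlaps it.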