Sign in with
Sign up | Sign in
Your question

Restrict user interactive access across forest.

Last response: in Windows 2000/NT
Share
Anonymous
June 15, 2005 1:53:56 PM

Archived from groups: microsoft.public.win2000.group_policy (More info?)

Hello,

Yesterday the pointy hairs asked me to setup an email account for an
external reseller. We have exchange 2003 so the email and user
accounts are of course the same thing. As far as I am aware there is
no quick and funky method to create a user that can only access his
email and not logon to workstations. The user in question is in a
child domain. I wanted to stop the user logging on interactively
anywhere (except for OWA). So, in the Child Domain Default policy I
added the user to the "deny local logon", "deny logon as a service"
and "deny logon as a batch job". I thought that would be a catchall
for wherever the user tried to logon, however it looks like I am wrong
*grumble*

The child domain in question is in a foreign country. I am physically
seated amongst the parent domain machines. I left the policy to
propogate for a few hours, and then tried to logon locally on one of
our local parent domain machines, and it let me log straight on *more
grumbelling*. I am aware that GPO's do not cross domain boundaries,
i.e. Policys set on the parent domain are not inherited by child
domains, but I presumed that when I logged on as the child domain
user, the child domain policy would be applied to that user where ever
he logged on in the forest. It looks like I am incorrect in that
presumption, can anyone confirm that?

That being the case the only way I can envisage locking this user down
then is to add him to the default GP for all the child domains and the
parent.... Can anyone think of a better way? Or for that matter does
anyone have a good guide on what to do when you only want to give a
user access to the Exchange email facilities?

TIA.

--
Alex Griffin
Anonymous
June 15, 2005 1:53:57 PM

Archived from groups: microsoft.public.win2000.group_policy (More info?)

Why not configure on his user account, under the Account tab, "Log On To..."
and put one workstation in there (put your's... you know he'll never log
onto it)

I don't think that'll keep him from getting into OWA

Just an idea

Ken
"Alex Griffin" <nntpuser@hotmail.com> wrote in message
news:o hqva1dnafvf9qptttjg9h2d7pvpk5cuua@4ax.com...
> Hello,
>
> Yesterday the pointy hairs asked me to setup an email account for an
> external reseller. We have exchange 2003 so the email and user
> accounts are of course the same thing. As far as I am aware there is
> no quick and funky method to create a user that can only access his
> email and not logon to workstations. The user in question is in a
> child domain. I wanted to stop the user logging on interactively
> anywhere (except for OWA). So, in the Child Domain Default policy I
> added the user to the "deny local logon", "deny logon as a service"
> and "deny logon as a batch job". I thought that would be a catchall
> for wherever the user tried to logon, however it looks like I am wrong
> *grumble*
>
> The child domain in question is in a foreign country. I am physically
> seated amongst the parent domain machines. I left the policy to
> propogate for a few hours, and then tried to logon locally on one of
> our local parent domain machines, and it let me log straight on *more
> grumbelling*. I am aware that GPO's do not cross domain boundaries,
> i.e. Policys set on the parent domain are not inherited by child
> domains, but I presumed that when I logged on as the child domain
> user, the child domain policy would be applied to that user where ever
> he logged on in the forest. It looks like I am incorrect in that
> presumption, can anyone confirm that?
>
> That being the case the only way I can envisage locking this user down
> then is to add him to the default GP for all the child domains and the
> parent.... Can anyone think of a better way? Or for that matter does
> anyone have a good guide on what to do when you only want to give a
> user access to the Exchange email facilities?
>
> TIA.
>
> --
> Alex Griffin
>
Anonymous
June 15, 2005 6:07:32 PM

Archived from groups: microsoft.public.win2000.group_policy (More info?)

On Wed, 15 Jun 2005 08:44:47 -0400, "Ken B" <none@microsoft.com>
wrote:

>Why not configure on his user account, under the Account tab, "Log On To..."
>and put one workstation in there (put your's... you know he'll never log
>onto it)
>
>I don't think that'll keep him from getting into OWA
>
>Just an idea

Hi Ken,

I did that before going down the GPO route. I just put in a BS name,
and felt very clever with myself, and indeed the user could not logon.
However, unfortunately that included the OWA login. Maybe I should go
back that way though and just add in the exch servers and the relevant
DCs which he should not be able to login to interactively anyway, but
which of course he needs to "logon" to in order for authentication.

--
Alex Griffin
Related resources
Anonymous
June 15, 2005 6:07:33 PM

Archived from groups: microsoft.public.win2000.group_policy (More info?)

That was going to be my next suggestion, if a garbage workstation name
didn't work.

Not /as/ secure, but it's a solution nonetheless

Ken

"Alex Griffin" <nntpuser@hotmail.com> wrote in message
news:1s90b1td9lnv88rbfdd655f2h40gh4tnt0@4ax.com...
> On Wed, 15 Jun 2005 08:44:47 -0400, "Ken B" <none@microsoft.com>
> wrote:
>
>>Why not configure on his user account, under the Account tab, "Log On
>>To..."
>>and put one workstation in there (put your's... you know he'll never log
>>onto it)
>>
>>I don't think that'll keep him from getting into OWA
>>
>>Just an idea
>
> Hi Ken,
>
> I did that before going down the GPO route. I just put in a BS name,
> and felt very clever with myself, and indeed the user could not logon.
> However, unfortunately that included the OWA login. Maybe I should go
> back that way though and just add in the exch servers and the relevant
> DCs which he should not be able to login to interactively anyway, but
> which of course he needs to "logon" to in order for authentication.
>
> --
> Alex Griffin
>
>
>
>
Anonymous
June 16, 2005 1:04:52 PM

Archived from groups: microsoft.public.win2000.group_policy (More info?)

On Wed, 15 Jun 2005 12:52:37 -0400, "Ken B" <none@microsoft.com>
wrote:

>That was going to be my next suggestion, if a garbage workstation name
>didn't work.
>
>Not /as/ secure, but it's a solution nonetheless

Unfortunately no dice here either. That interface only accepts netbios
names, and it seems either it cannot resolve them, or its failing for
some other reason. You cannot put in the full dns name, and the exch
server is unfortunately sited in the forest root domain, rather than
the child domain. I did try adding the netbios names anyway of the
exchange server, the 2 child dcs and the 2 forest root dcs, also tried
their IP addresses, but unfortunately had no luck.

--
Alex Griffin
Anonymous
June 16, 2005 2:36:54 PM

Archived from groups: microsoft.public.win2000.group_policy (More info?)

On Thu, 16 Jun 2005 09:04:52 +0100, Alex Griffin
<nntpuser@hotmail.com> wrote:


>You cannot put in the full dns name

Interestingly, the dialog for that option does say that netbios or a
valid dns name are the sort of entries you should put in there, but
the input area only allows 15 characters......*curses netbios*

--
Alex Griffin
!