Restrict user interactive access across forest.

Archived from groups: microsoft.public.win2000.group_policy

Hello,

Yesterday the pointy hairs asked me to set up an email account for an
external reseller. We have Exchange 2003 so the email and user
accounts are of course the same thing. As far as I am aware there is
no quick and funky method to create a user that can only access his
email and not log on to workstations. The user in question is in a
child domain. I wanted to stop the user logging on interactively
anywhere (except for OWA). So, in the Child Domain Default policy I
added the user to the "deny local logon", "deny logon as a service"
and "deny logon as a batch job". I thought that would be a catchall
for wherever the user tried to log on, however it looks like I am wrong
*grumble*

The child domain in question is in a foreign country. I am physically
seated amongst the parent domain machines. I left the policy to
propagate for a few hours, and then tried to log on locally on one of
our local parent domain machines, and it let me log straight on *more
grumbling*. I am aware that GPOs do not cross domain boundaries,
i.e. policies set on the parent domain are not inherited by child
domains, but I presumed that when I logged on as the child domain
user, the child domain policy would be applied to that user wherever
he logged on in the forest. It looks like I am incorrect in that
presumption; can anyone confirm that?

That being the case the only way I can envisage locking this user down
then is to add him to the default GP for all the child domains and the
parent.... Can anyone think of a better way? Or for that matter does
anyone have a good guide on what to do when you only want to give a
user access to the Exchange email facilities?

TIA.

--
Alex Griffin
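The "deny" entries used above live under User Rights Assignment, which is a Computer Configuration setting: the LSA of the computer where the logon is attempted evaluates them, so only a GPO linked to the domain or OU that contains that computer object applies, and a child-domain GPO never reaches a parent-domain workstation. The following is an added example, not code from the thread, that applies the same three deny rights on the local computer by merging the account's SID into the existing local policy with secedit (a GPO that carries the same template in its GptTmpl.inf achieves the same thing for every computer under its link). It assumes the ActiveDirectory RSAT module; the account name `reseller.mailbox` and the child-domain DC `child.example.com` are placeholders.

```powershell
# Added example (not from the thread): deny interactive, service and batch logon for one
# child-domain account on the computer this runs on, preserving the existing entries.
# Assumes the ActiveDirectory module; account and server names are placeholders.
#Requires -RunAsAdministrator
Import-Module ActiveDirectory

# Resolve the SID against a DC of the child domain explicitly (placeholders).
$account = Get-ADUser -Identity 'reseller.mailbox' -Server 'child.example.com'
$sid = '*' + $account.SID.Value      # security templates write SIDs with a leading '*'

# The three deny rights from the original post. SeDenyNetworkLogonRight is deliberately
# left alone: OWA and Outlook still need network logon to the Exchange server and the DCs.
$rights = 'SeDenyInteractiveLogonRight', 'SeDenyServiceLogonRight', 'SeDenyBatchLogonRight'

$work = Join-Path $env:TEMP 'deny-logon'
New-Item -ItemType Directory -Path $work -Force | Out-Null
$exportInf = Join-Path $work 'current.inf'
$applyInf  = Join-Path $work 'apply.inf'
$db        = Join-Path $work 'apply.sdb'

# 1. Export the current user-rights assignments. A template applied with /configure
#    REPLACES each right it lists, so the existing entries must be carried over.
secedit /export /cfg $exportInf /areas USER_RIGHTS /quiet | Out-Null
$current = @{}
foreach ($line in Get-Content $exportInf) {
    if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
        $current[$matches[1]] = @($matches[2] -split ',' |
            ForEach-Object { $_.Trim() } | Where-Object { $_ })
    }
}

# 2. Build a template that adds the account to each deny right (idempotent).
$lines = @('[Unicode]', 'Unicode=yes', '[Version]',
           'signature="$CHICAGO$"', 'Revision=1', '[Privilege Rights]')
foreach ($r in $rights) {
    $entries = @()
    if ($current.ContainsKey($r)) { $entries = @($current[$r]) }
    if ($entries -notcontains $sid) { $entries += $sid }
    $lines += "$r = $($entries -join ',')"
}
Set-Content -Path $applyInf -Value $lines -Encoding Unicode

# 3. Apply only the user-rights area, then re-export and verify every right now lists the SID.
secedit /configure /db $db /cfg $applyInf /areas USER_RIGHTS /quiet | Out-Null
secedit /export /cfg $exportInf /areas USER_RIGHTS /quiet | Out-Null
$after   = Get-Content $exportInf | Where-Object { $_ -match '^SeDeny' }
$missing = $rights | Where-Object { -not ($after -match ("^$_\s*=.*" + [regex]::Escape($sid))) }
if ($missing) { throw "Deny right(s) not applied: $($missing -join ', ')" }
"Applied on $env:COMPUTERNAME for $($account.SamAccountName): $($rights -join ', ')"
```

Because the rights are evaluated per computer, the same merge (or the equivalent GPO link) is needed in every domain whose workstations the account must be kept off, which is exactly the situation the post describes.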
  1.

    Why not configure on his user account, under the Account tab, "Log On To..."
    and put one workstation in there (put yours... you know he'll never log
    onto it)

    I don't think that'll keep him from getting into OWA

    Just an idea

    Ken
    "Alex Griffin" <nntpuser@hotmail.com> wrote in message
    news:ohqva1dnafvf9qptttjg9h2d7pvpk5cuua@4ax.com...
    > Hello,
    >
    > Yesterday the pointy hairs asked me to set up an email account for an
    > external reseller. We have Exchange 2003 so the email and user
    > accounts are of course the same thing. As far as I am aware there is
    > no quick and funky method to create a user that can only access his
    > email and not log on to workstations. The user in question is in a
    > child domain. I wanted to stop the user logging on interactively
    > anywhere (except for OWA). So, in the Child Domain Default policy I
    > added the user to the "deny local logon", "deny logon as a service"
    > and "deny logon as a batch job". I thought that would be a catchall
    > for wherever the user tried to log on, however it looks like I am wrong
    > *grumble*
    >
    > The child domain in question is in a foreign country. I am physically
    > seated amongst the parent domain machines. I left the policy to
    > propagate for a few hours, and then tried to log on locally on one of
    > our local parent domain machines, and it let me log straight on *more
    > grumbling*. I am aware that GPOs do not cross domain boundaries,
    > i.e. policies set on the parent domain are not inherited by child
    > domains, but I presumed that when I logged on as the child domain
    > user, the child domain policy would be applied to that user wherever
    > he logged on in the forest. It looks like I am incorrect in that
    > presumption; can anyone confirm that?
    >
    > That being the case the only way I can envisage locking this user down
    > then is to add him to the default GP for all the child domains and the
    > parent.... Can anyone think of a better way? Or for that matter does
    > anyone have a good guide on what to do when you only want to give a
    > user access to the Exchange email facilities?
    >
    > TIA.
    >
    > --
    > Alex Griffin
    >
  2.

    On Wed, 15 Jun 2005 08:44:47 -0400, "Ken B" <none@microsoft.com>
    wrote:

    >Why not configure on his user account, under the Account tab, "Log On To..."
    >and put one workstation in there (put yours... you know he'll never log
    >onto it)
    >
    >I don't think that'll keep him from getting into OWA
    >
    >Just an idea

    Hi Ken,

    I did that before going down the GPO route. I just put in a BS name,
    and felt very clever with myself, and indeed the user could not log on.
    However, unfortunately that included the OWA login. Maybe I should go
    back that way though and just add in the exch servers and the relevant
    DCs, which he should not be able to log in to interactively anyway, but
    which of course he needs to "log on" to in order to authenticate.

    --
    Alex Griffin
  3.

    That was going to be my next suggestion, if a garbage workstation name
    didn't work.

    Not /as/ secure, but it's a solution nonetheless

    Ken

    "Alex Griffin" <nntpuser@hotmail.com> wrote in message
    news:1s90b1td9lnv88rbfdd655f2h40gh4tnt0@4ax.com...
    > On Wed, 15 Jun 2005 08:44:47 -0400, "Ken B" <none@microsoft.com>
    > wrote:
    >
    >>Why not configure on his user account, under the Account tab, "Log On
    >>To..."
    >>and put one workstation in there (put yours... you know he'll never log
    >>onto it)
    >>
    >>I don't think that'll keep him from getting into OWA
    >>
    >>Just an idea
    >
    > Hi Ken,
    >
    > I did that before going down the GPO route. I just put in a BS name,
    > and felt very clever with myself, and indeed the user could not log on.
    > However, unfortunately that included the OWA login. Maybe I should go
    > back that way though and just add in the exch servers and the relevant
    > DCs, which he should not be able to log in to interactively anyway, but
    > which of course he needs to "log on" to in order to authenticate.
    >
    > --
    > Alex Griffin
    >
  4.

    On Wed, 15 Jun 2005 12:52:37 -0400, "Ken B" <none@microsoft.com>
    wrote:

    >That was going to be my next suggestion, if a garbage workstation name
    >didn't work.
    >
    >Not /as/ secure, but it's a solution nonetheless

    Unfortunately no dice here either. That interface only accepts NetBIOS
    names, and it seems either it cannot resolve them, or it's failing for
    some other reason. You cannot put in the full DNS name, and the exch
    server is unfortunately sited in the forest root domain, rather than
    the child domain. I did try adding the NetBIOS names of the Exchange
    server, the 2 child DCs and the 2 forest root DCs anyway, and also tried
    their IP addresses, but unfortunately had no luck.

    --
    Alex Griffin
  5.

    On Thu, 16 Jun 2005 09:04:52 +0100, Alex Griffin
    <nntpuser@hotmail.com> wrote:


    >You cannot put in the full dns name

    Interestingly, the dialog for that option does say that a NetBIOS or a
    valid DNS name is the sort of entry you should put in there, but
    the input area only allows 15 characters... *curses NetBIOS*

    --
    Alex Griffin
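The "Log On To..." list discussed in the replies above is the `userWorkstations` attribute, exposed by the ActiveDirectory module as `-LogonWorkstations`: a comma-separated list of NetBIOS computer names, which is why FQDNs and IP addresses are rejected and each entry is capped at 15 characters. The following is an added example, not code from the thread, that validates each name against those constraints before writing the attribute and then reads it back, so a silently truncated or malformed entry is caught instead of producing the "no dice" result described above. It only sets and checks the attribute; it does not change whether the Exchange front end honours it. The account name and the DC name are placeholders.

```powershell
# Added example (not from the thread): set an account's "Log On To..." workstation list
# (userWorkstations / -LogonWorkstations) with NetBIOS-name validation and a read-back check.
# Assumes the ActiveDirectory module; the account and server names are placeholders.
Import-Module ActiveDirectory

function Test-NetBiosName {
    param([Parameter(Mandatory)][string]$Name)
    # NetBIOS computer names: 1 to 15 characters, no dots (so no FQDNs or IP addresses),
    # and none of the characters Windows reserves in computer names.
    if ($Name.Length -lt 1 -or $Name.Length -gt 15) { return $false }
    if ($Name -match '[\\/:*?"<>|.\s]') { return $false }
    return $true
}

function Set-LogonWorkstations {
    param(
        [Parameter(Mandatory)][string]$Identity,
        [Parameter(Mandatory)][string[]]$Workstations,
        [string]$Server                     # DC of the domain that holds the account
    )
    $bad = @($Workstations | Where-Object { -not (Test-NetBiosName $_) })
    if ($bad.Count -gt 0) {
        throw "Not valid NetBIOS names (1-15 chars, no dots or reserved characters): $($bad -join ', ')"
    }

    $setParams = @{ Identity = $Identity; LogonWorkstations = ($Workstations -join ',') }
    $getParams = @{ Identity = $Identity; Properties = 'LogonWorkstations' }
    if ($Server) { $setParams.Server = $Server; $getParams.Server = $Server }

    Set-ADUser @setParams

    # Read back and compare the stored list with what was requested.
    $stored = @(((Get-ADUser @getParams).LogonWorkstations -split ',') |
        ForEach-Object { $_.Trim() } | Where-Object { $_ })
    $diff = Compare-Object -ReferenceObject $Workstations -DifferenceObject $stored
    if ($diff) { throw "Stored list differs from requested: $($stored -join ',')" }
    return $stored
}

# Usage (placeholders): allow "logon" only to the Exchange server and the DCs the account
# must authenticate against, as reply 2 above proposed.
Set-LogonWorkstations -Identity 'reseller.mailbox' -Server 'child.example.com' `
    -Workstations 'EXCH01', 'CHILDDC1', 'CHILDDC2', 'ROOTDC1', 'ROOTDC2'
```

Clearing the restriction later is `Set-ADUser -Identity <account> -Clear userWorkstations`; since the attribute holds NetBIOS names only, a server whose name is longer than 15 characters can never be listed, which is the limit reply 5 ran into.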