AD structure for users

Sher
Jun 3, 2004
Archived from groups: microsoft.public.win2000.security

Hi all,
I originally set up all my users under the default users group. I have a
need to use group policies in a different way, so I created two OUs, one called
restricted users and one called unrestricted users.
I want to assign security rights by using these OUs, but OUs do not show up.
So do I need to create a group under the OUs and put the users in that group
so that I can assign security rights by groups?
My goal is to be able to assign group policies to different OU users and to
be able to assign security rights to users in the different OUs instead of
using the group Domain Users to assign rights. (I have a need to have vendor
user accounts that are not a member of the Domain Users group.)
What is the best way to structure for these needs?
Thanks in advance
Sher
 
Guest

Let's start by clarifying that you are trying to do two things,
and they are done in different ways.
To apply group policy differently to separate sets of users
it is convenient to place those sets of user objects in different
OUs. This is not the only, but a convenient, way to do this.
You then link different GPOs to the OUs as desired to effect
the settings required.
To assign rights and grant privileges, it is convenient to define
custom groups and populate these with the users that will
be granted the different settings. I find it most convenient to
define groups for the resources and/or privileges granted and
use these to make those grants. I then define custom groups
for the sets of users, and use these to populate the resource
and rights granting groups. This has nothing directly to do
with group policy except that some grants might be made by
using the custom groups in the values set in the rights policies.
Where the groups are defined in AD is not relevant for the
successful granting of these privileges.

--
Roger Abell
Microsoft MVP (Windows Server System: Security)
MCSE (W2k3,W2k,Nt4) MCDBA
"Sher" <Sher@discussions.microsoft.com> wrote in message
news:AACD2A34-A708-48AF-800C-AFD942B3157E@microsoft.com...
 
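The split Roger describes (user objects in OUs for Group Policy, custom groups for rights, role groups nested into resource groups) can be built with the RSAT ActiveDirectory and GroupPolicy modules. The following is an added example, not code from the thread; the domain corp.example, the OU and group names, the account jdoe and the share path D:\Shares\Public are all assumptions chosen for illustration.

```powershell
# Added example: OUs carry Group Policy, groups carry rights.
# Assumes domain corp.example (NetBIOS CORP), RSAT ActiveDirectory + GroupPolicy modules,
# and a file server hosting D:\Shares\Public. All names below are illustrative.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDN = 'DC=corp,DC=example'
$groupsOU = "OU=Groups,$domainDN"

# 1. OUs for policy. A user object lives in the OU whose GPOs it should receive.
foreach ($ou in 'Restricted Users', 'Unrestricted Users', 'Groups') {
    if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$ou'" -SearchBase $domainDN)) {
        New-ADOrganizationalUnit -Name $ou -Path $domainDN -ProtectedFromAccidentalDeletion $true
    }
}

# 2. A GPO linked to the restricted OU only; objects in the unrestricted OU never see it.
$gpoName = 'Restricted Users Lockdown'
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $gpoName -Comment 'Linked to OU=Restricted Users only' }
New-GPLink -Name $gpo.DisplayName -Target "OU=Restricted Users,$domainDN" -LinkEnabled Yes -ErrorAction SilentlyContinue

# 3. Role groups (who someone is) and a resource group (what one resource grants).
#    An OU is not a security principal, so it cannot appear in an ACL; groups can.
$roles    = 'Role-Employees', 'Role-Vendors'    # global groups, populated with users
$resource = 'ACL-PublicShare-Modify'            # domain local group, the only thing on the ACL
foreach ($g in $roles) {
    if (-not (Get-ADGroup -Filter "Name -eq '$g'")) {
        New-ADGroup -Name $g -GroupScope Global -GroupCategory Security -Path $groupsOU
    }
}
if (-not (Get-ADGroup -Filter "Name -eq '$resource'")) {
    New-ADGroup -Name $resource -GroupScope DomainLocal -GroupCategory Security -Path $groupsOU
}
# Nest the role group into the resource group: employees get the share, vendors are simply absent.
Add-ADGroupMember -Identity $resource -Members 'Role-Employees'

# 4. Grant the resource group on the folder and drop the broad, explicit Domain Users entry.
$path = 'D:\Shares\Public'
$acl  = Get-Acl -Path $path
$acl.Access |
    Where-Object { $_.IdentityReference.Value -eq 'CORP\Domain Users' -and -not $_.IsInherited } |
    ForEach-Object { [void]$acl.RemoveAccessRule($_) }
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    "CORP\$resource", 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
[void]$acl.SetAccessRule($rule)
Set-Acl -Path $path -AclObject $acl

# 5. Placing a user is two independent steps: OU for policy, role group for rights.
$user = Get-ADUser -Identity 'jdoe'
Move-ADObject -Identity $user.DistinguishedName -TargetPath "OU=Restricted Users,$domainDN"
Add-ADGroupMember -Identity 'Role-Employees' -Members $user

# Checks: the groups the user will carry in its token, and the GPOs the OU actually links.
Get-ADPrincipalGroupMembership -Identity 'jdoe' | Select-Object Name, GroupScope
(Get-GPInheritance -Target "OU=Restricted Users,$domainDN").GpoLinks | Select-Object DisplayName, Enabled
```

Step 4 runs on the file server that owns the folder; the rest runs anywhere the RSAT modules are installed. Note that a vendor account placed in either OU still receives whatever Domain Users is granted elsewhere; the resource group above only fixes this one folder.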

Sher

Thanks Roger,
I understand about the group policy settings, but I guess what I am asking is
I want all my users in a group (except third party vendor logons) so that I
can assign rights globally to all my users (like the Domain Users group, only
I don't want my third party vendors in that group). For example, I have a
shared public folder that I want all my users to have access to, but I do not
want my third party vendors to have access to it. I presently use the Domain
Users group for this. When I set up a user they automatically get added to
the Domain Users group (so when I added third party vendors they were also
added to the Domain Users group). Can I just take them out of that group, or
should I set up a group under the OU called all company users and a group called
third party vendors? This would mean I would always add company users to a
group under the OU instead of adding them at the OU level, right? Sorry if I
have confused you even more.
Sher

"Roger Abell" wrote:
 
Guest

No, you have clarified, not confused things further.

The root issue is "what all does Domain Users grant?"

You may try removing the vendor accounts from Domain
Users, which is certainly possible to do, and see. This
has advantages that Domain Users by default also have
login rights on all joined client machines, which removing
those accounts would bar. However, you have not stated
just what kind of access is allowed for those vendors, so
it is something you need to analyze and provide for, if you
remove them from Domain Users and place them in some
other custom group (which would also need to be their
primary group in order to remove them from DU).

The alternatives are to define a custom domain group for
all non-vendor users and use this in place of DU on those
resources of concern. With this approach you would have
to remember to populate the custom group, and that the
vendor accounts have all accesses granted to DU.
Or, you could just define a custom group for the vendors
and use it to Deny all access to those resources of concern,
and then leave DU as it is to grant for your entitled users.

Of these, I would favor the first, as with the vendor accounts
not in DU, other than what they receive as an Authenticated
Users member (which usually includes interactive login to
joined members of the domain), they would only have access
to precisely what you have provisioned.

I do not follow:
"This would mean I would always add company users to a
group under the ou instead of adding them at the ou level, right? "

User objects should live in the OU appropriate for the GPOs
you want applied to them. If they have membership in some
group, that is a separate, extra thing.

--
Roger
"Sher" <Sher@discussions.microsoft.com> wrote in message
news:9AAD9FEB-4121-45AB-8BD9-608012567B20@microsoft.com...
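Roger's caveat that a vendor account can only leave Domain Users once another group is its primary group, and that you should know what Domain Users and Authenticated Users grant before you do it, can be scripted. The following is an added example, not code from the thread; it assumes the domain corp.example, an existing global group Role-Vendors, vendor accounts named vendor-*, the RSAT ActiveDirectory module, and that the share audit at the end is run on the file server itself.

```powershell
# Added example: move vendor accounts out of Domain Users (RID 513) and audit what they lose.
# Assumes domain corp.example (NetBIOS CORP), a global group 'Role-Vendors', vendor
# accounts named vendor-*, and the RSAT ActiveDirectory module. Names are illustrative.
Import-Module ActiveDirectory

$vendorGroup = Get-ADGroup -Identity 'Role-Vendors' -Properties primaryGroupToken
$vendors     = Get-ADUser -Filter "Name -like 'vendor-*'" -Properties primaryGroupID, memberOf
$duDN        = (Get-ADGroup -Identity 'Domain Users').DistinguishedName

foreach ($u in $vendors) {
    # A group can only become the primary group if the user is already a member of it.
    Add-ADGroupMember -Identity $vendorGroup -Members $u -ErrorAction SilentlyContinue
    # The primary group is stored as the group's RID in primaryGroupID; it is NOT a memberOf link,
    # which is why a check that only reads memberOf will miss Domain Users membership.
    Set-ADUser -Identity $u -Replace @{ primaryGroupID = $vendorGroup.primaryGroupToken }
    # Only now will the directory allow removal from Domain Users.
    Remove-ADGroupMember -Identity 'Domain Users' -Members $u -Confirm:$false
}

# Verify both the explicit membership and the primary group, since either one keeps DU in the token.
foreach ($u in $vendors) {
    $after = Get-ADUser -Identity $u -Properties primaryGroupID, memberOf
    [pscustomobject]@{
        User          = $after.SamAccountName
        PrimaryRID    = $after.primaryGroupID
        InDomainUsers = ($after.memberOf -contains $duDN) -or ($after.primaryGroupID -eq 513)
    }
}

# Audit (run on the file server): where Domain Users or Authenticated Users are granted, at the
# SMB layer and the NTFS layer. DU entries are what the vendors lose; Authenticated Users entries
# are what they keep regardless, which is the access you still have to account for.
$broad = 'CORP\Domain Users', 'NT AUTHORITY\Authenticated Users'
Get-SmbShare | Where-Object { $_.Path -and $_.Name -notmatch '\$$' } | ForEach-Object {
    $share = $_
    Get-SmbShareAccess -Name $share.Name |
        Where-Object { $broad -contains $_.AccountName } |
        Select-Object @{n='Share';e={$share.Name}}, @{n='Layer';e={'SMB'}},
                      AccountName, AccessRight, AccessControlType
    (Get-Acl -Path $share.Path).Access |
        Where-Object { $broad -contains $_.IdentityReference.Value } |
        Select-Object @{n='Share';e={$share.Name}}, @{n='Layer';e={'NTFS'}},
                      @{n='AccountName';e={$_.IdentityReference.Value}}, FileSystemRights, AccessControlType
}
```

Run the audit before the membership change, not after; once the accounts are out of Domain Users the only evidence of what they used to reach is the ACLs. If you instead choose Roger's third option (a Deny entry for the vendor group on the folders of concern), remember that a Deny ACE on one folder does nothing for the logon rights and other resources that Domain Users still grants.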