Disable everything except for a web site authentication.

Archived from groups: microsoft.public.win2000.security

All,

How can I configure an OU with a GPO setting that would disable a user from
every right except for authenticating to a web site?

We have a SharePoint installation for extranet use. Partners will be created
under an OU, and we wish to restrict these users from accessing any resources
in the network. These users should not be able to log on to the network, and
access any resources that would normally be accessible to domain users. We
plan to use GPO to achieve this security requirement.

This is an interim solution until we get a partner domain set up with one-way
trusts to our network.
Please help me find template files or so to achieve this.
Thanks,
Vamsi
  1. This may not work depending on where the web mediated interfaces
    connect, but have you considered use of machine local accounts for
    them until you have implemented the extranet forest?
    How will they get to the SharePoint machine? If you control well the
    ports routed to this from the open internet (which I assume is where
    they will be coming from) then they are pretty much limited to what
    the web interfaces will do for them via http/https (just do not grant
    anything more than SharePoint browser role).

    --
    Roger Abell
    Microsoft MVP (Windows Server System: Security)
    MCDBA, MCSE W2k3+W2k+Nt4
  2. If users should not be able to log on to the domain then they cannot access
    domain computers without domain accounts and they cannot be in an OU.

    Otherwise, if they are going to be domain users, you could use IPsec
    filtering policy to manage what computers on the network they can access if
    you can put all their computers into the OU, as IPsec is a computer
    configuration policy. The link below explains IPsec filtering more.

    http://www.securityfocus.com/infocus/1559

    If you only have control over domain users and not the computers, or if the
    users are not restricted to particular computers, you can add those users to
    a global group and then give that global group "deny access to this computer
    from the network" to the domain computers they should not access. That user
    right can be configured at the domain or Organizational Unit level. They
    should not be denied access to this computer from the network to domain
    controllers or they may not be able to log on to the domain.

    --- Steve
  3. Roger,
    Thanks for your reply. Local accounts are not recommended, as this interim
    solution could go for months - yr. Also, we have 2 front end servers using
    NLB, so it would be a mess.

    We have to do exactly what you suggested, but HOW exactly to implement it?
    Please provide some steps, as I am new to AD admin.

    Users come from internet, over the firewall to the frontend server inside
    the n/w.
    All we need is http/https access to this machine by these users.
    What GPO settings, templates should we use to only allow this and nothing
    else?
    As of now, I created an OU in my virtual machine AD, and added a new Group
    Policy. I have to now configure that GPO to implement what you suggested, but
    HOW?

    Please provide your valuable input.
    Thanks,
    Vamsi.
  4. Hi Vamsi,

    Much of the precise specifics for your environment you will
    need to adjust with knowledge of your environment. There are
    some general things that you could take into account however.

    The biggest in my mind is to make absolutely certain that the
    Sharepoint grants are well administered. This is not predefined
    with policies in GP (could be done with GP if someone was very
    familiar with the peculiarities of sharepoint but it would be tedious)
    but is predefined in the Sharepoint admin interface. What you do
    want the Sharepoint admin to be absolutely certain they do not
    goof up is making sure that these accounts are never granted any
    Sharepoint role higher than browser (actually you could likely
    get by with collaborator if this is WSS sharepoint). If they are
    allowed any authoring role they could mount (or try) an elevation
    of scope of access even though limited to only http/https.

    You say you have this behind firewall, so the next thing is to
    make sure this is correctly allowing only tcp 80/443 with the
    outside world. The machines themselves could be further
    configured if desired with IPsec in filter mode so that they
    allow only these from outside addresses (basically, deny all,
    and then grant these with outside IPs, and grant, most simply
    all, to internal servers that are necessary: backup, DCs of the
    domain and forest root, DNS if different, mail servers, etc.)
    This you would implement in the GPO linked to the OU that
    holds these SharePoint servers.

    Next, and this depends on specifics of your infrastructure, you
    may consider placing these accounts in a custom group, and
    removing them from Domain Users, and then use this custom
    group to grant access to the clustered front-end sharepoint
    servers (add where Domain Users exists in user rights and
    Users group). You could make this tighter, but if you have
    the 80/443 limitation of traffic your exposure is fairly small.
    Doing this will need some complete examination/testing as
    it depends on where these accounts actually need to flow
    (SharePoint does not use Windows integrated accounts when
    going off-box to the SQL backend in normal circumstances,
    but if there are many custom web parts and/or business logic
    involved this may come into play). If your overall environment
    allows removal of these from Domain Users, you may have
    reduced exposure of other machines (in the unlikely event of
    any of them getting ability to hop off the SharePoint servers
    into the internal network) dramatically - at least if your
    environment has removed Authenticated Users from the Users
    group as a standard practice on domain member machines.
    If your environment has not taken control over the Authenticated
    Users membership in local Users groups issue, you may not
    actually gain that much by going to this extra effort.

    Other than these, there are only the normal sanity things,
    making sure the sharepoint frontends are service minimized,
    etc. per normal hardening guidance. One thing to call out
    here however for special attention is to make sure that
    RPC over HTTP is not allowed on the SharePoint frontends.
    Also, you may want to implement monitoring of these frontends,
    and in this something to watch that is easy to overlook is whether
    local profiles ever get created and if the logon type is ever other
    than network logon for these accounts on the sharepoint servers.

    I am sure there are more things that could be brought to bear,
    but right now I am sort of at the end of what comes to mind now.
    Other than IPsec filter if used, user rights and membership in
    Users group, the only things of this that are done via GPO are
    those that are normal hardening for an IIS box (services minimized,
    etc.).

    --
    Roger Abell
    Microsoft MVP (Windows Security)
    MCSE (W2k3,W2k,Nt4) MCDBA
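
The monitoring check described in the post above (logon type other than network logon, and local profiles appearing for these accounts on the SharePoint servers), as an added example that is not code from any poster in the thread. The CSV layout, host names, account names and profile listing are constructed assumptions; in practice the rows would come from exported Security log logon events and a listing of each front end's profile directory.

```python
import csv
import io

# Windows logon type codes as recorded in Security log logon events.
LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service",
               7: "Unlock", 8: "NetworkCleartext", 9: "NewCredentials",
               10: "RemoteInteractive", 11: "CachedInteractive"}

# Constructed sample data (not from the thread): logon records exported
# from two hypothetical front ends, one row per successful logon.
SAMPLE_LOGONS = """host,account,logon_type
SPFE-01,CORP\\partner.alice,3
SPFE-02,CORP\\partner.bob,3
SPFE-01,CORP\\partner.bob,10
SPFE-02,CORP\\svc.backup,5
SPFE-02,CORP\\partner.carol,2
"""

# Constructed sample: profile folder names found on each front end.
SAMPLE_PROFILES = {
    "SPFE-01": ["Administrator", "All Users"],
    "SPFE-02": ["Administrator", "partner.carol.CORP"],
}

# Hypothetical partner accounts (the members of the partner OU).
PARTNER_ACCOUNTS = {"partner.alice", "partner.bob", "partner.carol"}


def short_name(account):
    """Strip the DOMAIN\\ prefix and normalise case."""
    return account.rsplit("\\", 1)[-1].lower()


def find_anomalies(logon_csv, profiles, partners, allowed_types=(3,)):
    """Return (host, account, reason) for every partner logon whose type is
    not in allowed_types and for every local profile owned by a partner."""
    partners = sorted(p.lower() for p in partners)
    findings = []
    for row in csv.DictReader(io.StringIO(logon_csv)):
        user = short_name(row["account"])
        code = int(row["logon_type"])
        if user in partners and code not in allowed_types:
            label = LOGON_TYPES.get(code, "unknown")
            findings.append((row["host"], user, f"logon type {code} ({label})"))
    for host in sorted(profiles):
        for folder in profiles[host]:
            name = folder.lower()
            # Profile folders may carry a ".DOMAIN" suffix after the account name.
            owner = next((p for p in partners
                          if name == p or name.startswith(p + ".")), None)
            if owner:
                findings.append((host, owner, "local profile present"))
    return findings


if __name__ == "__main__":
    for finding in find_anomalies(SAMPLE_LOGONS, SAMPLE_PROFILES, PARTNER_ACCOUNTS):
        print(*finding, sep="  ")
```
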
  5. Roger,
    Thanks for your elaborate and great reply and for your time.

    We could take care of tightening firewall for traffic to these servers, and
    also with WSS security roles.
    Our main issue is, once we create domain accounts for partners, how can we stop
    them from logging into the computers if they are in the campus (i.e.,
    accessible to domain computer)? So, we plan to use GPO for an OU that
    contains only these users.

    Your suggestion on adding them to a security group is good, but it is a
    maintenance job. Our domain is huge and we are a small group and wish to have
    a GPO that automatically takes care of the issue without having to create
    additional group and updating all computers in the domain for our requirement
    (might be needed).
    I shall check the policy of our domain for new accounts and their rights, by
    default.
  6. Give them a login script which checks machine of login and
    ends their login if it is wrong; a mandatory profile may also
    help you out. However, if they have a login session at a machine,
    and your environment leaves Authenticated Users in its default,
    then they will have broad network access if allowed to log into
    any member when onsite. You might also want to look at the two
    Deny policies (local login and network login) for use on a broad
    scale over your infrastructure - but this is not as simple as it sounds
    it should be, as you do need to allow to those spots that are needed
    by them, and if you are using those settings already you may need to
    adjust multiple GPOs in order to get coverage.

    --
    Roger Abell
    Microsoft MVP (Windows Security)
    MCSE (W2k3,W2k,Nt4) MCDBA
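
One way to check the coverage problem raised in the replies above (the two Deny rights applied broadly, but network access not denied on domain controllers or on the SharePoint front ends): an added example, not code from any poster in the thread, that audits the `[Privilege Rights]` section of security settings exported with `secedit /export`. The host names, roles, group SID and per-role policy table are constructed assumptions to adjust for a real environment.

```python
# Constructed placeholder SID for the hypothetical partner global group.
PARTNER_SID = "S-1-5-21-1111111111-2222222222-3333333333-1601"

DENY_LOCAL = "SeDenyInteractiveLogonRight"   # "Deny log on locally"
DENY_NETWORK = "SeDenyNetworkLogonRight"     # "Deny access to this computer from the network"

# Assumed policy per machine role: True = the partner group must hold the
# deny right there, False = it must not (the account needs that access).
EXPECTED = {
    "member":   {DENY_LOCAL: True, DENY_NETWORK: True},
    "dc":       {DENY_LOCAL: True, DENY_NETWORK: False},
    "frontend": {DENY_LOCAL: True, DENY_NETWORK: False},
}


def parse_privilege_rights(inf_text):
    """Return {right: set of principals} from a security template's
    [Privilege Rights] section; the '*' SID marker is stripped."""
    rights, section = {}, None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "privilege rights" or "=" not in line:
            continue
        name, _, value = line.partition("=")
        rights[name.strip()] = {p.strip().lstrip("*")
                                for p in value.split(",") if p.strip()}
    return rights


def audit(hosts, group_sid=PARTNER_SID):
    """hosts maps name -> (role, exported inf text). Returns a list of
    (host, right, problem) where the export disagrees with EXPECTED."""
    findings = []
    for host in sorted(hosts):
        role, inf_text = hosts[host]
        rights = parse_privilege_rights(inf_text)
        for right, must_hold in sorted(EXPECTED[role].items()):
            holds = group_sid in rights.get(right, set())
            if must_hold and not holds:
                findings.append((host, right, "missing"))
            elif holds and not must_hold:
                findings.append((host, right, "must not be set"))
    return findings


HEADER = '[Unicode]\nUnicode=yes\n[Version]\nsignature="$CHICAGO$"\n[Privilege Rights]\n'

# Constructed sample exports. S-1-5-32-546 is the built-in Guests group.
SAMPLE_HOSTS = {
    "WKS-014": ("member", HEADER
                + f"{DENY_LOCAL} = *{PARTNER_SID}\n"
                + f"{DENY_NETWORK} = *S-1-5-32-546,*{PARTNER_SID}\n"),
    "WKS-027": ("member", HEADER            # deny GPO only partly applied
                + f"{DENY_LOCAL} = *{PARTNER_SID}\n"
                + f"{DENY_NETWORK} = *S-1-5-32-546\n"),
    "DC-01": ("dc", HEADER                  # network deny wrongly reached the DC
              + f"{DENY_LOCAL} = *{PARTNER_SID}\n"
              + f"{DENY_NETWORK} = *{PARTNER_SID}\n"),
    "SPFE-01": ("frontend", HEADER
                + f"{DENY_LOCAL} = *{PARTNER_SID}\n"),
}

if __name__ == "__main__":
    for host, right, problem in audit(SAMPLE_HOSTS):
        print(f"{host}: {right} {problem}")
```
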