2003 AD Domain - User Rights and Group Policies

BenIT (Limp Gawd; joined Sep 9, 2003; 207 messages)
This is a medical office, and in the waiting room we have placed 2 computers for patients to be able to browse the internet and check their email.

So in Users I have all the regular employees under Domain Users, and I created one account called "front" and made it a member of Domain Guests.

Now under this group I see that they didn't get any restrictions and can view any shared files and do a lot of things I don't want them to do.

I am aware of the ability to assign a group policy to a specific group, but I couldn't find where and how to create a policy set and then assign it. So I want a policy denying any network access and any setting changes.

And is there a way of doing this for another particular group so that they cannot access the internet and only do work? (No ISA server; I can't implement one on our current budget.)

And while I am on the topic, how can I run Explorer in Kiosk mode?
 
Why are these computers even part of the domain? Just kick them off and they will have no access to the domain. All you should need is a gateway set up with IP and DNS (which DHCP will take care of if you are running that).

The cheap way I've found to keep people off the net I don't want accessing it is the reverse of the previous statement. Assign them a static IP, set up the DNS and WINS, and leave the gateway blank. Then they can do all their work and not get any access to the Internet. It's a quick and easy one-time thing on each machine. You can also lock them out at the firewall (if you have one) with MAC filtering, but I find a static IP easier.
 
BenIT said:
This is a medical office, and in the waiting room we have placed 2 computers for patients to be able to browse the internet and check their email.

So in Users I have all the regular employees under Domain Users, and I created one account called "front" and made it a member of Domain Guests.

Now under this group I see that they didn't get any restrictions and can view any shared files and do a lot of things I don't want them to do.

I am aware of the ability to assign a group policy to a specific group, but I couldn't find where and how to create a policy set and then assign it. So I want a policy denying any network access and any setting changes.

And is there a way of doing this for another particular group so that they cannot access the internet and only do work? (No ISA server; I can't implement one on our current budget.)

And while I am on the topic, how can I run Explorer in Kiosk mode?
You should be easy to please, since it seems you have a solid grasp of how it works; ya just need some tweaking.

Install the Group Policy Management Console on your server or an XP machine.
Create a policy and apply your permissions based on groups with that. What you need to do is take the user "front" and drop it into its own user group and apply a policy specifically for said group. If you don't want it to have access to anything over the network, then remove all shortcuts, desktop icons, and access to the Run box in your policy. Don't forget the policy setting to disable access to the registry editing tools either, since they'll be using IE.

For blocking the internet, either remove the gateway in their IP settings or nab a free proxy server. http://www.snapfiles.com/get/freeproxy.html
After doing this, you can create a policy to set a group's proxy address and another one to deny it... now for this you would have to remove the gateway from all of the machines, but if you have a private network and aren't routing anything other than internet access in the first place...

Kiosk mode: http://www.kiosks.org/kioskmode.htm

Anything else?
 
feigned said:
Install the Group Policy Management Console on your server or an XP machine.
Create a policy and apply your permissions based on groups with that. What you need to do is take the user "front" and drop it into its own user group and apply a policy specifically for said group. If you don't want it to have access to anything over the network, then remove all shortcuts, desktop icons, and access to the Run box in your policy. Don't forget the policy setting to disable access to the registry editing tools either, since they'll be using IE.

For blocking the internet, either remove the gateway in their IP settings or nab a free proxy server. http://www.snapfiles.com/get/freeproxy.html
After doing this, you can create a policy to set a group's proxy address and another one to deny it... now for this you would have to remove the gateway from all of the machines, but if you have a private network and aren't routing anything other than internet access in the first place...

I don't know how to individualize a GP policy (create more than one); I only know how to modify one on a local XP computer. But what I need is 2 individual files for these 2 user groups: one that should allow internet and no other network activity (Run, Network Places, etc.) and one that will not allow internet ONLY (still be able to do everything else).

And once these separate files are created, where and how do I drop them into effect on the specific groups?

And here's the thing: just going and removing the default gateway won't be enough; most users have a bit more than the regular grasp. I want it all to be done on the server side so that the only way to alter it is to go to the server and change it.
 
BenIT said:
I don't know how to individualize a GP policy (create more than one); I only know how to modify one on a local XP computer. But what I need is 2 individual files for these 2 user groups: one that should allow internet and no other network activity (Run, Network Places, etc.) and one that will not allow internet ONLY (still be able to do everything else).

And once these separate files are created, where and how do I drop them into effect on the specific groups?

And here's the thing: just going and removing the default gateway won't be enough; most users have a bit more than the regular grasp. I want it all to be done on the server side so that the only way to alter it is to go to the server and change it.

Removing the gateway works because unless they are admins on the machine, they can't change the settings. Users and Power Users should not have access to change TCP/IP settings, only view them.
 
But judging by the way this thread is reading, I wouldn't have much confidence these users are not local admins. Unlike one of the reply posts, it's clear you don't really grasp how this works. You're not editing a group policy if you're doing it on an XP machine. That is a local policy. Since it would appear you're in charge of this office's network, I would suggest learning some things first and not learning them on the job. Lotsa books out there. Lotsa web links. Google can help you answer all your questions with pages that go into detail. You're going to get snippets typically from a BBS post. You're doing the doctor's office a disservice in my opinion. At least if you are charging them for your services. Services which apparently include Windows network administration.
 
ktwebb said:
But judging by the way this thread is reading, I wouldn't have much confidence these users are not local admins. Unlike one of the reply posts, it's clear you don't really grasp how this works. You're not editing a group policy if you're doing it on an XP machine. That is a local policy. Since it would appear you're in charge of this office's network, I would suggest learning some things first and not learning them on the job. Lotsa books out there. Lotsa web links. Google can help you answer all your questions with pages that go into detail. You're going to get snippets typically from a BBS post. You're doing the doctor's office a disservice in my opinion. At least if you are charging them for your services. Services which apparently include Windows network administration.
You are rushing to allege here.

First off, like I said in my first post, "I work for this office"; I don't do freelance IT work, yet.

I just got my MCP in exam 70-270 and now I am learning the 2003 network infrastructure exam 70-291 to get my MCSA, then move on to MCSE.

I went through the 2 books I've been using for 2003 and couldn't find where to modify the things mentioned herein.

And all I said about a GP on a local computer was an example of how I know to edit one; I did add a domain-wide policy (even figured out how to put in 2 of them). All I want to know is how I can create a GP for one individual user group. That's all.

And you are very out of line saying that about me without even knowing what I am doing.
 
I don't have it on me right now, but you may wanna check out O'Reilly's Active Directory Cookbook for Windows Server 2003; it's a nice resource for doing various tasks. Shows ya how to do them using GUI, command line, and VBScript.
 
Blitzrommel said:
I don't have it on me right now, but you may wanna check out O'Reilly's Active Directory Cookbook for Windows Server 2003; it's a nice resource for doing various tasks. Shows ya how to do them using GUI, command line, and VBScript.
Thank you, just ordered the book.
 
BenIT said:
You are rushing to allege here.

First off, like I said in my first post, "I work for this office"; I don't do freelance IT work, yet.

I just got my MCP in exam 70-270 and now I am learning the 2003 network infrastructure exam 70-291 to get my MCSA, then move on to MCSE.

I went through the 2 books I've been using for 2003 and couldn't find where to modify the things mentioned herein.

And all I said about a GP on a local computer was an example of how I know to edit one; I did add a domain-wide policy (even figured out how to put in 2 of them). All I want to know is how I can create a GP for one individual user group. That's all.

And you are very out of line saying that about me without even knowing what I am doing.
Calm down, nobody is trying to attack your lack of knowledge. Honestly, it's cool that you're headed in the right direction but I can tell you nobody likes a hothead.

To apply a GPO to a group you have to do it by security permission filtering. You need read and apply permissions for a group. If you do it by OU it's a bit trickier.
 
feigned said:
To apply a GPO to a group you have to do it by security permission filtering. You need read and apply permissions for a group. If you do it by OU it's a bit trickier.
Security permission filtering? OU? Please explain, thanks.
 
BenIT said:
Security permission filtering? OU? Please explain, thanks.
Without the Group Policy Management Console, when you right-click the domain or wherever you have your GPO linked in ADUC and hit up the properties, you can drill down into the properties of the GPO and check out the NTFS security. This is where you apply the GPO to a group.

With the GPMC it's much simpler to do this. You open GPMC, click on the GPO in the left hand pane, then in the right hand pane under the Scope tab, there's a section at the bottom to add groups called Security Filtering.
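The GPMC "Security Filtering" step described above, scripted with the GroupPolicy PowerShell module. This is an added example, not code from the thread or from Microsoft's documentation; it assumes a domain controller or admin workstation with the GroupPolicy module (Windows Server 2008 R2 or later with RSAT, so not the 2003 server in the thread) and uses constructed names: a GPO called "Waiting Room Lockdown" and a security group called "Waiting Room Users" that the "front" account has been added to.

```powershell
# Added example: scope a GPO to one security group via security filtering.
# Assumes the GroupPolicy module is available and that the GPO and group below
# already exist (both names are constructed for this example).
Import-Module GroupPolicy

$gpoName   = 'Waiting Room Lockdown'   # constructed GPO name
$groupName = 'Waiting Room Users'      # constructed group; contains the "front" account

# 1. Grant the target group Read + Apply Group Policy. This is exactly what the
#    GPMC "Security Filtering" box adds when you click Add.
Set-GPPermission -Name $gpoName -TargetName $groupName -TargetType Group -PermissionLevel GpoApply

# 2. Remove Authenticated Users, otherwise every user under the link still gets the GPO.
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel None -Replace

# 3. Keep Read for Domain Computers. Since MS16-072 the computer account must be able
#    to read user-side GPOs; drop this and the policy silently stops applying.
Set-GPPermission -Name $gpoName -TargetName 'Domain Computers' -TargetType Group -PermissionLevel GpoRead

# Verify: show every trustee on the GPO and what it may do. The target group should
# show GpoApply, Domain Computers GpoRead, and Authenticated Users should be gone.
Get-GPPermission -Name $gpoName -All |
    Select-Object @{Name = 'Trustee'; Expression = { $_.Trustee.Name }}, Permission |
    Format-Table -AutoSize
```

The verification step is the part worth keeping around: once a GPO is filtered, the Scope tab (or this listing) is the only place that tells you why a user in the linked container did not receive it.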
 
I agree with the steps describing Group Policy filtering, but unless I missed something, I don't see the case for it.

My advice is to avoid Group Policy filtering if you can. Instead, it is a better practice to take specialized resources (and the users and computers that are external-facing certainly fit the description) and put them in their own OUs, and then apply specific policies to those OUs. For example, we create an OU at the base of the domain called "Special Accounts", and then underneath that OU we have the following OUs:

Admin Accounts
Service Accounts
Vendor Accounts
Disabled Accounts
etc.

I'd consider creating an OU called "Waiting Room" and placing the related computers and users in that OU. Of course, place the OU and name it in accordance with your existing structure so it keeps the same look/feel/spirit of your existing OU design.

GPO filtering is to be used sparingly, but whenever you do, you have a more complex environment, and you then need to be able to determine RSOP (Resultant Set of Policy) information more effectively to work out what policies are in effect. Not filtering keeps it simple.
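The OU-based design above, carried through end to end: create the "Waiting Room" OU, move the kiosk user and computers into it, link one GPO to that OU, and set the user-side restrictions the thread asks for (no Run box, no Network Places, no registry tools, locked proxy settings). This is an added example, not the poster's code or the project of any vendor; it assumes the ActiveDirectory and GroupPolicy PowerShell modules (Windows Server 2008 R2 or later, which the thread's 2003 server does not have), a constructed domain example.local, a constructed computer naming convention WAITING*, and the "front" account from the original post.

```powershell
# Added example: scope by OU instead of by security filtering.
# Assumes the ActiveDirectory and GroupPolicy modules; names below are constructed.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDN = (Get-ADDomain).DistinguishedName   # e.g. DC=example,DC=local (constructed domain)
$ouName   = 'Waiting Room'
$ouDN     = "OU=$ouName,$domainDN"
$gpoName  = 'Waiting Room Lockdown'            # constructed GPO name

# 1. Create the OU (idempotent) and move the kiosk user and its computers into it.
$ou = Get-ADOrganizationalUnit -Filter "Name -eq '$ouName'" -SearchBase $domainDN -SearchScope OneLevel
if (-not $ou) {
    New-ADOrganizationalUnit -Name $ouName -Path $domainDN -ProtectedFromAccidentalDeletion $true
}
Move-ADObject -Identity (Get-ADUser 'front').DistinguishedName -TargetPath $ouDN
Get-ADComputer -Filter "Name -like 'WAITING*'" |        # constructed naming convention
    ForEach-Object { Move-ADObject -Identity $_.DistinguishedName -TargetPath $ouDN }

# 2. Create the GPO and link it to the OU only. Scope now comes from the link, so
#    Authenticated Users can keep the default Read/Apply and RSOP stays easy to read.
if (-not (Get-GPO -Name $gpoName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $gpoName -Comment 'Lockdown for public waiting-room PCs' | Out-Null
}
New-GPLink -Name $gpoName -Target $ouDN -LinkEnabled Yes -ErrorAction SilentlyContinue | Out-Null

# 3. User-side restrictions. These are the registry values behind the Administrative
#    Template settings "Remove Run menu", "No Entire Network / Network Places",
#    "Prevent access to registry editing tools" and "Disable changing proxy settings".
$explorer = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$system   = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$ieCpl    = 'HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel'
Set-GPRegistryValue -Name $gpoName -Key $explorer -ValueName 'NoRun'                -Type DWord -Value 1 | Out-Null
Set-GPRegistryValue -Name $gpoName -Key $explorer -ValueName 'NoNetHood'            -Type DWord -Value 1 | Out-Null
Set-GPRegistryValue -Name $gpoName -Key $system   -ValueName 'DisableRegistryTools' -Type DWord -Value 1 | Out-Null
Set-GPRegistryValue -Name $gpoName -Key $ieCpl    -ValueName 'Proxy'                -Type DWord -Value 1 | Out-Null

# 4. Confirm the link and settings from the server side.
Get-GPInheritance -Target $ouDN | Select-Object -ExpandProperty GpoLinks
Get-GPRegistryValue -Name $gpoName -Key $explorer

# On a waiting-room PC, after "gpupdate /force", check what actually landed for the user:
#   gpresult /user front /r
```

A second OU and GPO for the staff group that may use the network but not the internet follows the same pattern; the only thing that changes is which registry values the GPO carries. Keeping each audience in its own OU means the RSOP question "why does this user get this setting?" is answered by the OU path alone, which is the simplicity the post above is arguing for.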
 
rcolbert knows what he's talking about and I'd have to agree with him. I do most of my filtering by OUs. I still have a few cases where I have to drill it down by security filtering. But if you're in a medical office, I'd say read up before you do anything and set up a test lab. You don't want to get your employer caught up in court (which sounds way off, but could happen, especially with having workstations open to the public on your network). Don't play around with anything in the production environment unless you know what you're doing, which it doesn't sound like you know right now, no offense.
 
LittleMe said:
rcolbert knows what he's talking about and I'd have to agree with him. I do most of my filtering by OUs. I still have a few cases where I have to drill it down by security filtering. But if you're in a medical office, I'd say read up before you do anything and set up a test lab. You don't want to get your employer caught up in court (which sounds way off, but could happen, especially with having workstations open to the public on your network). Don't play around with anything in the production environment unless you know what you're doing, which it doesn't sound like you know right now, no offense.
None taken, and that's why I am asking, to educate myself.
 
rcolbert said:
I agree with the steps describing Group Policy filtering, but unless I missed something, I don't see the case for it.

My advice is to avoid Group Policy filtering if you can. Instead, it is a better practice to take specialized resources (and the users and computers that are external-facing certainly fit the description) and put them in their own OUs, and then apply specific policies to those OUs. For example, we create an OU at the base of the domain called "Special Accounts", and then underneath that OU we have the following OUs:

Admin Accounts
Service Accounts
Vendor Accounts
Disabled Accounts
etc.

I'd consider creating an OU called "Waiting Room" and placing the related computers and users in that OU. Of course, place the OU and name it in accordance with your existing structure so it keeps the same look/feel/spirit of your existing OU design.

GPO filtering is to be used sparingly, but whenever you do, you have a more complex environment, and you then need to be able to determine RSOP (Resultant Set of Policy) information more effectively to work out what policies are in effect. Not filtering keeps it simple.
My bad. I was going to mention OU's but I didn't want to confuse the OP any further. However, this is the route one should be taking.
 