Shared Logon Security

By keebmachine
I have a user account that is shared by 5 users and I need for this account to be restricted from accessing shared files and folders on 9 of the 10 servers on the domain.
How can I do this without changing the security permissions to explicitly deny this user account access to these objects?

by keebmachine In reply to Shared Logon Security

Point value changed by question poster.

by kmcniff In reply to Shared Logon Security

I would create a global security group and add the user(s) to this group. You can then do two things:

1. (most dangerous) Create a Global Security Group. Place the user(s) into this group. You can then DENY access to these folders on the servers (NTFS permissions, not share permissions).

2. Create a Local Group for access. Place the proper Global Groups into this Local Group. (Do not use the Everyone or Authenticated Users as these are EVERYONE.) Modify the permissions (NTFS) to allow the Local Group to have the permissions you want and DON'T add the Global Group that you want to restrict. Then remove the Everyone group from this local group. Remember to add the Domain Administrators to this access group. DO NOT REMOVE the Everyone group until you have added the proper groups.
Pay attention to the inherit permissions and reset permissions on child objects (under advanced).

Remember UGLY:
U - Users into Global Groups
G - Global Groups into Local Groups
L - Local Groups apply permissions
Y - Yes apply permissions to Local Groups

Also remember that DENY has precedence over all other permissions. Be careful using DENY. Mostly I prefer to just create groups (global and local) and just not add the groups that I don't want to give access.
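
The allow-only approach from option 2 above, sketched for a single folder as an added example (not code from the thread or from any poster). It assumes Windows PowerShell 5.1 or later run elevated on the file server, and it reads "remove the Everyone group" as removing the Everyone entry from the folder's NTFS ACL; the folder path, the group names and the EXAMPLE domain are placeholders.

```powershell
# Added example: every path, group and domain name below is a placeholder.
$Folder       = 'D:\Shares\Projects'            # hypothetical shared folder
$LocalGroup   = 'Projects-Modify'               # hypothetical local group on this server
$GlobalGroups = @('EXAMPLE\Projects-Staff')     # global groups that SHOULD have access
$Admins       = 'EXAMPLE\Domain Admins'

# G -> L: nest the permitted global groups in a local group. The shared
# account's global group is simply never added, so no DENY entry is needed.
if (-not (Get-LocalGroup -Name $LocalGroup -ErrorAction SilentlyContinue)) {
    New-LocalGroup -Name $LocalGroup -Description 'Modify access to Projects' | Out-Null
}
foreach ($g in $GlobalGroups) {
    Add-LocalGroupMember -Group $LocalGroup -Member $g -ErrorAction SilentlyContinue
}

# L -> permissions: grant NTFS rights to the local group and Domain Admins first.
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit,ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None
$allow   = [System.Security.AccessControl.AccessControlType]::Allow

$acl = Get-Acl -Path $Folder
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    "$env:COMPUTERNAME\$LocalGroup", 'Modify', $inherit, $prop, $allow)))
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    $Admins, 'FullControl', $inherit, $prop, $allow)))

# Stop inheriting from the parent but keep the inherited entries as explicit
# copies, so nobody loses access before the ACL has been reviewed.
$acl.SetAccessRuleProtection($true, $true)
Set-Acl -Path $Folder -AclObject $acl

# Only now, with the allow entries in place, drop Everyone (well-known SID S-1-1-0).
$acl      = Get-Acl -Path $Folder
$everyone = New-Object System.Security.Principal.SecurityIdentifier('S-1-1-0')
$acl.PurgeAccessRules($everyone)
Set-Acl -Path $Folder -AclObject $acl

# Review the result: any remaining broad principal (for example
# Authenticated Users) would still let the shared account in.
(Get-Acl -Path $Folder).Access |
    Format-Table IdentityReference, AccessControlType, FileSystemRights, IsInherited
```

Child objects that already block inheritance keep their own ACLs and have to be checked separately, which is the "reset permissions on child objects" step mentioned above.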

by keebmachine In reply to Shared Logon Security

This is the important part of the question: How can I do this without changing the security permissions to explicitly deny this user account access to these objects?

It would take forever to change the permissions on all of the shared objects on the domain.

by keebmachine In reply to Shared Logon Security

Point value changed by question poster.

by keebmachine In reply to Shared Logon Security

This question was closed by the author
