Least amount of privileges

"John" <IDontLikeSpam@Nowhere.com> wrote in message news:%23WO4$MbLGHA.3936@TK2MSFTNGP10.phx.gbl...

Hello,

I apologize if this is a novice question as I'm not too familiar with Active Directory and hope this is the appropriate place to post this.

We have a Windows 2000 Server that runs a 3rd party application that connects to our SQL Server 2000 that is running on this same server. Our users are getting to this 3rd party program through Terminal Services that is set up on this same Windows 2000 Server. Our users are currently members of ordinary Active Directory Domain Users. I noticed recently that this 3rd party program allows users that use this program to create files and asks for folder locations, etc... which I'm a little wary about. In this case I'd like to limit these ordinary Active Directory Domain Users who are part of the Remote Desktop Users group that allows them to run the Terminal Services to only be able to run this 3rd party program that connects to the SQL Server 2000 database that is on this server and give them write/read access to only 'C:\Program Files\3rd party application folder location\'. I was about to right click our server's C drive and remove the ordinary Active Directory Domain Users group from the security tab but was second guessing, wondering if they would need some type of write, execute or some other privileges to the Windows and SQL Server system folders, files and subfolders so that nothing crashes on them while they're connected through Terminal Services. I just want to give them the least amount of privileges on this server and only 1 folder that they can do their 3rd party writing/viewing in. Sorry if this sounds confusing or is too much detail but am hoping this is possible.

Thanks in advance.

John

"Paul Bergson" <pbergson@allete_nospam.com> wrote in message news:ekMBBukLGHA.1288@TK2MSFTNGP09.phx.gbl...

It depends on what the Domain Users group has for permissions. Normally the domain users don't have permissions at the root of a partition; the local "Users" group is given read rights and within the . Is What permissions do the domain users have, and is there a local Users group that is provided ACLs at the root?

Does this third party program have a service account that runs the app for the users in an elevated session? This can often be the case. One of the ways you can determine this is to download Filemon from www.sysinternals.com and have it running while you are doing some of the functions that these users perform with this app. Filemon will list out ALL activity for all users, so you will have to learn to start and stop it during the activity only and also filter the details as much as you can. This info should show you what user was creating, deleting, etc... From there you can determine if it is the ordinary user or a service account.

Also you should consider moving this app off of your SQL server and putting it on a separate server. Install this on a partition other than the system partition and you should be able to have a much higher level of authority and control.

--
Paul Bergson MCT, MCSE, MCSA, CNE, CNA, CCA

This posting is provided "AS IS" with no warranties, and confers no rights.

"John" <IDontLikeSpam@Nowhere.com> wrote in reply to Paul Bergson's message news:ekMBBukLGHA.1288@TK2MSFTNGP09.phx.gbl...

Thanks a bunch Paul. Will give it a go. Much appreciated.

John :-)
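A way to answer the two questions in Paul's reply (what the groups in question actually hold at the partition root and in the application folder, and which account the application's service runs as), as an added PowerShell example that is not from the thread. It assumes a current Windows host with PowerShell 5 or later rather than the Windows 2000 box described above; the paths, group names and service filter are placeholders for the poster's own values.

```powershell
# Added example, not from the thread: list ACEs on a few paths that let the
# named groups create, change or delete files, then show which account the
# application's service runs under. Paths, group names and the service
# filter below are placeholders (assumed, not from the original post).
$Paths  = @('C:\', 'C:\Program Files\ThirdPartyApp')
$Groups = @('Domain Users', 'BUILTIN\Users', 'Remote Desktop Users')
$ServiceFilter = '*ThirdPartyApp*'

# Rights that permit writing; ACEs granting only read/execute are not reported.
$R = [System.Security.AccessControl.FileSystemRights]
$WriteMask = $R::Write -bor $R::Modify -bor $R::FullControl -bor $R::Delete `
    -bor $R::ChangePermissions -bor $R::TakeOwnership

function Get-WriteGrant {
    param([string]$Path, [string[]]$Groups)
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        $who = $ace.IdentityReference.Value          # e.g. CONTOSO\Domain Users
        $hit = $Groups | Where-Object { $who -like "*$_" }
        if (-not $hit -or $ace.AccessControlType -ne 'Allow') { continue }
        # Inherit-only ACEs with generic rights show as raw integers; -band still works.
        if ((([int]$ace.FileSystemRights) -band [int]$WriteMask) -eq 0) { continue }
        [pscustomobject]@{
            Path      = $Path
            Principal = $who
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
            AppliesTo = "$($ace.InheritanceFlags) / $($ace.PropagationFlags)"
        }
    }
}

'== Write-capable ACEs for the selected groups =='
$Paths | ForEach-Object { Get-WriteGrant -Path $_ -Groups $Groups } | Format-Table -AutoSize

'== Services matching the application path and the account they run as =='
Get-CimInstance Win32_Service |
    Where-Object { $_.PathName -like $ServiceFilter } |
    Select-Object Name, StartName, State | Format-Table -AutoSize
```

An empty first table means the selected groups can read but not write at those paths, which is the state the question is aiming for outside the application folder; a service whose StartName is LocalSystem or a privileged account is the "elevated session" case Paul describes.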