| Author |
Message |
Norman
Guest
|
 Posted:
Mon Oct 24, 2005 12:50 am Post subject:
Read-Only Access to the entire server - everything , not jus |
|
|
Hi,
My senior instructed me to give Read-only access to a small group of people
on one server. However, this access would include "everything" on that
server , ie, not just the read-only permission on file and folders , but
even the OS and system level applications and properties : eventlog,
registry , IIS ,system properties, network properties , control panel
.......EXCEPT they cannot change it.The server is a domain server running
W2k3 SP1.
Is there anyway to achieve this requirement ? I don't think any built-in
groups can do that . Could this be done via GPO ?
Please help !
Norman |
|
| Back to top |
|
 |
Steven L Umbach
Guest
|
| Posted:
Mon Oct 24, 2005 6:26 am Post subject:
Re: Read-Only Access to the entire server - everything , not |
|
|
That would not be entirely possible. You can restrict users by using access
control lists for ntfs and registry, group membership, and by user rights.
There are some files such as userinit.exe that would not allow the user to
logon to the computer if they had only read access to the file. Regular
users can configure some control panel items if they can open that control
panel applet.
The best you can do is to make sure the users are no more than regular users
who simply will not have access to all he wants. Restrict access to registry
and folder/files to be read access only for files they do not need to logon
to the computer, access the desktop, and otherwise do their job. You could
add their user group to access control lists with deny permissions for
everything but read which you may have to do with advanced permissions of
ntfs. Limit their user rights which are already quite limited as a regular
user, and use Group Policy to restrict their access to what they do not need
with settings under user configuration/administrative templates.
The other alternative is add their group to the local administrators group
and then try restricting them in the same way though I would consider that a
dangerous option as you ultimately can not restrict a user that is in the
local administrators group that is skilled and determined. --- Steve
"Norman" <NormanN@hotmail.com> wrote in message
news:eGSHeID2FHA.2964@TK2MSFTNGP09.phx.gbl...
| Quote: | Hi,
My senior instructed me to give Read-only access to a small group of
people on one server. However, this access would include "everything" on
that server , ie, not just the read-only permission on file and folders ,
but even the OS and system level applications and properties : eventlog,
registry , IIS ,system properties, network properties , control panel
......EXCEPT they cannot change it.The server is a domain server running
W2k3 SP1.
Is there anyway to achieve this requirement ? I don't think any built-in
groups can do that . Could this be done via GPO ?
Please help !
Norman
|
|
|
| Back to top |
|
|
Roger Abell [MVP]
Guest
|
| Posted:
Mon Oct 24, 2005 4:51 pm Post subject:
Re: Read-Only Access to the entire server - everything , not |
|
|
Cannot be accomplished.
Ask your senior to specific to what they should have access and
in what way (remote tools/shares, local login, remote desktop, etc.)
If your senior "grumps" about the looseness/limitations of Windows
that it cannot do this, then ask them to do it with any Unix, where
also it cannot be done as stated by yourself.
"Norman" <NormanN@hotmail.com> wrote in message
news:eGSHeID2FHA.2964@TK2MSFTNGP09.phx.gbl...
| Quote: | Hi,
My senior instructed me to give Read-only access to a small group of
people on one server. However, this access would include "everything" on
that server , ie, not just the read-only permission on file and folders ,
but even the OS and system level applications and properties : eventlog,
registry , IIS ,system properties, network properties , control panel
......EXCEPT they cannot change it.The server is a domain server running
W2k3 SP1.
Is there anyway to achieve this requirement ? I don't think any built-in
groups can do that . Could this be done via GPO ?
Please help !
Norman
|
|
|
| Back to top |
|
|
|
|
|
|
FAQ
Memberlist
Register
Profile
Log in to check your private messages
Log in