Smart questions
Smart answers
Smart people
Join Tek-Tips Forums

Member Login

Remember Me
Forgot Password?
Join Us!

Come Join Us!

Are you a
Computer / IT professional?
Join Tek-Tips now!
  • Talk With Other Members
  • Be Notified Of Responses
    To Your Posts
  • Keyword Search
  • One-Click Access To Your
    Favorite Forums
  • Automated Signatures
    On Your Posts
  • Best Of All, It's Free!

Join Tek-Tips
*Tek-Tips's functionality depends on members receiving e-mail. By joining you are opting in to receive e-mail.

Posting Guidelines

Promoting, selling, recruiting, coursework and thesis posting is forbidden.
Jobs from Indeed

Link To This Forum!

Partner Button
Add Stickiness To Your Site By Linking To This Professionally Managed Technical Forum.
Just copy and paste the
code below into your site.

ditchmagnet (TechnicalUser) (OP)
18 May 09 14:47
I have users accessing terminal server remotely, and would like to be able to restrict what they can access during their session.  Every user appears to have full control of the system during their session.
I have tried creating a Restricted Users group, then adding a member, then going to C: properties, then to security tab, and un-checking everything.  Then I went to just the folders I want them to access and set permissions on them.  Once I logged on as the user in the Restricted Users group, they still had access to everything.

What can I do?
TechyMcSe2k (TechnicalUser)
18 May 09 19:22
You need to utilize Group Policies

Great knowledge can be obtained by mastering the Google algorithm.

TechyMcSe2k (TechnicalUser)
18 May 09 19:24
How to apply Group Policy objects to Terminal Services servers

Great knowledge can be obtained by mastering the Google algorithm.

ditchmagnet (TechnicalUser) (OP)
19 May 09 11:13
I figured it out.  I basically did everything I already did, but chose deny for list directory contents on C:, then on folders I want the group to access, I unchecked inherit permissions, and set the to modify.

Now one more question, since I cannot create additional containers in AD, is it OK to use a OU?  I want to move my groups out of the users container into their own container.

TechyMcSe2k (TechnicalUser)
19 May 09 12:04
Groups should have their own will be fine.  I break mine in to seperate OU's (security and DL) Get granular with your AD really helps in GPO's and finding stuff :)

Great knowledge can be obtained by mastering the Google algorithm.

Seaspray0 (TechnicalUser)
22 May 09 17:25
We have seperate OU's for security groups and distribution groups.  The security groups has two sub OU's, one for resource groups, one for user roles.  On the file systems, we apply ntfs permissions to the resource groups (domain local groups).  In AD, we add roll groups (domain groups) as members of the resource groups.  When someone gets hired, all we have to do is grant them a role membership.  Our resource group names reflect the locations where permissions are applied i.e. rsc_server_share_folder_sub-[f,r,w,m] (full,read,write,modify).  The role names reflect the user roles i.e. rol_accounts_receivable.

Start, Help.  You'll be surprised what's there.  A+/MCP/MCSE/MCDBA

Reply To This Thread

Posting in the Tek-Tips forums is a member-only feature.

Click Here to join Tek-Tips and talk with other members!

Back To Forum

Close Box

Join Tek-Tips® Today!

Join your peers on the Internet's largest technical computer professional community.
It's easy to join and it's free.

Here's Why Members Love Tek-Tips Forums:

Register now while it's still free!

Already a member? Close this window and log in.

Join Us             Close