Hi guys this is my first post and its a troublesome one. Ihave been at this for 3 days please can someone help.
OK here is what I want to accomplish:
I have 6 Servers all running Win '03 server standard
Server 1 : Configured as a Domain Controller w/ Active Directory
Server 2 : Configured as a Domain Controller w/ Active Directory + file server
Server 3 : Non DC w/o AD, Runs ISA Server
Server 4 : Non DC w/o AD, Runs Sharepoint
Server 5 : Non DC w/o AD, DC Runs several Databases (SQL Server and MaxDB are the main ones)
Server 6 : Non DC w/o AD, Just a crash a nd burn server used for testing and where I get to game on my lunch hour :P
Now.... I have a user who will be logging in remotely using terminal services. I need to give him Access to only the Sharepoint Server so he can mange sharepoint ***ONLY***. I dont even want him to be able to access any network shared resources from any of the other servers.
The user is setup to login remotely using Terminal Services How ever I find that the user needs to be in some sort of Admin security group(aministrators, Domain Admins, Ent Admins,etc....) to be able to login remotely, or even locally for that matter, to any of the NON Domain Controller servers.
Domain Controller group policy and the local policies on all the other servers read the same for the following user rights.
Allow login locally = Administrators; Remote Desktop users
Allow login through Terminal Services = Administrators; Remote Desktop users
Then I manually set the following user right on all the servers i didnt want him to access
Deny login locally = <his user name>
Deny login through Terminal Services = = <his user name>users
This actually works to keep him from using terminal services to login to any of the other servers. But remember that If i dont have him in at least one admin security group he cant login to any of the NON DC servers. so of course ounce he gets into the sharepoint server he has all the access in the world to all of our top seceret data through their network shares :(
So I guess my questions are:
1.) Am i going about this the right way?
2.) Would it make a difference if all the servers where domain controllers?
3.) Would it make a difference if all the servers had the Role of active directory?
4.) Why is a user required to be on an admin security group to be able to login through terminal service on a server that is not a domain controller?
5.) How much wood could a woodchuck chuck if a woodchuck could chuck wood. :eek:
Thanx in advance :cheesy: