- User permissions - Server 2003
- Posted by DSEDM on January 21st, 2006
I am new to setting up Server 2003, please bear with me.
I have A.D. installed and have created my user accounts which reside in
logically named O.U.'s. I have joined all of the machines (28 of them) to the
domain.
All of the user accounts I have given Domain Admin permissions (on a
temporary basis.)
I worked off of a server a few years back that had security in place that I
would like to duplicate, but alas I do not know how to set this up.
What I want to set up is this:
1.) When the users browse the network I want them Denied Access to all
machines except their own.
2.) I have a shared Home directory on the server with departmental type
folders residing within (e.g. Warehouse, Mill, Geology, etc.). I want to
apply permissions to these folders so that one department's users cannot go
wandering through the others' data.
Right now if a user logs on over at the warehouse the user can browse to the
machines on the network and access them. I have removed all shares from all
machines so all they see is the Task Schedule and shared printer if
applicable.
The users can also go to the Home directory and browse through all of the
others' folders. I understand that I must create user groups and then apply
permissions to that group... but do I use Group Policy to do this?
I would love dearly to know how to set this server up properly but am short
in the knowledge dept. From what I have been reading on this site this should
be an easy post for most of the techs.
Thanks for all the help.
- Posted by Daniel Heimburg on January 21st, 2006
First of all, remove all users from domain admins. This is a MAJOR
security breach.
You can deny users access to machines except their own in Active
Directory Users and Computers (properties of the user).
Create a home folder on the AD machine, share it with full permissions
to everyone, and again under properties of the users in ADUC put
\\server\home\%username% in the home folders box. (NTFS permissions will
not let users browse each other's directories).
Check out the 70-290 book from Microsoft Press, it contains a lot of
useful information about what you are asking.
http://www.microsoft.com/MSPress/books/6469.asp
/daniel heimburg
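As an added example that is not part of this thread, the PowerShell below applies the departmental NTFS permissions described above under the shared Home folder, so that each department's group can modify only its own folder while the share itself stays open to Everyone. The share root path, the domain name and the group names are assumptions; the script is run as an administrator on the file server.

```powershell
# Added example (not from the thread). Assumptions: the Home share lives at D:\Home,
# the domain's NetBIOS name is CORP, and domain groups "Warehouse Users", "Mill Users"
# and "Geology Users" already exist and contain the right accounts (all hypothetical).
# Share permissions can stay "Everyone: Full Control"; the NTFS ACL does the restricting.
$Root   = 'D:\Home'
$Domain = 'CORP'
$Departments = @{
    'Warehouse' = 'Warehouse Users'
    'Mill'      = 'Mill Users'
    'Geology'   = 'Geology Users'
}

function Set-DepartmentAcl {
    param([string]$Folder, [string]$Group)
    $acl = Get-Acl -Path $Folder
    # Block inheritance from the share root and discard the inherited ACEs,
    # otherwise the root's "Everyone" entry would keep flowing down.
    $acl.SetAccessRuleProtection($true, $false)
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $prop    = [System.Security.AccessControl.PropagationFlags]::None
    # Only administrators, SYSTEM and the owning department get in; everyone else is denied
    # implicitly because no ACE grants them anything.
    $entries = @(
        @('BUILTIN\Administrators', 'FullControl'),
        @('NT AUTHORITY\SYSTEM',    'FullControl'),
        @("$Domain\$Group",         'Modify')
    )
    foreach ($entry in $entries) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($entry[0], $entry[1], $inherit, $prop, 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $Folder -AclObject $acl
}

foreach ($dept in $Departments.Keys) {
    $folder = Join-Path $Root $dept
    if (-not (Test-Path $folder)) { New-Item -ItemType Directory -Path $folder | Out-Null }
    Set-DepartmentAcl -Folder $folder -Group $Departments[$dept]
}

# Check the result: each departmental folder should list only Administrators, SYSTEM
# and its own department group.
foreach ($dept in $Departments.Keys) {
    Write-Host "== $dept =="
    (Get-Acl -Path (Join-Path $Root $dept)).Access |
        Select-Object IdentityReference, FileSystemRights, IsInherited
}
```

The per-user folders that ADUC creates under \\server\home\%username% are a separate matter; ADUC sets their ACL to the user and administrators when it creates them, so they should be left out of this script.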
- Posted by DSEDM on January 22nd, 2006
I followed your directions and entered \\server\home\%username% in the bottom
Home folder box (used the drive letter Z).
Domain Admin was removed from the
account and Domain User has been left in place.
The user folder was created within the shared Home directory after applying
\\server\home\%username%
I logged back in with that user logon and I can still open the computers
that are listed in the domain.
I am on the right track because this seems very familiar but there is a step
missing from what I recall.
And yes indeed I will be going down and picking up the MS Press book, thanks
for the link.
Thank you very much for your time.
- Posted by Daniel Heimburg on January 22nd, 2006
What exactly do you mean by "I logged back in with that user logon and I
can still open the computers that are listed in the domain."?
Can you browse the administrative share \\client\c$ or is it some share
the users have created that you browse?
/daniel heimburg
- Posted by DSEDM on January 22nd, 2006
I will take this step by step kind sir, I know it must be frustrating for
someone that has solid experience in this field.
I create a user named user1 in A.D.
On the A.D. machine I create the shared folder Home and give Everyone full
permissions.
I go to the properties of user1 and enter \\server\home\%username% in the
Home folder box. I leave the Z: in place over to the left of the Home folder
entry box.
I also check to make sure Domain Users is only listed in Member Of.
I go to a computer sitting in another location like the warehouse. Using
that machine in the warehouse I log on to the domain using the user1 account.
I open My Network Places... I then click on Entire Network ..I then open
Microsoft Windows Network ... I then open the Domain that is showing. I now
see all of the computer icons (28 of them) that belong to the Domain.
I double click each computer ... they open showing the default shares
Printers and Faxes and Scheduled Tasks ... if there are other shares on that
machine they will show as well.
What I desire is to have the Access Denied message popup when users try and
open other machines that are listed in the domain.
Again thank you for your kind help.
- Posted by Daniel Heimburg on January 22nd, 2006
I don't understand why you want to prevent users from doing this.
However the easiest way to prevent them from browsing other computers is
to turn on the firewall on the clients.
/daniel heimburg
- Posted by DSEDM on January 24th, 2006
Thanks for your time, I will post the solution once I have it.