1

I am looking for a way to severely restrict user account access on Windows servers. Is there a way to programmatically do this? I have found a few options like forcing a user to start in a program other than explorer.exe such that it is the only thing they can access, and once they exit, they log off. I would want them to be able to do a handful of different things: run a few different apps, control printer setup, and start/stop a couple services. Am I asking too much? I'm prepared to write an application to do all these things, but I just wanted to know if there's a way to create a limited account using just pre-existing Windows settings. I could write this in VB6, VB script, a batch file, or C++. I guess if I were to write the app to do everything, I would need a way to programmatically change the start up for the limited account.

Joe M
  • 107
  • 1
  • 16
  • 3
    You need to be more specific about how these users will be accessing the servers. Are you running a terminal server, or are you just talking about a file server. Are these users at the physical console? Do you have an active directory, are these servers domain controllers? – Zoredache Feb 03 '12 at 21:54
  • This is a terminal server. The users are sometimes Remote Desktopping into the server, and sometimes there in person, but always using a server-specific "admin" account. Some of the servers use Active Directory, and a handful are domain controllers. There is no consistency between setups, which is part of the trouble. – Joe M Feb 06 '12 at 16:23

2 Answers2

2

You want to take a look at Group Policy. I'm assuming this is in a domain, otherwise you'll have to do it on a per server basis. You should be able to do most of what you want without resorting to writing custom scripts, although the older versions are less inclusive than the current GPOs.

As an aside, is there any reason you're using such old versions of the OSs?

Holocryptic
  • 5,665
  • 2
  • 29
  • 37
  • I've been looking at Group policy, but it seems to require going through Active Directory to set up. As for the OS, well, you know how legacy code and systems are sometimes. We do what we can with what we're given. ;) – Joe M Feb 06 '12 at 16:23
  • @JoeMajsterski Then you'll want o take a look at Local Security Policy instead. Group Policy is just an extension of that. – Holocryptic Feb 06 '12 at 20:06
1

There should be no pressing need to write a customized shell for this purpose, especially since even a restricted shell can be circumvented in numerous ways. What you can do is

the-wabbit
  • 40,737
  • 13
  • 111
  • 174
  • I'll look into those things. As for the shell app, I don't think we need to worry about malicious attempts to get around the restrictions. These are coworkers, after all! We're mainly concerned with inadvertent mistakes which distort the state of servers from what they were in when problems are reported versus when the problems actually occurred. – Joe M Feb 06 '12 at 16:25
  • The biggest problem I see with these ideas is that I need to be able to do this programmatically, not just by using the windows settings directly. I have not see anything yet to indicate these programs can be run through a command line with switches. – Joe M Feb 06 '12 at 19:46
  • @JoeMajsterski I believe most of the settings would have APIs. It's just that admins usually do not deal with them as settings are propagated using Group Policies or security templates. If you have specific API questions, feel free to ask over at http://www.stackoverflow.com – the-wabbit Feb 06 '12 at 21:08
  • Because of the complexity of the limitations we need, and the fact that this would need to be done programmatically across many many servers with significant variation in their setups, we have decided to write a new shell application with just items we want the user to have access to. However, this is a good list of items to look at for altering permissions, so I'll give you credit for the best answer. Thanks! – Joe M Feb 08 '12 at 17:10