Lock down or limit user access on Windows Server 2000/2003

user-managementuser-permissionswindows-server-2000windows-server-2003

I am looking for a way to severely restrict user account access on Windows servers. Is there a way to programmatically do this? I have found a few options like forcing a user to start in a program other than explorer.exe such that it is the only thing they can access, and once they exit, they log off. I would want them to be able to do a handful of different things: run a few different apps, control printer setup, and start/stop a couple services. Am I asking too much? I'm prepared to write an application to do all these things, but I just wanted to know if there's a way to create a limited account using just pre-existing Windows settings. I could write this in VB6, VB script, a batch file, or C++. I guess if I were to write the app to do everything, I would need a way to programmatically change the start up for the limited account.

Best Answer

There should be no pressing need to write a customized shell for this purpose, especially since even a restricted shell can be circumvented in numerous ways. What you can do is

use whitelists for Software Restriction Policies to set the applications your user is allowed to run
set up permissions on your printers to allow control accordingly (note that there is no truly secure way to let a "printer administrator" install new printer drivers - the ability to install drivers would inherently bring the ability to compromise the system)
apply permissions (including start/stop permissions) on individual services

Best Answer

Related Solutions

Windows Server 2003 machine hanging on restart

Migrating from windows 2000 to windows 2003 server

Related Topic