
Local Server Logon and Restrictions

b.15101r.14944a

Junior Member
New guy here,

We have a Server 2008 R2 (32) which is a domain controller. We recently switched from open storage (6 RAID-5 drives in the server) to closed storage (removing the drive) every night. I do not want staff pulling the power on a domain controller every night to remove the drives, so I looked in the GPO at 'log on locally' and 'allow shut down'.

This works, however, the temptation is there to 'look around', see what we can see, etc.

Is there a way, either a security setting or a batch file, that staff without admin rights can log onto a server, down the server correctly, but not open Windows Explorer?

I am thinking of some way to write a script, "IF logon server = \\DCSERVER then noaccess browsing", something like that; that is, if you are not an admin and log onto a server, your Windows Explorer rights are limited. I have created a group, so the group name can be used.

Thanks.

b
 
Not an answer to your question, but I'd suggest rethinking the whole thing. Why are you removing the drives every night?
 
Hello,

Can't just hit the power button, need accountability of "who" is using the server, and removing the drives comes at management request - both are not options I can change.

BTW - what if my approach is different: instead of a script, use a local policy to simply "hide the C: drive", much like in the standard GPO?

Is there a way to:
a. create a local group
b. turn on Allow Shut Down for that group
c. This only applies to the server they are logging onto locally.
 
If the drives are SATA or Firewire, you should be able to hot plug and unplug them without any damage. I'm not sure how that applies in a RAID installation.
 
Add the group to

Computer Configuration | Windows Settings | Security Settings | Local Policies | User Rights Assignment | Shut down the System

I have to say this is one of the oddest management requests ever. You're risking damage to the drives every time you touch and transport them. Tapes exist for offline and offsite backups as they are very durable and can take a beating.

Is this the only domain controller? If so, how and when do you back this system up if you remove the drive after hours?
 
This sounds like an absolutely terrible idea.

You're letting someone walk around with unencrypted keys to the kingdom.

I fail to see any justification in this.

Also, in Server 2008 R2 and 2012, you have to be a Domain Admin to have local login rights to a DC. They could RDP in, but for console access, they need to be a Domain Admin.
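
To see who actually holds the two user rights this thread discusses ("Shut down the system" and "Allow log on locally") on a given server, the effective assignment can be exported with `secedit` and listed. This is an added example, not part of any post above; the baseline list of built-in groups and the temp file name are assumptions to adjust to your own policy.

```powershell
# Added example. Run from an elevated prompt on the server being audited.
# Written to work on PowerShell 2.0 (the version shipped with Server 2008 R2).
$rights = @{
    SeInteractiveLogonRight = 'Allow log on locally'
    SeShutdownPrivilege     = 'Shut down the system'
}
# Assumed baseline of built-in principals; anything outside it deserves a second look.
# Administrators, Account/Server/Print/Backup Operators, Enterprise Domain Controllers.
$baseline = 'S-1-5-32-544', 'S-1-5-32-548', 'S-1-5-32-549',
            'S-1-5-32-550', 'S-1-5-32-551', 'S-1-5-9'

# Export only the user rights area of the effective security policy.
$cfg = Join-Path $env:TEMP 'user-rights-export.inf'   # hypothetical file name
secedit /export /cfg $cfg /areas USER_RIGHTS /quiet
if ($LASTEXITCODE -ne 0) { throw "secedit export failed with exit code $LASTEXITCODE" }

try {
    $report = foreach ($line in Get-Content -Path $cfg) {
        # Lines look like: SeShutdownPrivilege = *S-1-5-32-544,*S-1-5-32-551
        if ($line -match '^\s*(Se\w+)\s*=\s*(.+)$') {
            $right = $Matches[1]; $holders = $Matches[2]
            if (-not $rights.ContainsKey($right)) { continue }
            foreach ($entry in ($holders -split ',')) {
                $entry = $entry.Trim()
                if (-not $entry) { continue }
                $sid = $null; $name = $entry      # bare names appear when no SID mapping exists
                if ($entry.StartsWith('*')) {
                    $sid = $entry.Substring(1)
                    try {
                        $obj  = New-Object System.Security.Principal.SecurityIdentifier($sid)
                        $name = $obj.Translate([System.Security.Principal.NTAccount]).Value
                    } catch { $name = '(unresolved SID)' }   # deleted or unreachable account
                }
                New-Object PSObject -Property @{
                    Right = $rights[$right]; Principal = $name; Sid = $sid
                    InBaseline = ($baseline -contains $sid)
                }
            }
        }
    }
} finally {
    Remove-Item -Path $cfg -ErrorAction SilentlyContinue
}
$report | Sort-Object Right, Principal |
    Format-Table Right, Principal, Sid, InBaseline -AutoSize
```

Rows with `InBaseline` set to `False` are the custom groups or accounts that have been granted either right; on a domain controller those are the entries to review.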
 