Creating security groups with different access rights in Active Directory - Server 2003
Hello
I need to create several different security groups for about 7 users with different access rights, but all users will access the same main folder and some of the same records. I created a group with some of the users, but they appear to have access to all the folders in their particular subfolder, and I only want them to have access to some of the folders in the selected subfolder.
I guess what I'm asking is: how do I create groups with different access rights for each group, and ensure that users in these groups only have access to certain folders?
I don't know if I explained myself properly; I have certainly confused myself. I hope someone can point me in the right direction to solve this problem.
Thanks in advance
Jah
Jah,
For assistance, please ask in the appropriate Microsoft TechNet Windows Server forum.
Thank you.
Tags: Windows
Similar Questions
-
Problem with DNS on a single Active Directory server
I have a client where I'm having a problem with DNS; they do not have an Active Directory structure. I have tried just about everything and I'm at my wits' end. Clients can get online, but the problem is that they cannot see the DNS. Any help would be much appreciated.
Ask in the forum Windows Server:
http://social.technet.Microsoft.com/forums/en-us/category/WindowsServer
-
Active Directory server conversion
Hi all
I was wondering if there are any problems when converting a secondary Active Directory server, or a second Active Directory server that holds any of the FSMO roles. Are there any known issues with this kind of P2V flip, or problems with replication once the AD server is online as a virtual machine?
You are better off creating a fresh new virtual machine and running dcpromo. Then run dcpromo on the old one to remove it. In all the projects I have done, that is how I recommend doing it.
Dave Convery
VMware vExpert 2009
http://www.dailyhypervisor.com
"Careful. We don't want to learn from this."
Bill Watterson, "Calvin and Hobbes".
-
Create different groups with VPN remote access
Hello world
Last time, I set up a VPN for remote access to my network with an ASA 5510.
I have access to all of my internal LAN through my VPN.
But I want to set up a VPN group in the CLI for a different group of users who access a different server or a different network on my local network.
Example: computer group - access to the 10.70.5.X network
Consultant group - access to the 10.70.10.X network
I need to know how I can do this, and whether you can give me some example script to complete this.
Here is my configuration:
ASA Version 8.0(2)
!
hostname ASA-Vidrul
domain-name vidrul-ao.com
enable password 8Ry2YjIyt7RRXU24 encrypted
names
dns-guard
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address X.X.X.X 255.255.255.X
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address X.X.X.X 255.255.255.X
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 description Port_Device_Management
 nameif management
 security-level 99
 ip address X.X.X.X 255.255.255.X
 management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name vidrul-ao.com
access-list 100 extended permit ip any any
access-list 100 extended permit icmp any any echo
access-list 100 extended permit icmp any any echo-reply
access-list vpn-vidrul_splitTunnelAcl standard permit 10.70.1.0 255.255.255.0
access-list vpn-vidrul_splitTunnelAcl standard permit 10.70.99.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 10.70.255.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool clientvpngroup 10.70.255.100-10.70.255.200 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-602.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 10.70.0.0 255.255.0.0
access-group 100 in interface inside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa-server 10.70.99.10 protocol radius
aaa authentication enable console LOCAL
aaa authentication ssh console LOCAL
aaa authorization command LOCAL
http server enable
http 192.168.1.2 255.255.255.255 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
crypto isakmp nat-traversal 30
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
management-access outside
dhcpd address 192.168.1.2-192.168.1.5 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
 match default-inspection-traffic
class-map block-url-class
class-map imblock
 match any
class-map P2P
 match port tcp eq www
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
policy-map IM_P2P
 class imblock
 class P2P
!
service-policy global_policy global
group-policy vpn-vidrul internal
group-policy vpn-vidrul attributes
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value vpn-vidrul_splitTunnelAcl
 default-domain value vidrul-ao.com
username test password 274Y4GRAbNElaCoV encrypted privilege 0
username admin password bTpUzgLxalekyhxQ encrypted privilege 15
username admin attributes
 vpn-group-policy vpn-vidrul
username suporte password zjQEaX/fm0NjEp4k encrypted privilege 15
tunnel-group vpn-vidrul type remote-access
tunnel-group vpn-vidrul general-attributes
 address-pool clientvpngroup
 default-group-policy vpn-vidrul
tunnel-group vpn-vidrul ipsec-attributes
 pre-shared-key *
prompt hostname context
Cryptochecksum:d84e64c87cc5b263c84567e22400591c
: end
What you need to configure is to mimic the configuration of the tunnel-group and group-policy, and configure access to the specific network you need.
Currently, you have configured the following:
group-policy vpn-vidrul internal
group-policy vpn-vidrul attributes
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value vpn-vidrul_splitTunnelAcl
 default-domain value vidrul-ao.com
tunnel-group vpn-vidrul type remote-access
tunnel-group vpn-vidrul general-attributes
 address-pool clientvpngroup
 default-group-policy vpn-vidrul
tunnel-group vpn-vidrul ipsec-attributes
 pre-shared-key *
What you need is to create a new group-policy and a new tunnel-group, and configure the split-tunnel ACL to allow the specific access required.
The user must then connect with the new group name and the new pre-shared key (password).
Hope that helps.
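The procedure the reply describes, as an added example that is not from the original thread. The names vpn-consultores, vpn-consultores_splitTunnelAcl, vpn-consultores_filter, the username consultor1 and the bracketed placeholders are assumed; 10.70.10.0/24 is the consultant network from the question; the pool clientvpngroup and the NAT exemption inside_nat0_outbound are reused from the posted configuration. The point the reply leaves out: a split-tunnel ACL only tells the VPN client which prefixes to route into the tunnel. It is honoured by a cooperating client and enforces nothing on the ASA, and because ASA 8.0 defaults to sysopt connection permit-vpn, decrypted client traffic also bypasses the outside interface ACL. The per-group enforcement point is a vpn-filter on the group-policy, so the second group below gets both, plus a group-lock so the account cannot be used against the other tunnel-group.

```cisco
! Added example, not from the original post. Names and keys are assumed.
!
! 1. Split-tunnel list: what the *client* routes into the tunnel (a hint, not a control).
access-list vpn-consultores_splitTunnelAcl standard permit 10.70.10.0 255.255.255.0
!
! 2. vpn-filter: what the *ASA* enforces for sessions in this group.
!    Source is the client pool, destination the protected network; the ASA
!    applies the filter in both directions. Anything not permitted is dropped,
!    so 10.70.5.0/24 and the rest of 10.70.0.0/16 stay unreachable even if the
!    client ignores the split-tunnel list.
access-list vpn-consultores_filter extended permit ip 10.70.255.0 255.255.255.0 10.70.10.0 255.255.255.0
!
group-policy vpn-consultores internal
group-policy vpn-consultores attributes
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value vpn-consultores_splitTunnelAcl
 vpn-filter value vpn-consultores_filter
 default-domain value vidrul-ao.com
!
tunnel-group vpn-consultores type remote-access
tunnel-group vpn-consultores general-attributes
 address-pool clientvpngroup
 default-group-policy vpn-consultores
tunnel-group vpn-consultores ipsec-attributes
 pre-shared-key <long-random-key-different-from-vpn-vidrul>
!
! 3. Pin the consultant account to its tunnel-group. Without group-lock, a user
!    who learns the other group's pre-shared key can connect through vpn-vidrul
!    and inherit its wider policy.
username consultor1 password <set-a-password> privilege 0
username consultor1 attributes
 vpn-group-policy vpn-consultores
 group-lock value vpn-consultores
```

Apply the same vpn-filter pattern to the existing vpn-vidrul group-policy (limited to 10.70.5.0/24 if that is the "computer group"); as posted, that group is only split-tunnelled to 10.70.1.0/24 and 10.70.99.0/24 but not filtered. Verify with show vpn-sessiondb remote filter name consultor1, which lists the group-policy and filter attached to the live session, and show access-list vpn-consultores_filter for hit counts. Separately, the posted configuration negotiates DES with MD5 and DH group 2 for both ISAKMP and ESP; while editing it, add an AES/SHA transform set and ISAKMP policy and retire the DES ones.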
-
Does Cisco ACS version 5.1.0.44.3 integrate with Microsoft Windows Server 2012 R2 Active Directory?
Unfortunately, it does not support 2012 R2.
ACS 5.1 supports all editions of:
Windows Active Directory (AD) 2000
Windows AD 2003
Windows AD 2003 R2
Windows AD 2008
Windows AD 2012 R2 is supported from ACS 5.5 patch 1 onwards.
Please find below the steps to go from 5.1 to 5.5 patch 1:
STEP | FILE | COMMAND
Apply 5.1 patch 6 | 5-1-0-44-6.tar.gpg | acs patch install 5-1-0-44-6.tar.gpg repository ftp_repository_name
Apply 5.3 | ACS_5.3.0.40.tar.gz | application upgrade ACS_5.3.0.40.tar.gz ftp_repository_name
Apply 5.3 patch 8 | 5-3-0-40-8.tar.gpg | acs patch install 5-3-0-40-8.tar.gpg repository ftp_repository_name
Apply the pre-upgrade patch | Pointed-PreUpgrade-CSCum04132-5-3-0-40.tar.gpg | acs patch install Pointed-PreUpgrade-CSCum04132-5-3-0-40.tar.gpg repository ftp_repository_name
Apply 5.5 | ACS_5.5.0.46.tar.gz | application upgrade ACS_5.5.0.46.tar.gz ftp_repository_name
Apply 5.5 patch 1 | 5-5-0-46-1.tar.gpg | acs patch install 5-5-0-46-1.tar.gpg repository ftp_repository_name
Best regards ~ jousset
-
Dear all,
I am running the domain, Active Directory, the backup server (Backup Exec) and the QuickBooks accounting server on the same server.
Does this cause any problems? Kindly looking for answers.
Hello
Post your question in the TechNet Server forums, as your question is beyond the scope of these forums.
http://social.technet.Microsoft.com/forums/WindowsServer/en-us/home?category=WindowsServer
Cheers.
-
Server 2003 Enterprise R2 eval copy
I installed a Server 2003 Enterprise eval copy because we could not find the installation CD.
Everything was fine, and we activated it with Microsoft, until yesterday. 180 days later, our server wants to shut down every hour because the eval copy has expired.
It is a licensed version and has been activated.
Why on earth would you ask in a Windows XP forum?
Post in the Windows Server Forums:
http://social.technet.Microsoft.com/forums/en-us/category/WindowsServer/
-
Need help with unblocking port 80 on Windows Server 2003
Web browsing is disabled on a computer running Windows Server 2003. I think port 80 is blocked, but there is no firewall installed and no router blocking it. Using the IPCONFIG command, I can ping www.yahoo.com, but I cannot connect to www.yahoo.com in the web browser. The remote backup software works fine.
In addition, there is no proxy server set; everything is automatic, "as it should be". I have triple-checked all the settings in Internet Explorer and Firefox.
Thank you for visiting the Microsoft Answers site. The question you have posted is related to Windows Server 2003 and would be better suited to the Windows Server TechCenter community. Please visit the link below to find a community that will support what you are asking:
Cody C
Microsoft Answers Support Engineer
Visit our Microsoft answers feedback Forum and let us know what you think. -
Integrating AAA with RADIUS on Microsoft NPS and Active Directory
Hi all...
We are looking to centralize administrative authentication for our switches and routers using AD domain groups. The oldest switches are 3560s. There are a lot of great guides online on how to do this using MS NPS, but they all seem to require NPS to use PAP and SPAP as the authentication methods between the RADIUS clients (switches) and NPS - clear-text protocols. Is that the only option to make this work? Of course, the main concern would be high-privilege AD user passwords transmitted over the wire. Am I right in thinking that the AD passwords are indeed involved in the process, and NOT only verification of the shared secret between NPS and the RADIUS clients... and then membership in an AD group? Also, what would be a safe alternative where AD passwords would not be sent in clear text? Any clarification would be great...
Thank you... Dennis
Hello Dennis,
The password is not sent in clear text. Instead, it is encrypted by the NAS (in your case the switch) before the request is forwarded to the RADIUS server. The "shared secret" is used in the encryption process, which is why the secret itself is not sent over the network. That is also why the shared secret should be complex. For more information, see the link below:
http://TechNet.Microsoft.com/en-us/library/cc771660%28V=WS.10%29.aspx
I hope this helps!
Please rate helpful posts!
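The "encryption" the reply refers to, as an added example that is not code from the thread: RFC 2865 has the NAS XOR each 16-byte block of the PAP password with MD5(shared secret + Request Authenticator), chaining on the previous ciphertext block. The Request Authenticator travels in the clear in the same Access-Request, so the only secret in the construction is the shared secret; whoever captures the packets and can guess that secret recovers every password, which is what the last function below demonstrates. The shared secret, Request Authenticator and wordlist are constructed inputs.

```python
"""RFC 2865 User-Password hiding as a NAS (switch) and a RADIUS server (NPS) do it.

Added example, not code from the original thread. The shared secret, the
Request Authenticator and the wordlist used in demo() are constructed inputs.
"""
import hashlib
import string

# Bytes an attacker would accept as a plausible decoded password: printable,
# no control characters. Used only by the offline guessing routine.
_PLAUSIBLE = set(string.printable.encode()) - set(b"\t\n\r\x0b\x0c")


def hide_user_password(password: bytes, shared_secret: bytes,
                       request_authenticator: bytes) -> bytes:
    """Return the User-Password attribute value the NAS puts on the wire.

    RFC 2865 section 5.2: pad the password with NULs to a multiple of 16 and
    XOR block by block with an MD5-derived keystream that chains on the
    previous ciphertext block:
        c1 = p1 XOR MD5(secret || RequestAuthenticator)
        ci = pi XOR MD5(secret || c(i-1))
    """
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be exactly 16 bytes")
    if not 0 < len(password) <= 128:
        raise ValueError("RFC 2865 allows 1..128 password bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden = bytearray()
    prev = request_authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(shared_secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        hidden += block
        prev = block
    return bytes(hidden)


def _unhide(hidden: bytes, shared_secret: bytes,
            request_authenticator: bytes) -> bytes:
    """Inverse of hide_user_password; returns the still NUL-padded plaintext."""
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be exactly 16 bytes")
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden value must be a non-empty multiple of 16 bytes")
    plain = bytearray()
    prev = request_authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        keystream = hashlib.md5(shared_secret + prev).digest()
        plain += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    return bytes(plain)


def reveal_user_password(hidden: bytes, shared_secret: bytes,
                         request_authenticator: bytes) -> bytes:
    """What the RADIUS server does: unhide, then strip the NUL padding."""
    return _unhide(hidden, shared_secret, request_authenticator).rstrip(b"\x00")


def looks_like_password(padded_plaintext: bytes) -> bool:
    """Heuristic for a correct guess: printable text followed only by NUL padding."""
    body, _, tail = padded_plaintext.partition(b"\x00")
    return bool(body) and all(b in _PLAUSIBLE for b in body) and not tail.strip(b"\x00")


def guess_shared_secret(hidden: bytes, request_authenticator: bytes,
                        wordlist, known_password: bytes = None):
    """Offline attack on one captured Access-Request.

    Both inputs come straight from the captured packet, so the attacker only
    has to guess the shared secret. With known_password (for example the
    attacker's own account) the check is exact; otherwise the plausibility
    heuristic is used. Returns the recovered secret or None.
    """
    for secret in wordlist:
        padded = _unhide(hidden, secret, request_authenticator)
        if known_password is not None:
            if padded.rstrip(b"\x00") == known_password:
                return secret
        elif looks_like_password(padded):
            return secret
    return None


def demo() -> dict:
    """Round trip plus the offline guess, all on constructed inputs."""
    shared_secret = b"correcthorse"           # constructed: a weak, guessable secret
    request_authenticator = bytes(range(16))  # constructed: real ones are random
    password = b"Sup3rS3cret!"
    on_the_wire = hide_user_password(password, shared_secret, request_authenticator)
    wordlist = [b"password", b"radius", b"cisco123", b"correcthorse"]  # constructed
    return {
        "hidden_hex": on_the_wire.hex(),
        "server_sees": reveal_user_password(on_the_wire, shared_secret, request_authenticator),
        "secret_recovered": guess_shared_secret(on_the_wire, request_authenticator, wordlist),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

What this means for the design in the question: with PAP the password is protected exactly as well as the shared secret is, and the NPS host itself sees every domain password it checks. Practical mitigations are a long random secret per RADIUS client, keeping RADIUS on a dedicated management network or inside IPsec, and logging in to devices with dedicated administrative accounts rather than the everyday domain admin accounts.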
-
Set the network name on a Windows 2012 server without Active Directory
I have a Windows Server 2012 that I use for DHCP, DNS and NAT on a network without a domain controller, and I don't want to create a domain.
When my Windows 7 clients connect, they identify the network with the name "Network". Is there a setting on the Windows 2012 server that will let me change the name clients identify the network with? I want something on the server side, rather than going and renaming it on each client manually.
I noticed that low-end devices such as access points, modems etc. use their own custom network name that clients identify their network with, so I guess it can't be something too difficult...
Thank you in advance.
Support is located in the Windows Server forums:
http://social.technet.Microsoft.com/forums/en-us/category/WindowsServer/
-
Best way to upgrade an Active Directory domain from 2003 to 2008
I have a specific situation. I need to upgrade an AD 2003 domain to 2008 R2. We are not comfortable making the leap to 2012. Basically, the original design was 5 offices, each with a domain controller. Each domain controller has a file share, and also the "Users" folder. I thought of starting with the new servers side by side and DCPromo-ing the new 2008 R2 servers to domain controllers. What is the best method to move the file shares and user files in this case? Once the files are moved, I can then DCPromo down the 2003 servers and raise to the 2008 functional level. All IP addresses are static throughout the environment. I didn't design it this way... but I have to deal with it.
This issue is beyond the scope of this site (for consumers), and to be sure you get the best (and fastest) reply, you should ask either on TechNet (for IT Pros) or MSDN (for developers).
Cisco ASA 8.3 LDAP AAA configuration against a Microsoft Active Directory server fails
Hello
I'm trying to implement LDAP authentication for remote SSL VPN users as in the image below:
When I press the test button and enter a username and password, I get the message "authentication rejected: user not found".
Why? Please help, I am running out of options here... Thanks a lot in advance.
Use the login DN in the following format:
[email protected]/ * / _name and let me know how it goes.
If the suggestion above does not work, please run "debug ldap 255" and paste the output here.
Rgds, jousset
Please rate helpful posts
-
Cisco ACS 4.2 with Active Directory integration
Hello
I'm new to ACS administration; we have recently implemented ACS version 4.2 on a server
to manage all user authorization in our network.
We are in an environment with at least one Active Directory server, groups and users.
Right now I am only able to create a new user in ACS and work with the switch as the client; what I have to do is integrate my ACS 4.2 with Active Directory
to work with the users and groups that are registered in my AD.
Can someone help me please?
Hello
If you use Windows Server for the ACS 4.2 installation, you just need to make it a domain member server.
-
Hello
I'm deploying an ACS connected to an RSA Authentication Manager (which is connected to an Active Directory domain).
I created several groups in the Active Directory server; I am trying to give users different access rights according to their groups.
I tried to define an access service "NetOp/NetAdm" with two authorization rules:
Rule-1: AD-AD1:ExternalGroups contains all dir.INTRA/groups/NETOP -> "Auth for net operators" (0)
Rule-2: AD-AD1:ExternalGroups contains all dir.INTRA/groups/NETADM -> "Auth net admin" (0)
Default: deny
In the identity policy, I have configured the RSA identity source, so that users get authenticated by the RSA Authentication Manager.
But I still get access denied: RSA authentication is successful, but the Active Directory group membership does not work, even with the Unix attributes or primary group defined for the user.
My question is: is this a valid configuration scenario? Is there another way to define several profiles according to the user's group in an external source?
The steps from the monitoring report:
Steps
11001 Received RADIUS Access-Request
11017 RADIUS created a new session
Evaluating Service Selection Policy
15004 Matched rule
15012 Selected Access Service - NetOp/NetAdm
Evaluating Identity Policy
15004 Matched rule
15013 Selected Identity Store - RSA server
24500 Authenticating user against RSA SecurID server.
24501 Session established with RSA SecurID server.
24506 Check operation code succeeded
24505 User authentication succeeded.
24553 User record has been cached
24502 Session with RSA SecurID server closed
22037 Authentication passed
22023 Proceeding to attribute retrieval
24628 User cache not enabled in the RADIUS identity token store configuration.
22016 Identity sequence completed iterating the IDStores
Evaluating Group Mapping Policy
15006 Matched default rule
Evaluating Exception Authorization Policy
15042 No rule was matched
Evaluating Authorization Policy
15006 Matched default rule
15016 Selected Authorization Profile - DenyAccess
15039 Selected Authorization Profile is DenyAccess
11003 Returned RADIUS Access-Reject
Thank you
Christophe
I think what you need to do is create an identity sequence with RSA selected in the "Authentication and attribute retrieval search list" and AD in the "Additional attribute retrieval search list". Then select this sequence as the result of the identity policy for the service.
-
Has anyone created new security groups... and how did you do it?
We are having problems with giving people the ability to view and modify other people's emails/forms/etc. Has anyone set up security that takes away, specifically for groups, the ability to delete or modify? Not everyone who uses our system needs to change or delete, so I wasn't sure if someone had created security groups that remove this ability from some specific users...
Thank you!
When I asked our CSM, she said you have to contact support and they can do it on a case-by-case basis. But we are looking to implement the same thing, so it would be interesting to know if you managed to get this set up.