GP on Domain User to Restrict other PC Access

Hi Team,
Thanks for reading. I have the following scenario:
Being the administrator of the domain, I have to restrict domain users from accessing other PCs.
Domain users should not be able to access the other PCs WITHIN the domain.
Awaiting your response.
OS - Windows Server 2008 R2.
Client PC OS - Windows 7
Thanks,
Regards, Ravi Kumar

Hi,
You can set the user attribute "userWorkstations".
Source of Picture: http://www.selfadsi.de/user-attributes-w2k8.htm
So you can restrict where the users can log on.
Is this what you searched for?
Regards
Eric
Eric Berg -- http://www.ericberg.de -- MCSE: Private Cloud MCSE: Server Infrastructure MCSE: Desktop Infrastructure

Similar Messages

  • Domain user authentication for 3650 Wireless Access point

    Dear All,
    I have got a new proposal to configure the wireless access points by managing them with the 3650 wireless controller.
    We want to block Wi-Fi access for mobile users.
    Only domain users need to be authenticated for corporate wireless access.
    We have a 3650 switch as a wireless controller and ISE in place. Kindly guide me to achieve the same. Attached is the setup diagram.
    If possible, share a sample configuration; it would be helpful.

    Please refer
    http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/115734-ise-policies-ssid-00.html

  • Cisco ACS - HOW ARE INTERNAL USER'S RESTRICTED IN THEIR ACCESS TO RESOURCES

    Does anyone have any insight into this process. Please advise.

    Hi Eduardoaliaga,
    I believe that when we are using PAP as the authentication protocol, the ACS is able to strip the domain prefix. However, my side is using PEAP MsChapv2 as the authentication protocol and I believe that the TLS tunnel is preventing the ACS from stripping the domain prefix/suffix. Thus, I have also posted another discussion on the issue that when the authentication protocol PEAP MsChapv2 is used, ACS is not able to strip the domain prefix/suffix. Would you also be able to advise on whether that is correct? Please refer to the links below.
    1) https://supportforums.cisco.com/thread/2061835
    2) http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.3/user/guide/eap_pap_phase_ps9911_TSD_Products_User_Guide_Chapter.html#wp1031191
    3) https://supportforums.cisco.com/message/3581951#3581951
    Thks and Rgds

  • Difference between Domain\Domain Users and Everyone Group in SharePoint

    Hi,
    In SharePoint 2013, is Everyone Group an AD group ? Please help with details.
    Thanks
    srabon

    Hi All,
    Domain Users, Authenticated Users, or Everyone
    Domain Users
    The Domain Users is the only real group of the 3 listed above. By that I mean you can add and remove members from this group. Domain Users is a Global Group in the domain, and it can only contain users that are members of the same domain the Domain Users group resides in. By default all users created in the domain are automatically members of this group. However, the default Guest account in the domain is NOT a member of Domain Users; instead it is placed in the Domain Guest group.
    Because of this, Domain Users is generally considered the most secure group of the three listed above.
    Authenticated Users
    Authenticated Users was first introduced in Windows NT 4.0 SP3. This is a built-in group and cannot be modified. The Authenticated Users group contains users who have authenticated to the domain or a domain that is trusted by the computer domain.
    Authenticated Users contains all manually created user accounts in all trusted domains regardless of whether they are a member of the Domain Users group or not. Authenticated Users specifically does not contain the built-in Guest account, but will contain other users created and added to Domain Guests. The Authenticated Users group also includes the local computer account (computername$) and the built-in SYSTEM account.
    Everyone group
    The Everyone group includes all members of the Domain Users, Authenticated Users group as well as the built-in Guest account, and several other built-in security identifiers like SERVICE, LOCAL_SERVICE, NETWORK_SERVICE, etc. NULL session connections (aka anonymous logon) used to be included in this group but were removed in Windows 2003. This is a built-in group that cannot be modified. Because the Everyone group contains the Guest account, and several other built-in security identifiers like SERVICE, LOCAL_SERVICE, NETWORK_SERVICE, etc., it is generally considered the least secure of the three groups.
    Short answer is there isn't much to worry about unless folks are logging in with a guest account or you have removed a bunch of folks from the Domain Users group.
    -Ivan

  • Accessing SSRS report for Domain Users

    Hello,
    I have created the SSRS report and deployed it on the report server. I would like to add browsing credentials for all the users in the user domain, so I have added the domain name on the report server, but even domain users are not able to access these reports.
    Please help me to resolve this issue.

    What error are they receiving while browsing the reports?
    Hope you have provided the permissions on the reports as mentioned in below links:
    http://technet.microsoft.com/en-us/library/ms157363(v=sql.105).aspx
    http://technet.microsoft.com/en-us/library/aa337471(v=sql.105).aspx
    http://technet.microsoft.com/en-us/library/aa337385(v=sql.105).aspx
    http://technet.microsoft.com/en-us/library/aa337494(v=sql.105).aspx

  • "Unable to check revocation" error while checking CDP from non-domain user account

    Hi!
    I use 3-tier PKI infrastructure:
    Stand-alone offline Root CA: RootCA;
    Stand-alone offline Intermediate subordinate CA: SubCA;
    Enterprise CA: EntSubCA.
    In certificate we have three CDP point for CRL check:
    ldap:///, http:// and file://
    I have Windows 2008 R2 server joined to domain.
    I use the command certutil -verify -urlfetch <filename.cer> >check.txt for revocation checking of the certificate.
    When I use a domain user account for revocation checking, all is OK.
    I have access to every CDP and all is fine.
    But when I use a local server user account, I don't have access to ldap:/// and the process fails, although all other links are OK.
    My question is "why does the check fail with a non-domain user account while the other CDP points are successfully verified"?
    Here is the logfile from local user:
    Issuer:
    CN=EntSubCA
    DC=DED
    DC=ROOT
    Subject:
    CN=servername.domain_name
    Cert Serial Number: 5a896145000300006ee2
    dwFlags = CA_VERIFY_FLAGS_ALLOW_UNTRUSTED_ROOT (0x1)
    dwFlags = CA_VERIFY_FLAGS_IGNORE_OFFLINE (0x2)
    dwFlags = CA_VERIFY_FLAGS_FULL_CHAIN_REVOCATION (0x8)
    dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
    dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
    ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN (0x20000000)
    HCCE_LOCAL_MACHINE
    CERT_CHAIN_POLICY_BASE
    -------- CERT_CHAIN_CONTEXT --------
    ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    ChainContext.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
    ChainContext.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
    ChainContext.dwRevocationFreshnessTime: 5 Days, 23 Hours, 15 Minutes, 48 Seconds
    SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    SimpleChain.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
    SimpleChain.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
    SimpleChain.dwRevocationFreshnessTime: 5 Days, 23 Hours, 15 Minutes, 48 Seconds
    CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=1000040
    Issuer: CN=EntSubCA, DC=DED, DC=ROOT
    NotBefore: 05.02.2015 20:03
    NotAfter: 05.02.2016 20:03
    Subject: CN=servername.domain_name
    Serial: 5a896145000300006ee2
    SubjectAltName: DNS Name=servername.domain_name
    Template: Machine
    70 e4 6b 16 05 a1 62 e3 6d 24 96 ff 44 74 ee a2 3e ce df 18
    Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
    Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    Element.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
    Element.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
    ---------------- Certificate AIA ----------------
    Failed "AIA" Time: 0
    Error retrieving URL: Logon failure: unknown user name or bad password. 0x8007052e (WIN32: 1326)
    ldap:///CN=EntSubCA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=DED,DC=ROOT?cACertificate?base?objectClass=certificationAuthority
    Verified "Certificate (0)" Time: 0
    [1.0] file://\\ca\crl\EntSubCA.crt
    Verified "Certificate (0)" Time: 4
    [2.0] http://webserver/crl/EntSubCA.crt
    ---------------- Certificate CDP ----------------
    Failed "CDP" Time: 0
    Error retrieving URL: Logon failure: unknown user name or bad password. 0x8007052e (WIN32: 1326)
    ldap:///CN=EntSubCA,CN=ca,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=DED,DC=ROOT?certificateRevocationList?base?objectClass=cRLDistributionPoint
    Verified "Base CRL (018d)" Time: 0
    [1.0] file://\\ca\crl\EntSubCA.crl
    Failed "CDP" Time: 0
    Error retrieving URL: Logon failure: unknown user name or bad password. 0x8007052e (WIN32: 1326)
    [1.0.0] ldap:///CN=EntSubCA,CN=ca,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=DED,DC=ROOT?deltaRevocationList?base?objectClass=cRLDistributionPoint
    Old Base CRL "Delta CRL (018d)" Time: 0
    [1.0.1] file://\\ca\crl\EntSubCA.crl
    Old Base CRL "Delta CRL (018d)" Time: 4
    [1.0.2] http://webserver/crl/EntSubCA.crl
    Verified "Base CRL (018d)" Time: 4
    [2.0] http://webserver/crl/EntSubCA.crl
    Failed "CDP" Time: 0
    Error retrieving URL: Logon failure: unknown user name or bad password. 0x8007052e (WIN32: 1326)
    [2.0.0] ldap:///CN=EntSubCA,CN=ca,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=DED,DC=ROOT?deltaRevocationList?base?objectClass=cRLDistributionPoint
    Old Base CRL "Delta CRL (018d)" Time: 0
    [2.0.1] file://\\ca\crl\EntSubCA.crl
    Old Base CRL "Delta CRL (018d)" Time: 4
    [2.0.2] http://webserver/crl/EntSubCA.crl
    ---------------- Base CRL CDP ----------------
    Failed "CDP" Time: 0
    Error retrieving URL: Logon failure: unknown user name or bad password. 0x8007052e (WIN32: 1326)
    ldap:///CN=EntSubCA,CN=ca,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=DED,DC=ROOT?deltaRevocationList?base?objectClass=cRLDistributionPoint
    OK "Base CRL (018d)" Time: 0
    [1.0] file://\\ca\crl\EntSubCA.crl
    Failed "CDP" Time: 0
    Error retrieving URL: Logon failure: unknown user name or bad password. 0x8007052e (WIN32: 1326)
    [1.0.0] ldap:///CN=EntSubCA,CN=ca,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=DED,DC=ROOT?deltaRevocationList?base?objectClass=cRLDistributionPoint
    Old Base CRL "Delta CRL (018d)" Time: 0
    [1.0.1] file://\\ca\crl\EntSubCA.crl
    Old Base CRL "Delta CRL (018d)" Time: 4
    [1.0.2] http://webserver/crl/EntSubCA.crl
    OK "Base CRL (018d)" Time: 4
    [2.0] http://webserver/crl/EntSubCA.crl
    Failed "CDP" Time: 0
    Error retrieving URL: Logon failure: unknown user name or bad password. 0x8007052e (WIN32: 1326)
    [2.0.0] ldap:///CN=EntSubCA,CN=ca,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=DED,DC=ROOT?deltaRevocationList?base?objectClass=cRLDistributionPoint
    Old Base CRL "Delta CRL (018d)" Time: 0
    [2.0.1] file://\\ca\crl\EntSubCA.crl
    Old Base CRL "Delta CRL (018d)" Time: 4
    [2.0.2] http://webserver/crl/EntSubCA.crl
    ---------------- Certificate OCSP ----------------
    No URLs "None" Time: 0
    CRL 018d:
    Issuer: CN=EntSubCA, DC=DED, DC=ROOT
    33 af 4d be 0e 35 45 94 bc 8b 3f d9 c1 60 e7 0c c4 83 17 b6
    Application[0] = 1.3.6.1.5.5.7.3.2 Client Authentication
    Application[1] = 1.3.6.1.5.5.7.3.1 Server Authentication
    CertContext[0][1]: dwInfoStatus=102 dwErrorStatus=0
    Issuer: CN=SubCA
    NotBefore: 13.11.2014 19:12
    NotAfter: 13.11.2017 19:22
    Subject: CN=EntSubCA, DC=DED, DC=ROOT
    Serial: 6109015b000100000008
    Template: SubCA
    9b 04 17 9f c5 fe 52 ca a5 58 49 6c c6 18 fa db 13 b3 92 9e
    Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
    Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    ---------------- Certificate AIA ----------------
    Failed "AIA" Time: 0
    Error retrieving URL: The network path was not found. 0x80070035 (WIN32: 53)
    file://\\sub_ca\CertEnroll\sub_ca_SubCA(1).crt
    Verified "Certificate (0)" Time: 0
    [1.0] file://\\ca\crl\SubCA.crt
    Verified "Certificate (0)" Time: 4
    [2.0] http://webserver/crl/SubCA.crt
    ---------------- Certificate CDP ----------------
    Verified "Base CRL (32)" Time: 0
    [0.0] file://\\ca\crl\SubCA.crl
    Verified "Base CRL (32)" Time: 4
    [1.0] http://webserver/crl/SubCA.crl
    ---------------- Base CRL CDP ----------------
    No URLs "None" Time: 0
    ---------------- Certificate OCSP ----------------
    No URLs "None" Time: 0
    CRL 32:
    Issuer: CN=SubCA
    8d a9 9d 51 65 a3 8e 77 02 22 40 57 62 70 e8 f6 c5 2e 60 1e
    CertContext[0][2]: dwInfoStatus=102 dwErrorStatus=0
    Issuer: CN=RootCA
    NotBefore: 28.05.2008 12:09
    NotAfter: 28.05.2058 12:19
    Subject: CN=SubCA
    Serial: 616bd19f000100000004
    Template: SubCA
    06 d2 47 e7 dc 8f a7 97 a2 b8 c3 92 03 19 24 0c 47 45 22 14
    Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
    Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    ---------------- Certificate AIA ----------------
    Verified "Certificate (0)" Time: 0
    [0.0] file://\\ca\crl\RootCA.crt
    Verified "Certificate (0)" Time: 4
    [1.0] http://webserver/crl/RootCA.crt
    ---------------- Certificate CDP ----------------
    Verified "Base CRL (1c)" Time: 4
    [0.0] http://webserver/crl/RootCA.crl
    Verified "Base CRL (1c)" Time: 0
    [1.0] file://\\ca\crl\RootCA.crl
    ---------------- Base CRL CDP ----------------
    No URLs "None" Time: 0
    ---------------- Certificate OCSP ----------------
    No URLs "None" Time: 0
    CRL 1c:
    Issuer: CN=RootCA
    dc 98 2f 8d 16 9c 64 6e b2 74 89 95 9a 6c 1b 77 fd 58 63 fb
    CertContext[0][3]: dwInfoStatus=10c dwErrorStatus=0
    Issuer: CN=RootCA
    NotBefore: 27.05.2008 16:10
    NotAfter: 27.05.2110 16:20
    Subject: CN=RootCA
    Serial: 258de6fbd3bbab92460530e9e9f10536
    5d e4 56 38 13 0a 52 aa 66 51 25 61 19 33 c9 d7 a2 c7 dd 38
    Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
    Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
    Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    ---------------- Certificate AIA ----------------
    Verified "Certificate (0)" Time: 0
    [0.0] file://\\ca\crl\RootCA.crt
    Verified "Certificate (0)" Time: 4
    [1.0] http://webserver/crl/RootCA.crt
    ---------------- Certificate CDP ----------------
    Verified "Base CRL (1c)" Time: 0
    [0.0] file://\\ca\crl\RootCA.crl
    Verified "Base CRL (1c)" Time: 4
    [1.0] http://webserver/crl/RootCA.crl
    ---------------- Base CRL CDP ----------------
    No URLs "None" Time: 0
    ---------------- Certificate OCSP ----------------
    No URLs "None" Time: 0
    CRL 1c:
    Issuer: CN=RootCA
    dc 98 2f 8d 16 9c 64 6e b2 74 89 95 9a 6c 1b 77 fd 58 63 fb
    Issuance[0] = 1.2.700.113556.1.4.7000.233.28688.7.167403.1102261.1593578.2302197.1
    Exclude leaf cert:
    5b 8d 96 39 f8 a3 6f af f3 89 bc 8d 78 e2 da 53 21 b8 ff aa
    Full chain:
    ca 99 30 47 9b ad ab ce 97 cc 70 80 a5 4e 11 b3 1a 83 98 78
    Verified Issuance Policies: None
    Verified Application Policies:
    1.3.6.1.5.5.7.3.2 Client Authentication
    1.3.6.1.5.5.7.3.1 Server Authentication
    ERROR: Verifying leaf certificate revocation status returned The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613)
    CertUtil: The revocation function was unable to check revocation because the revocation server was offline.
    CertUtil: -verify command completed successfully.

    What you have discovered is the reason to *not* use LDAP URLs for CDP and AIA extensions in your PKI. To access those URLs, the account must have access to the URLs. In your output, it is quite clear that the local account does not have the necessary permissions (you also use FILE URLs for publication, which again is not recommended).
    The best practice is to use a single URL for the CDP extension. It should be an HTTP URL that is hosted on a highly available (internally and externally accessible) Web cluster.
    For the AIA extension, it should contain two URLs: one for the CA certificate - again to an internally and externally accessible, highly available Web cluster - and one for the OCSP service - also an internally and externally accessible, highly available Web cluster.
    The other issue is that the root CA is *not* trusted when run by a non-domain account. How are you adding the trusted root CA? It is recommended to do this by running
    certutil -dspublish -f RootCA.crt.
    This will ensure that the computer account trusts the root CA. In your output, the root CA certificate is not trusted.
    Brian
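The following is an added example, not part of the original posts: a PowerShell parser for `certutil -verify -urlfetch` output that tallies AIA/CDP retrieval results per URL scheme, so the log can be compared between a domain account and a local account. The sample lines are constructed in the format of the log above (host and CA names are placeholders), the function names are hypothetical, and PowerShell 3.0 or later is assumed.

```powershell
# Added example: summarise certutil -urlfetch retrieval results by URL scheme.
# Function names are hypothetical; sample lines below are constructed.

function ConvertFrom-CertutilUrlFetch {
    param([string[]]$Line)
    $section = $null; $status = $null; $err = $null
    foreach ($raw in $Line) {
        $l = $raw.Trim()
        # Section header, e.g. "---------------- Certificate CDP ----------------"
        if ($l -match '^-+\s+(.+?)\s+-+$') {
            $section = $Matches[1]; $status = $null; $err = $null; continue
        }
        # Status line, e.g.: Failed "CDP" Time: 0
        if ($l -match '^(Verified|Failed|OK|Old Base CRL)\s+"[^"]*"\s+Time:') {
            $status = $Matches[1]; $err = $null; continue
        }
        # Optional error line that follows a Failed status
        if ($l -match '^Error retrieving URL:\s*(.+)$') {
            $err = $Matches[1]; continue
        }
        # URL line, optionally prefixed with an index such as "[1.0.2] "
        if ($status -and $l -match '^(?:\[[\d.]+\]\s+)?((ldap|https?|file)://\S+)$') {
            [pscustomobject]@{
                Section = $section
                Status  = $status
                Scheme  = $Matches[2].ToLower()
                Url     = $Matches[1]
                Error   = $err
            }
            $status = $null; $err = $null
        }
    }
}

function Get-UrlFetchSummary {
    param([object[]]$Fetch)
    $Fetch | Group-Object Scheme | ForEach-Object {
        $failed = @($_.Group | Where-Object { $_.Status -eq 'Failed' })
        [pscustomobject]@{
            Scheme = $_.Name
            Total  = $_.Count
            Failed = $failed.Count
            Errors = ($failed | Select-Object -ExpandProperty Error |
                      Sort-Object -Unique) -join '; '
        }
    }
}

# Constructed sample in the same layout as the log in the question.
$sample = @(
    '---------------- Certificate AIA ----------------',
    'Failed "AIA" Time: 0',
    'Error retrieving URL: Logon failure: unknown user name or bad password. 0x8007052e (WIN32: 1326)',
    'ldap:///CN=ExampleCA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=example,DC=test?cACertificate?base?objectClass=certificationAuthority',
    'Verified "Certificate (0)" Time: 0',
    '[1.0] file://\\fileserver\crl\ExampleCA.crt',
    'Verified "Certificate (0)" Time: 4',
    '[2.0] http://pki.example.test/crl/ExampleCA.crt',
    '---------------- Certificate CDP ----------------',
    'Failed "CDP" Time: 0',
    'Error retrieving URL: Logon failure: unknown user name or bad password. 0x8007052e (WIN32: 1326)',
    'ldap:///CN=ExampleCA,CN=ca,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=example,DC=test?certificateRevocationList?base?objectClass=cRLDistributionPoint',
    'Verified "Base CRL (01)" Time: 0',
    '[1.0] file://\\fileserver\crl\ExampleCA.crl',
    'Verified "Base CRL (01)" Time: 4',
    '[2.0] http://pki.example.test/crl/ExampleCA.crl'
)

Get-UrlFetchSummary (ConvertFrom-CertutilUrlFetch $sample) | Format-Table -AutoSize

# Live use, run once per account context that has to validate the certificate:
#   Get-UrlFetchSummary (ConvertFrom-CertutilUrlFetch (certutil -verify -urlfetch .\cert.cer))
```

On the sample, only the `ldap` row reports failures (2 of 2, both with error 1326), while `file` and `http` report none.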

  • Anywhere access domain users and rights

    Hello,
    I am working with Anywhere Access on Server 2012 R2, and I am wondering if it has the ability to use the existing domain user rights to existing file shares and folders instead of using its own system.
    For example, I added a new share and pointed it to an existing folder thinking it would be able to see all of the files in it. That did work, but then it also gave all users in my domain rights to that folder. So it is not using the existing domain user rights to the folder that was already existing. Is this a bug or a feature?
    Also I cannot add a folder on our storage cluster. The cluster servers and the clustered server don't show up in the list.
    It could be that this is the wrong product for what I am trying to do, but it seems like it has all of the features that I want.
    Dan.

    Hi Dan,
    What are the shared folder's NTFS permissions? If the Domain Users group has permissions to access the shared folder, all users in the domain can access the folder.
    For more detailed information, please refer to the article below:
    File and Folder Permissions
    http://technet.microsoft.com/en-us/library/bb727008.aspx
    For the storage cluster, I suggest you ask for help from the cluster forums to get a better and more accurate answer to the question.
    http://social.technet.microsoft.com/Forums/en-US/home?forum=winserverClustering
    Regards,
    Mandy

  • Is there any way to provide only Install / Uninstall rights to domain users in AD 2008?

    I need to provide just Install / Uninstall rights to domain users avoiding all other admin privileges.
    I can't provide admin rights to them.
    Is there any way I can provide them?

    Greetings!
    Installing and uninstalling software needs specific permissions to write and modify the registry keys and other locations. By default only members of the local Administrators group are allowed to take part in this process. There is no possible way to implement only this right in your domain. They must be members of local Administrators.
    Regards.
    Mahdi Tehrani | www.mahditehrani.ir
    This posting is provided AS-IS with no warranties, and confers no rights.

  • Allow connection to RDS applications and restrict RDP connection for domain users

    I have configured RDS setup, with the following Roles: RD Web Access, RD Gate Way, RD Connection Broker, RD Session Host and RD Licensing.
    The problem is that the domain users can't run the published applications unless I add the "Domain Users" group to the Remote Desktop Users group on the RDS servers, but now all domain users can connect by RDP to the RDS servers.
    So we need domain users to connect to the RDS published applications while restricting them from connecting by RDP to the RDS servers. In addition, I can see that internal servers are accessible from outside through the RD Gateway server.
    Any ideas?

    Hi,
    Thank you for posting in Windows Server Forum.
    For a test you can create one group and assign the specified user to that group. Add that group to the “Remote Desktop Users” local group. For getting access to a published Remote Application you can simply assign\add the group under the collection properties of the application and that user can get access.
    For restricting users from the server remotely, you can add that group of users under “Deny logon through remote desktop service” under User Rights Assignment. Also you can check the “Deny New User Logons to an RD Session Host Server” settings.
    Hope it helps!
    Thanks.
    Dharmesh Solanki

  • Restrict access of "domain user" to specific computer

    I need to restrict access of a "domain user" to a specific computer in the domain.
    I tried to do it by using "Active Directory Administrative Center".
    In Computers\Computer name\Properties\Extensions\Security
    I added the name of the user, marked deny for all and canceled inheritance.
    And yet the user can log in to the computer.
    I searched for a policy that contradicts the security settings and found none.
    With the "gpo" I was able to block it, but I necessarily need to use the Security tab, because with Security the restriction can be partial.

    Hi,
    Based on your description, I understand that you want to allow some certain users to access specific domain computers.
    Please open ADUC (Active Directory Users and Computers) and click the Users container. Then select that specific user account, open its Properties and navigate to the Account tab. Please click the “Log On To…” option to open the Logon Workstations panel. In the Logon Workstations panel, please change "This user can log on to:" from "All computers" to "The following computers". Then type the specific computer names. Please check if this can help you to achieve the target.
    If I have misunderstood anything or there is any update, please don’t hesitate to let me know.
    Hope this helps.
    Best regards,
    Justin Gu
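The "userWorkstations" attribute from the first thread and the "Log On To…" dialog described above are the same setting. This added example (not from any of the posts) audits it in PowerShell: an empty value means the account may log on to all computers, otherwise the value is a comma-separated list of computer names. User and computer names are constructed, the function names are hypothetical, PowerShell 3.0 or later is assumed, and the live commands in the trailing comments assume the ActiveDirectory module.

```powershell
# Added example: report which accounts are still unrestricted and where each
# account may log on according to userWorkstations (LogonWorkstations).
# Function names are hypothetical; the sample objects below are constructed.

function Test-LogonWorkstationAllowed {
    param([string]$LogonWorkstations, [string]$ComputerName)
    # Empty or missing attribute: no workstation restriction at all.
    if (-not "$LogonWorkstations".Trim()) { return $true }
    $allowed = @($LogonWorkstations -split ',' |
                 ForEach-Object { $_.Trim() } |
                 Where-Object { $_ })
    # -contains is case-insensitive; names are compared exactly as stored.
    return ($allowed -contains $ComputerName.Trim())
}

function Get-LogonWorkstationReport {
    param([object[]]$User, [string[]]$Computer)
    foreach ($u in $User) {
        $permitted = @($Computer | Where-Object {
            Test-LogonWorkstationAllowed $u.LogonWorkstations $_
        })
        [pscustomobject]@{
            SamAccountName = $u.SamAccountName
            Restricted     = [bool]("$($u.LogonWorkstations)".Trim())
            CanLogOnTo     = $permitted -join ','
        }
    }
}

# Constructed sample standing in for Get-ADUser output.
$sampleUsers = @(
    [pscustomobject]@{ SamAccountName = 'alice'; LogonWorkstations = 'PC-ALICE' },
    [pscustomobject]@{ SamAccountName = 'bob';   LogonWorkstations = $null },
    [pscustomobject]@{ SamAccountName = 'carol'; LogonWorkstations = 'PC-CAROL, PC-LAB01' }
)
$computers = 'PC-ALICE', 'PC-BOB', 'PC-CAROL', 'PC-LAB01'

Get-LogonWorkstationReport -User $sampleUsers -Computer $computers |
    Format-Table -AutoSize

# Against a live domain (ActiveDirectory module, account allowed to edit users):
#   Import-Module ActiveDirectory
#   Set-ADUser -Identity alice -LogonWorkstations 'PC-ALICE'
#   $users = Get-ADUser -Filter * -Properties LogonWorkstations
#   $pcs   = Get-ADComputer -Filter * | Select-Object -ExpandProperty Name
#   Get-LogonWorkstationReport -User $users -Computer $pcs |
#       Where-Object { -not $_.Restricted }
```

On the sample, `bob` is reported as unrestricted and able to log on to all four computers, which is the state every account is in until the attribute is set.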

  • How could it be possible to completely restrict other users to view any sites through firefox browser with the help of password ?

    I want complete control of firefox browser for my computer.
    For example:
    There is a similar feature in Internet Explorer which is called 'Content Advisor'.
    To restrict others for viewing sites through Internet Explorer here is what has to be done:
    1. Click to open Internet Explorer.
    2. Click the Tools button, and then click Internet Options.
    3. Click the Content tab, and then, under Content Advisor, do one of the following:
    *Click Enable. If you are prompted for an administrator password or confirmation, type the password or provide confirmation.
    *If you've previously enabled Content Advisor, click Settings, and then type the supervisor password. If you are prompted for an administrator password or confirmation, type the password or provide confirmation.
    4. To allow others to view restricted content, click the General tab, and then select the Supervisor can type a password to allow users to view restricted content check box.
    5. To allow others to view unrated content, select the Users can see websites that have no rating check box, and click OK.
    6. If a supervisor password has not previously been set up for Content Advisor, you will be prompted to create one.

    Looks like verdana is selected to 'off' in font book. Not sure if this could be the reason as to why i'm experiencing problems.

  • Is there any other way to achieve per user call forward restriction other than to create multiple voice policies?

    Hello,
    We mentioned the environment details below:
    Environment
    In our PBX environment, currently a user can forward calls to any local (within a region) internal extension. But for external PSTN call forwarding, a user needs to send a request and be approved by their manager. And the forwarding restriction is applied such that the user is only allowed to forward to that particular PSTN number - to prevent toll fraud.
    Moving forward to Lync, using voice policy's call forwarding and simultaneous ring PSTN usages, I can set it to allow forward and simultaneous ring to custom PSTN usage and a custom route that will only send calls to these pre-approved external numbers.
    Outcome
    But in such a scenario:
    * Since all the custom external allowed numbers will have to be put into a single Route match table, User A will be able to successfully set up call forward to User B's number. (if they come to know about it somehow, that is)
    * Route matching list will be very long due to the number of users per hubsite that has call forwarding enabled.
    Questions
    1. Is there any other way to achieve per user call forward restriction other than to create multiple voice policies? MSPL maybe?
    2. Is there a limit in the number of entries you can have on the Route pattern matching regex expression?
    Please advise. MANY THANKS.

    1) I think multiple policies may be your best bet, though it's not a fun one to manage, I agree.  MSPL could do it, but it would be more complex to maintain in the end.  Even gateways have limitations on routes.
    2) I'm not aware of a limit, though I'm not saying there isn't one.  But if you hit it, you could move to a second usage/route combo.
    I'd suggest building out some PowerShell usage/route creation/organization script for this so it's not something that would need to be maintained within the GUI.
    SWC Unified Communications
    This forum post is based upon my personal experience and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

  • Problem in sending email to other domain users

    Hi All,
    I am using JavaMail for sending emails and am able to send to people within my Exchange server domain. The problem is I am unable to send mail to other domain users like yahoo.com, hotmail.com. The error it is throwing is *"Invalid Address"*
    Is there any special API for this to work?
    Thanks,
    Kishore

    More details, please.
    Please read the JavaMail FAQ. Post the protocol trace if you can't figure it out yourself.

  • RDS 2012 R2 - Allow Some Users Multiple Logon Sessions and Restrict Other Users to a Single Session

    In Server 2012 R2 RDS, is there a way to allow some users to log on multiple times, but restrict other users to a single logon? On an OU or AD group basis?
    I know there is a GPO setting under Computer Configuration for restricting users to a single logon, but this does not allow me to differentiate on a user basis (only on a per server basis).
    Thanks,
    James

    Hi James,
    From my perspective and knowledge, sorry to say but there is no such option\way to provide this permission at the same time. If a user specifies a different program to start when the user connects to the RD Session Host server, a new session will be created on the RD Session Host server for the user, even if the RD Session Host server is configured to restrict users to a single session. A user can specify a program to start on connection on the Programs tab under Options in Remote Desktop Connection.
    Hope it helps!
    Thanks.
    Dharmesh Solanki

  • Chmod -R 700 on home directory doesn't restrict other users

    Hi All,
    I have several users sharing a mac. I wanted to secure my home directory so I opened a terminal and typed:
    cd /users
    chmod -R 700 alandye
    An ls -l confirmed permissions recursively changed for my home directory, and subsidiary directories and files had been set to og-rwx.
    Then, I logged in as a different user (tknoble), and tried to access the directory (alandye) through the Finder that I had just restricted permissions on, and voilà, I could read any file in there.
    This doesn't happen on Unix or Linux, why is it happening here? I tried restricting account tknoble to non-administrative, but got the same problem.
    Net/net, finder seems to be ignoring the posix file permissions.
    Can anyone explain why this is happening?
    thanks,
    Alan

    ... Still, the ACL issue and the open default permissions including the default umask on the Mac has me perplexed. I've used ACL's for years as a system manager on mainframes and other secure enterprise unix platforms, generally through a central administrative console like RACF or ACF2 on the mainframe. It identifies all ACL's on the system and allows you to administer them centrally. The idea that my mac has system generated ACL's that are only accessible through chmod on a file by file basis and are inherently set with open permissions seems like a bad security setup.
    First, the default permissions and umask values have been typical of Unix systems since I started using them back in '85. And even in the Family situation, allowing family members the ability to share information is not uncommon, and can be frustrating to the family if everything is totally locked up.
    Plus your complaints about ACLs, it's just a side issue, as the /User/username folder should have only had an ACL that prevented accidental deletion. Your real problem was cached Finder information. So this ACL discussion is just a tangential issue.
    Second, a Mac is a mass market consumer personal computer, with a strong leaning towards 1 person being the owner and user of that computer. It is not typically sold as a Mainframe replacement. Having tightly locked down, no access default permissions and umask just makes life extremely difficult for the mass market consumer.
    Applying Mainframe rules to a Mac is only going to frustrate you.
    As for having an ACL admin tool besides chmod, for the most part consumers are not aware of ACLs, they are used sparingly on the Mac, and as such it is not something Apple has felt a need to invest in. Maybe there is a 3rd party utility that will provide this service for you.
    While investigating this I did discover a similar problem with a RAID array I have attached with similar file permission problems. chmod -R 700 on directories does set the permission bits correctly, but again, finder bypasses them and allows access for other users, even after a reboot. Apparently, according to this http://hints.macworld.com/article.php?story=20020418091450891 the externally attached drives ignore ownership by default.
    Again, the Mac is a mass market consumer item. Just about every external drive on a Mac is a detachable device, which can be moved around to other Macs, etc... (especially USB thumb drives, SD cards, etc...). Having these devices default to strict security would again frustrate the mass consumer Mac user, when all they want to do is get their pictures off of the SD card, or move files between 2 computers, etc...
    My point is that the defaults Apple has selected are targeted to the mass consumer Mac user. Not the data center mainframe user.
    I would encourage you to give Apple feedback on your experiences
    <http://www.apple.com/feedback/macosx.html>
    or
    BugReporter
    <http://bugreporter.apple.com>
    Free ADC (Apple Developer Connection) account needed for BugReporter.
    Anyone can get a free account at:
    <http://developer.apple.com/programs/register/>
