In a small network of up to 5-6 computers, the objective is to set up access to 1C. A terminal server has already been established, along with a VPN for Internet access.
However, half of the users require access only to 1C and not other shortcuts on the remote desktop, such as My computer, local disks, the Network, Control Panel, Administration, and so forth. The other half will need to access some of these features. While it's possible to assign folder rights to each user or group through Security properties, clearing Desktop and Start items proves to be more challenging. After researching online, it's apparent that this can be done through Group Policies, but only in a domain network.
Therefore, the question is whether a domain controller should be raised for only a few users, even though it seems complicated.
What's the point of having a domain? I can only think of two reasons, which are centralized account management and control over user rights. However, for a system with just 5-6 computers, having a domain seems unnecessary. It's already possible to configure local user policies using tools like gpedit.msc and the registry.
You can even set restrictions on viewing file systems and enforce launching only specific applications like 1c through user properties.
If you have a small network of 5-6 computers, it might not be worth deploying a domain due to the amount of effort required. However, manually administrating up to 10 computers is feasible.
Additionally, using a "Thin Client" system with WinCE or Linux could be a good option for users who only need access to certain programs. This would eliminate the need for Windows and allow for automatic connection to the server with the designated program set to autorun.
The remaining tasks can be managed through local policies or remote registries.
Local group policies can be accessed on the server even without AD, through gpedit.msc. To control access, limit access to slaves and publish applications without allowing web access.
Instead, manually place the applications on clients by providing an rdp file or generating an msi package for client use.
Setting up a domain controller for a small network with only a few users may not be necessary, as it can add complexity to your network setup. However, if you anticipate the need for additional features and policies in the future, or if you want to centralize user management and security, setting up a domain controller could offer benefits in terms of scalability and ease of administration.
If you decide to proceed with a domain controller, keep in mind that it will require additional hardware resources and configuration. You'll need to install Windows Server operating system, configure Active Directory, and set up group policies to enforce the desired restrictions on user access.
Alternatively, if you prefer to avoid the complexities of a domain controller, consider exploring other options within your current setup. For example, you may be able to achieve the desired level of access control by configuring local group policies on the terminal server itself. This approach would allow you to restrict access to specific features and shortcuts for different user groups without the need for a domain controller.
Here are some additional considerations when deciding whether to raise a domain controller for your small network:
1. User Management: If you anticipate needing centralized user management, such as user account creation, password policies, and group membership management, a domain controller can simplify these tasks. It allows for a unified user authentication and authorization mechanism across multiple computers.
2. Scalability: If you expect the network to grow in the future, setting up a domain controller early on can make it easier to add new users and computers. It provides a framework for expansion and simplifies the management of user permissions and access control.
3. Security: A domain controller can enhance security by enforcing consistent security policies across the network. It enables features like centralized user authentication, password complexity requirements, account lockout policies, and more.
4. Simplified Administration: With a domain controller, you can centrally manage and apply group policies to control user access and desktop configurations. This simplifies the administration process and ensures consistent settings across multiple computers.
5. Integration with other Microsoft services: If you plan to use other Microsoft services, such as Exchange Server or SharePoint, having a domain controller can facilitate integration and provide a single sign-on experience for users.
However, if your network remains small, and you don't foresee a need for advanced user management or scalability in the near future, you may consider sticking with the existing setup and explore alternative solutions to achieve your access control requirements.
Setting up a domain controller for just 5-6 boxes is total overkill - you're deploying a sledgehammer to crĐ°ck a nut. Just use Local Group Policy Editor (gpedit.msc) on the terminal server itself, no need for AD.
Tweak user profiles via RDP properties and folder redirection. Keep it lean - no domain bloat.