How to create a domain account that has access to only 1 folder and can log on via RDP?

There are 3 file servers on Windows Server 2008R2 (domain). We need to give an employee of a third-party organization access to a specific folder (D:\Program files\SOFT\) on each file server under one account. Employees will connect using RDP to upload several MB of data, run a (specified) .exe file, and log off.
I don't like the option of setting NTFS deny rules for each directory other than the user's.
Details enough.
First, as already noted in the comments: terminal servers, do you have them?
Or how is RDP organised overall?
I.e. will he go to every server separately over RDP? Straight from outside? Or maybe you have AD Federation Services set up?
Maybe a claims-provider trust and a relying-party trust need to be implemented?
Or Dynamic Access Control with a user claim is applicable here.
Access to the folder - OK. With what permissions?
And at what integrity level does this "EXE" run? I.e. the program may have different dependencies and requirements in terms of permissions on directories and so on? And then privilege escalation cannot be avoided.
No terminal servers. Access is needed for the organization that services "Consultant". Access is only needed to the "Consultant +" directory and the user's profile.
They will connect either to external addresses (prosrochena ports), or first to the VPN server and then to internal locations.

The integrity level is medium.

NTFS rights on the "Consultant +" directory - full access.

In fact, you need to arrange access with protection from accidental sabotage - Garret_Barrows commented on April 4th 20 at 13:06

