Re: Windows 2000 User Settings

Policy? Do you mean Group Policy objects (GPO)? Unless you intend to have multiple users on the laptop or just want to "thinker" you don't need to use GPO's. Otherwise, the information is in the link I provided earlier, from that article:

Administrators are all-powerful. The default Windows 2000 security settings do not restrict administrative access to any registry or file system object. Administrators can perform any and all functions supported by the operating system. Any right that the administrator does not have by default, they can grant to themselves.

Ideally, administrative access to the system should only be needed to:

• Install the operating system and components (including drivers for hardware, system services, and so forth).

• Install Service Packs and hotfixes.

• Install Windows updates.

• Upgrade the operating system

• Repair the operating system.

• Configure critical machine-wide operating system parameters, for example, kernel mode driver configuration, password policy, access control, and audit functions.

In practice, administrative accounts must often be used to install and run legacy Windows-based applications.

and:

Power Users are ranked between Administrators and Users in terms of system access. The default Windows 2000 security settings for Power Users are backward-compatible with the default security settings for Users in the Windows NT® 4.0 operating system. In short, Power Users are indeed powerful.

Ideally, Power Users should be able to perform any task except for the administrative tasks described above. Thus, Power Users should be able to:

• Install and remove applications per computer that do not install system services.

• Customize system-wide resources (for example, System Time, Display Settings, Shares, Power Configuration, Printers, and so forth).

In practice, Power Users cannot install many legacy applications, because these applications attempt to replace operating system files during the setup process.

If you are concerned about ActiveX controls and security there is one program that you should just avoid using and most of your ActiveX security concerns will be taken care of.

John

Bill wrote:

Thanks. Along with your link, I found this page:
http://www.comptechdoc.org/os/windows/win2k/win2kusers.html
and I've got most of what I need.

What I can't find is, where are the policies for installing programs and
ActiveX controls? Or is that what "act as part of the operating system" is?

Bill.



"John John" wrote...

If you restrict your privileges too much you will soon tire of the
constraints imposed by having a low permissions account. To make
matters worse some of the poorly designed software might not run too
well if you don't have elevated permissions. I certainly wouldn't want
to use a "personal" computer with any less than a Power User account.
Computers in corporate environments are a different matter, most users
should be kept to the lowest privileges possible. The information here
should answer some of your questions:

Default Access Control Settings in Windows 2000


http://www.microsoft.com/technet/prodtechnol/windows2000serv/maintain/security/secdefs.mspx

Don't forget to disable the Guest account, it's an unnecessary security
risk.

Bill wrote:


Thanks to both of you!

Can you comment on my strategy - that my main daily, working account

cannot install

programs?

I'm very new to Windows 2000, and I want to set this laptop up for

maximum stability.

How do you guys set up your Windows 2000 computers? How many, and what

types, of user

profiles do you set up?

Bill.



"Stubby" wrote...


In D&S there is a hidden profile named "default". This is copied to
each new user you create. You can also put things in "All Users".
These will appear in addition to what is in each user's private Profile.
Specifically, the Desktop is one file in a profile.


John John wrote:


Copy the Administrator user profile to user Bill. Search the Windows
Help files for "User Profiles" for more information.

Tip: You must have administrative privileges to copy profiles. You
cannot copy or delete a user profile that belongs to the currently
logged on user or any user whose profile is in use. Create a second
Administrator account then when logged on to the second Administrator
copy the profile from the other Administrator account to Bill's

account.

John

Bill wrote:


95% finished setting up my new Windows 2000 computer, all from the
Administrator
account. For safety's sake, I want my main daily work user account to
not be able to
install programs, so I created user "Bill"

Of course, when I log into that "Bill" account, it doesn't have the
desktop, startup
programs, etc. of the Administrator account.

How can I set up a Windows 2000 user account that has the same startup
and desktop
settings as my Administrator account?

Thanks!









.

Relevant Pages

  • SP2 - Access Denied error when installing software
    ... we'll repair Windows and then install SP2. ... > Okay here's what I've found in the registry looking at the permissions in the ... So I added my account and "Users " groups. ... > By the way I did all this from safe mode under the "Administrator" account. ...
    (microsoft.public.games)
  • Re: XP Professional Adminstraor Account...?
    ... Logged onto domain from workstation as Administrator. ... users and gave the user administrative rights. ... Logged out and logged back in under the users account in which I ... Attempt to install program and the install will fail while copying ...
    (microsoft.public.windowsxp.security_admin)
  • Re: XP Professional Adminstraor Account...?
    ... Logged onto domain from workstation as Administrator. ... users and gave the user administrative rights. ... Logged out and logged back in under the users account in which I just ... Attempt to install program and the install will fail while copying ...
    (microsoft.public.windowsxp.security_admin)
  • Re: No idea what the Administrator password is and now it is askin
    ... Have a PC which had a load of virus's on it. ... If you have forgotten your password, if you have another user account ... normally hidden Administrator account. ... do for sure but the simplest solution might be to try a Repair Install ...
    (microsoft.public.windowsxp.general)
  • RE: No Exchange Full Administrators
    ... > install by running ForestPrep and DomainPrep from my DC. ... > domain administrator, so I know it isn't a permissions error. ... > decide to just uninstall Exchange, ... I had to run as an account with the Full Exchange ...
    (microsoft.public.exchange.setup)