Re: Setting up policies for Windows 2003 clients
From: mattymatmat (mattymatmat_at_discussions.microsoft.com)
Date: 01/08/05
- Next message: wanderer: "Re: authentication too slow"
- Previous message: Pegasus \(MVP\): "Re: Multiboot Server - Is this possible?"
- Next in thread: Lanwench [MVP - Exchange]: "Re: Setting up policies for Windows 2003 clients"
- Reply: Lanwench [MVP - Exchange]: "Re: Setting up policies for Windows 2003 clients"
- Messages sorted by: [ date ] [ thread ]
Date: Fri, 7 Jan 2005 16:33:03 -0800
"Lanwench [MVP - Exchange]" wrote:
> mattymatmat wrote:
> > Hi, I was wondering if any one could help me with setting up policies
> > on clients for my Windows 2003 Small Business Server. I want domain
> > users to have local administrative rights to their own computers they
> > use but not to each others local computers. For example if Person A
> > uses Computer 1 and Person B uses Computer 2, I'd like Person A to be
> > a domain user and a local admin for Computer 1 and Person B to be a
> > domina user as well as a local adming for Computer B. That way if
> > Person A logs on to Person B's computer they can't install software
> > or mess with anything other then their own profile folders. Is there
> > any easy way to do this besides going to everyones machine and adding
> > their domain account as local admin? I want to trust my users on the
> > network as they are mostly tech savy but would that freedom to only
> > extend to their computers for privacy reasons. If anyone knows how
> > to do this or might know a good book to look into that would be much
> > appreciated. Thanks in advance!
>
> You can add Domain Users group to the local Administrators group on each
> computer, or add Joe as a local admin on his local PC only via same method.
> Not sure how you can do the latter via policies....but since you have SBS it
> shouldn't be too much of a chore to do manually as you can't possibly have
> all that many computers. You can manage the client PCs remotely from the
> server console, go to the local users/groups, add who you like.
>
Thanks for the tip, I don't have that many users for now... but our company
is slowly growing, so in time we could grow. I didn't realize I could manage
each computer like that from my Active Directory Users and Computers. Very
nice :D
> <unsolicited $.02>
> That said - IF you really want to do this.
> I sure as ___ wouldn't, even with the smartest, kindest, gentlest users in
> the world. It's too easy for "standardized" company computers to become
> destandardized - and spyware/malware run rampant, viruses, etc.... Security
> is a multilayered approach and your network is far more likely to be
> compromised (or just run into general problems) from a user's desktop than
> from the Internet (presuming you have a decent firewall protecting your
> network). For what purpose would you want users installing their own
> software? This shouldn't be a regular occurence anyway.
> </unsolicited $.02>
You make a very good point... I have served in the trenches of IT support
for many years and I have seen the enemy. It is true that giving local admin
permissions to users could be very bad... but I guess I'd like to be a
benevolent administrator. Also most of the employees are decently computer
literate... which means most of them know enough to be dangerous hahaa. Its
a matter of discussion for my boss and I, but take relief that you may have
changed my mind.
> >
> > Aloha,
> >
> > Matthew Kurihara
>
- Next message: wanderer: "Re: authentication too slow"
- Previous message: Pegasus \(MVP\): "Re: Multiboot Server - Is this possible?"
- Next in thread: Lanwench [MVP - Exchange]: "Re: Setting up policies for Windows 2003 clients"
- Reply: Lanwench [MVP - Exchange]: "Re: Setting up policies for Windows 2003 clients"
- Messages sorted by: [ date ] [ thread ]
Relevant Pages
|
