Re: Which user group for user workstations ?
From: Dave Nickason [SBS MVP] (gwdibble_at_NOSPAM.frontiernet.net)
Date: 03/01/04
Date: Mon, 1 Mar 2004 11:30:56 -0500
You should experiment with this, because I'm not sure of the details. Power
users can't install most software - something to do with the inability to
write to certain registry keys, I'm pretty sure. My big worry is stuff
installed from the Internet, particularly cases where people just routinely
accept pop-ups without reading them. I don't restrict anything in
particular other than to make the users power users rather than admins, but
I do restrict everyone's ability to change anti-virus settings (my AV
program supports setting that at the server).
Administrators can do anything, including giving themselves permissions that
you've previously taken away. Administrators can also view files in other
users' profiles. Power users can't do any of that type of thing, although
they may be able to start and stop services.
"Stuart Mackie [MCP, MSP]" <me@--REMOVE_THIS--stu.uk.com> wrote in message
news:%23IrvJyW$DHA.2800@tk2msftngp13.phx.gbl...
> Hi, thanks for the advice. Other than making users Power Users for their
> own workstation, do you feel it necessary to make any other particularly
> important restrictions on their systems ?
>
> I should know this but are Power Users able to stop services ? Is there
> enough of a difference between a Power User and Administrator to make it
> significantly more secure ?
>
> Thanks,
> Stuart [MCP, MSP]
> www.stu.uk.com
>
> To reply via email, remove '-REMOVE-THIS-' from my address
>
>
> "Dave Nickason [SBS MVP]" <gwdibble@NOSPAM.frontiernet.net> wrote in message
> news:u9f9dxV$DHA.268@TK2MSFTNGP10.phx.gbl...
> > I set everyone to Power User. With more restrictive settings, I often find
> > that older programs don't work. I don't see the need for admin rights, and
> > I do see a lot of risk making users admins.
> >
> > For remote users, you may have to give the user an admin password if they
> > need to be able to troubleshoot over the phone or anything like that. I'd
> > make laptop users Power User. If they're in the office every day, I'd leave
> > it at that. Otherwise, you could create a separate local admin account and
> > give them the password, while making their primary profile the Power User
> > account. There's still some risk, but you need to make them understand that
> > lack of admin rights is just a good practice, not a punishment.
> >
> >
> > "Stuart Mackie [MCP, MSP]" <me@--REMOVE_THIS--stu.uk.com> wrote in message
> > news:ezuHjcV$DHA.3184@TK2MSFTNGP09.phx.gbl...
> > > Hi. At the minute we have a number of workstations and laptops on our
> > > network and in the past have given domain users Administrative privileges on
> > > their own workstation/laptop. Obviously in terms of security this isn't the
> > > best idea, but we're also concerned that basic user privileges may be too
> > > restrictive.
> > >
> > > I was just wondering what people felt was the best way of providing a secure
> > > environment ?
> > >
> > > --
> > > Thanks,
> > > Stuart [MCP, MSP]
> > > www.stu.uk.com
> > >
> > > To reply via email, remove '-REMOVE-THIS-' from my address
> > >
> > >
> >
> >
>
>
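
Added example, not part of the original thread or written by its participants: a PowerShell sketch for finding which accounts still sit in a workstation's local Administrators group, the situation the thread is about. The function name, the allow-list of RIDs and the sample accounts are assumptions made for illustration; the live call assumes Windows PowerShell 5.1 or later, where `Get-LocalGroupMember` is available.

```powershell
# Added example (not from the thread). Sample members below are constructed.
# S-1-5-32-544 is the well-known SID of the local Administrators group.

function Get-AdminReviewList {
    param(
        [Parameter(Mandatory)] [object[]] $Members,
        # RIDs allowed to stay (assumed policy):
        # 500 = built-in Administrator, 512 = Domain Admins
        [int64[]] $AllowedRid = @(500, 512)
    )
    foreach ($m in $Members) {
        $sid  = [string]$m.SID
        # The RID is the last dash-separated component of the SID.
        $rid  = [int64]($sid.Split('-')[-1])
        # Only machine/domain account SIDs (S-1-5-21-...) can match the allow-list.
        $keep = $sid.StartsWith('S-1-5-21-') -and ($AllowedRid -contains $rid)
        [pscustomobject]@{
            Name        = $m.Name
            ObjectClass = $m.ObjectClass
            SID         = $sid
            Action      = if ($keep) { 'keep' } else { 'review' }
        }
    }
}

# Constructed sample input, shaped like Get-LocalGroupMember output.
$sample = @(
    [pscustomobject]@{ Name = 'WS01\Administrator'
                       ObjectClass = 'User'
                       SID = 'S-1-5-21-1111111111-2222222222-3333333333-500' }
    [pscustomobject]@{ Name = 'EXAMPLE\Domain Admins'
                       ObjectClass = 'Group'
                       SID = 'S-1-5-21-4444444444-5555555555-6666666666-512' }
    [pscustomobject]@{ Name = 'EXAMPLE\Domain Users'
                       ObjectClass = 'Group'
                       SID = 'S-1-5-21-4444444444-5555555555-6666666666-513' }
    [pscustomobject]@{ Name = 'EXAMPLE\jsmith'
                       ObjectClass = 'User'
                       SID = 'S-1-5-21-4444444444-5555555555-6666666666-1104' }
)

# Domain Users and jsmith come back as 'review'; the other two as 'keep'.
Get-AdminReviewList -Members $sample | Format-Table -AutoSize

# On a live workstation, feed it the real group membership instead:
#   Get-AdminReviewList -Members (Get-LocalGroupMember -SID 'S-1-5-32-544')
```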