Re: Must all users be administrators?

From: Anna Clark (this)_at_verizon.net)
Date: 05/20/04 

Date: Wed, 19 May 2004 22:32:38 -0400

Hi Jeff:

As usual, you have supplied the most information... but I am still puzzled.
With these mostly young men, they don't understand why they can't do
"anything they want" with the company computer. Even if this problem with
the mortgage software (in this particular case) did not exist, there would
still be the problem of them demanding from computer un-savvy, to say the
least, management, that they be able to install what ever they want on the
company computer.

Add to this that there are 10 to 15 of these young people and only 4
computers, and you can see that what pleases user1 does not please user2,
etc. They all take turns, and some remember to log off, some don't. Sally
likes blue on green type, Fred likes green on blue.

I am not upset over this, it is a job of training the management and the
users. What I am upset about is the extensive use of the administrators
group on the local workstation. Unless the end user is an administrator,
he/she complains and management does not want to hear that. If the users
are complaining, the consultant MUST NOT BE doing his/her job. But if
EVERYONE is an administrator, each user is at the mercy of ALL of the others
to keep the apps, printers, etc. intact.

Not my idea of good housekeeping. To paraphrase Martha Stewart, "That's NOT
a good thing!"

As bad, if not worse, I think, is that just to install the SBS client and
all the software and user rights, the Administrator must visit every
workstation. Makes for a long, long day if there are 20 or 50 or 75
workstations joining the new SBS network. If one wants to share the load
with an employee of the organization one must make that person an
administrator before they really know anything at all. True, you could then
go back and change the password for the "asst_admin" if you wanted, but just
to get the workstation to join the domain requires admin status, and
therefore the disclosing of more than an untrained person should probably
know.

Anna

"Jeff Middleton [SBS-MVP]" <jeff@cfisolutions.com> wrote in message
news:OyqdBaePEHA.1036@TK2MSFTNGP09.phx.gbl...
> As was indicated by a couple of people in this thread, you find that
adding
> the users to Domain Admins solves the problem because when SBS configures
> the workstations joining the domain, it ensures that the Domain
> Administrators account is a member of Local Administrators on each
> workstation. Hence, making a user a member of Domain Admins has the impact
> of making them Local Adminstators at their own station. Make sense?
>
> So as was indicated, if you go to each machine and make Domain Users a
> member of Local Administrators, you have accomplished the same result at
> that workstation but, really you haven't done a good thing. Effectively,
you
> have established that every account in the domain is now a workstations
> administrator, and this is begging for troubles. Still, a lot of people do
> that.
>
> If you ran the SBS wizards to setup every user per workstation they use, I
> believe that SBS still makes that user a member of the Local Workstation
> Administrators. At that point, you have limited the power to a one to one
> relationship of the users at their own workstation, but that still isn't
> great, but it's better.
>
> Ideally, what you really want to do is solve the reason that the
application
> is causing this grief. That would be to determine if the application is
> requiring full permissions to a particular folder, or to a particular
> section of the registry on the workstation that normal users don't have
> permissions to control, just read permissions. If it's a folder, you can
> change the permissions to be "Domain Users: Full Control" and now you have
> really done a nice thing. Your users have full control over the specific
> folder the application in question is worried about, but you don't have to
> make your users members of Administrator anywhere. The same process
applies
> for registry locations, but it's a bit less obvious when this goes on.
>
>
> "Dave Nickason [SBS MVP]" <gwdibble@NOSPAM.frontiernet.net> wrote in
message
> news:%23judI$cPEHA.3044@TK2MSFTNGP10.phx.gbl...
> > What happens if you go into the security settings of the folder in
> question,
> > and give whatever permission Administrators have to Authenticated Users?
> > Theoretically, that would solve the problem.
> >
> > I ran into this with a program from the abstract company, where it
wanted
> to
> > write files to the workstations' root directory. I asked them to change
> > their program to write to a directory under Documents and Settings
rather
> > than give the users write permissions to the root directory. They were
> > willing to rewrite their program knowing that they were going to run
into
> > the issue on every default winxp workstation they installed it on.
> >
> > IMO giving all users admin rights is an invitation for a disaster.
You'll
> > have no control over what's installed on the workstations, including
> > spyware, downloaded trojans, kazaa, shareware, etc.
> >
> >
> > "Anna Clark" <anna.clark(remove this)@verizon.net> wrote in message
> > news:ePYPI%23bPEHA.2580@TK2MSFTNGP09.phx.gbl...
> > > Hello everyone:
> > >
> > > One of my sites has a problem. The are a mortgage broker company and
> use
> > > a
> > > software that requires that they save their loan applications to a
> folder
> > > on
> > > the local workstation.
> > >
> > > Unless their domain id is part of the local adminstrators group, they
> > > cannot
> > > save the file.
> > >
> > > Moreover, it seems to me that to make an end user any less than an
> > > administrator over the local system is just asking to make trip after
> trip
> > > to the site to give disgruntled users permissions to do this and that.
> > >
> > > How do others handle this problem, if it is a problem... or have I
> missed
> > > something basic.
> > >
> > > I take care of SBS W2K, and SBS 2K3 sites where the clients are XP Pro
> or
> > > W2K Pro and face this issue at all of them.
> > >
> > > Thanks for your input.
> > >
> > > Anna
> > >
> > >
> >
> >
>
>

Relevant Pages

  • Re: Folder Security
    ... Another possibility is to put another workstation in that location. ... in question from their own or other machines on the network. ... there a way to secure folder access by which machine is trying to access ... permissions apply only to network users. ...
    (microsoft.public.windowsxp.security_admin)
  • Re: Bizzare security behaviour
    ... NT4.0 workstation and all users that logon to any XP Pro workstation?? ... NT4.0 computer try accessing the share via the IP address of the server ... I can open the folder without difficulty. ... I thought the entire POINT of security permissions being on the server is ...
    (microsoft.public.windowsxp.security_admin)
  • Re: permission errors
    ... Is the workstation hard drive formatted FAT32? ... I am having strange problems with permissions for 1 user. ... Started when I wanted to make a backup of a folder on his workstation. ... Verify that you have full access to the working folder and there is disk ...
    (microsoft.public.windows.server.sbs)
  • Re: couldnt change the date on machine
    ... It is permissions on the workstation. ... i thought it might be to do with the user permission set on the server ... I haven't tried to change from power user to administrators. ...
    (microsoft.public.windows.server.sbs)
  • Re: Must all users be administrators?
    ... Administrators account is a member of Local Administrators on each ... that workstation but, really you haven't done a good thing. ... permissions to control, just read permissions. ... If it's a folder, you can ...
    (microsoft.public.windows.server.sbs)