Re: Which local user accounts?
From: Timothy Morris (tim_at_online.kingswoodhouse.e7even.com)
Date: 12/20/04
- Next message: Vic Russell: "Monitoring VPN access to SBS2003"
- Previous message: JohReini: "deploy office 2003 in a sbs2003"
- In reply to: Merv Porter [SBS-MVP]: "Re: Which local user accounts?"
- Messages sorted by: [ date ] [ thread ]
Date: Mon, 20 Dec 2004 18:28:14 -0000
As few people tend to respond when they've been given or found a solution I
thought I would. This is what I ended up doing:
1. Gave "Domain Users" the same security rights to the Program Files folder
as local "power users" (for poorly designed apps that save items in the
Program Files folder rather than under Documents & Settings.
2. Gave Domain Users Full Control over the following registry key and
subkeys HKLM\SOFTWARE\Microsoft\Windows\Current Version\Controls Folder
Left the user accounts as they were before. It is a brand new Vaio S2XP so
it automatically hibernates when you close the lid. There should be no need
for her to log in and/or out during the whole 10 day trip.
I use VirusScan Enterprise edition deployed and configured using ePolicy
Orchestrator, so if and when she does find a wireless access point and
connect to the Internet then VSE will fallback to the McAfee ftp server and
update the virus definitions automatically. It automatically scans when idle
once a day, and on access, and I have spybot SD installed which again runs
daily in automatic mode.
I've already set up RPC over HTTP and tested it so I think I've got
everything covered.
I spent a lot of time looking at various "sub-notebooks" before shelling
out, looking at Fujitsu, Toshiba as well as Sony, and came up with a
shortlist of two, either an S2XP or T1XP, both Vaios. While the T1 is
significantly lighter the S2 has a full pitch keyboard, which is really
essential for touch typing, and appeared to be much better value for money.
I liked it so much I bought 2! Great for accessing the domain via VPN, and
when bored the graphics are good enough to run Half Life 2
Tim
Tim
"Merv Porter [SBS-MVP]" <mwport@no_spam_hotmail.com> wrote in message
news:ugEcjGj5EHA.2016@TK2MSFTNGP15.phx.gbl...
> Tim:
>
> Maybe consider the following...
>
> Set up the laptop for the domain. Then image it to an external USB drive
> using something like Ghost 2003. Make sure the virus defs are up-to-date.
> Then change her password on the server and set it to never expire/user
> can't
> change so she can't log into the domain with the laptop from that point
> (and
> don't tell her what the new password is).
>
> Now do what Susan suggested and create a local account for her on the
> laptop
> with administrator privileges so she can do whatever she needs to on the
> road. (Maybe show her how to set up OL Express so she can send email &
> pictures home and get virus def updates if she plugs into an ISP in
> Europe).
> Reset the laptop to a static IP in the same range as your router. (I
> assuming you have 2 NICs in your SBS so the router is outside your SBS
> network).
>
> When she returns, plug her into the router, manually update her virus defs
> and do an AV scan of her computer (and maybe a spyware scan too). Now
> that
> you have a reasonably clean machine, take any of the files she's created
> on
> the trip and copy them to a CD or USB pen drive. Then restore the
> original
> domain image to the laptop and reinstate her domain account password
> settings at the server.
>
> --
> Merv Porter [SBS MVP]
> ===================================
>
> "Timothy Morris" <tim@online.kingswoodhouse.e7even.com> wrote in message
> news:e5BLzxi5EHA.1264@TK2MSFTNGP12.phx.gbl...
>> As I explained in my first post she doesn't have a local account, just a
>> domain account. There's no way I'm giving any user Admin rights anywhere
> in
>> the chain!
>>
>> I can't imagine her having to log off the whole time she's away.
>>
>> Tim
>> "Susan Bradley, CPA aka Ebitz SBS Rocks [MVP] " <sbradcpa@pacbell.net>
> wrote
>> in message news:esZiTNf5EHA.4008@TK2MSFTNGP15.phx.gbl...
>> > On her computer, log in as the admin, control panel, users, flip that
> user
>> > to "administrator"
>> >
>> > If she'll be off the domain for a long time I think I'd not make her a
>> > domain user as you might run out of the "cached credentials" before she
>> > logs back into the domain.
>> >
>> > Timothy Morris wrote:
>> >
>> >> I run a small network (it is actually in a domestic house, but there
> are
>> >> a total of 8 client PCs, 2 of them remote. For simplicity reasons I
> don't
>> >> actually set up local user accounts on each of the machines, I just
>> >> set
>> >> up all users as "mobile users" on the domain, which gives them he
>> >> equivalent of XP's "Restricted User" in terms of privileges on the
> client
>> >> machines.
>> >>
>> >> I'm just setting up a notebook for my niece and obviously she is going
> to
>> >> have to adjust things like power policies when she is travelling.
> Should
>> >> I use what used to be called secpol.msc to grant the privileges
> required
>> >> to all <domain name>\Domain Users group. The last thing I want is for
> her
>> >> to come back from Switzerland with the machine full of crap that she's
>> >> downloaded from the Internet, but at the same time I don't want her
>> >> enjoyment of what is a fantastic Notebook (Sony S2XP). Prompt answers
>> >> appreciated as I'm running out of time!
>> >>
>> >> Tim
>>
>>
>
>
- Next message: Vic Russell: "Monitoring VPN access to SBS2003"
- Previous message: JohReini: "deploy office 2003 in a sbs2003"
- In reply to: Merv Porter [SBS-MVP]: "Re: Which local user accounts?"
- Messages sorted by: [ date ] [ thread ]
Relevant Pages
|
