Re: Permissions for users
- From: "Simon Morris" <newgroups@xxxxxxxxxxxxxxxxxxxxx>
- Date: Tue, 5 Apr 2005 16:20:42 +0100
This is a very interesting topic for me as I have a similar problem and am
currently trying to find the balance between security and producitivity. I
am also a first time installer of SBS so please excuse my inexperience.
As administrator, I recently installed a large commercial application on one
of my teams workstations who has standard user permissions, but the app will
not run when my user is logged in (it complains about administration
priveleges error). I explored similar processes to the OP, gradually
increasing his account permissions until the application would work, but
unfortunately only "Domain Admin" would suffice. This is obviously
undesirable as it gives my user access to restricted areas of the network.
In my situation, I am happy that my user can be trusted to administer his
machine locally, but I need to maintain control over his access rights on
the network, so is there some way that I set the users permissions to get
the best of both worlds?
Many thanks
Simon Morris
"Andrew M. Saucci, Jr." <spam-only@xxxxxxxxxxxxxxxx> wrote in message
news:eicjfEYOFHA.3380@xxxxxxxxxxxxxxxxxxxxxxx
> I have bad news. There is no single answer to this question. The
> answers vary depending upon exactly which program you need to install. The
> closest you can come to a single answer is to make every domain user
> account
> an administrator account on each workstation-- but that is like borrowing
> money on a credit card at 25% interest to buy groceries. The bill comes
> due
> later in the form of workstations infested with adware, spyware, trojans,
> viruses, and worms. You have to invest the time either now (by assigning
> appropriate permissions manually) or later (by adware/spyware cleanup and
> general loss of control over the workstations). I got sick of cleaning
> trash
> off workstations, so I now prefer to reserve administrator privileges for
> myself and set the permissions the way the installations should have set
> them in the first place. Go to www.sysinternals.com and grab yourself
> copies
> of RegMon and FileMon. These will be indispensible in troubleshooting
> flaky
> programs that don't run properly without administrator privileges.
>
> When the users complain, explain that running applications under
> an administrator account is like leaving one's car by the side of the road
> unlocked with the keys in the ignition. I believe that end-users will
> eventually demand security when they get sick of seeing people spending
> hours on end cleaning and repairing workstations-- just as the crank on
> the
> front of the car is rightly seen as antiquated today. Use some finesse and
> heap piles of sympathy on them, but stick to your guns. No local
> administrators. The bottom line is that the days of users installing
> applications are coming to an end, unless application vendors fix their
> programs so that a user running temporarily with an admininstrator account
> can install them and then switch back to ordinary user privileges with no
> trouble.
>
> "Mike Webb" <Mike_Webb@xxxxxxxxxxxxxxxxx> wrote in message
> news:ufIIE2sNFHA.3984@xxxxxxxxxxxxxxxxxxxxxxx
>> Using SBS 2003 in a WinXP LAN for a small (8 employee) non-profit. SBS
>> recently installed by vendor, so my skills are minimal but improving.
>> ====================
>> The staff has expressed a lot of frustration with their inability to
> install
>> programs. We'd had nothing more than a P2P network for the last 15
>> years.
>> Since I got SBS installed and ordered new computers for some of the
>> staff,
>> they've found that they can't install programs. I've boosted them from
> User
>> to Power User, thinking that would do the trick, but no-go. I made them
> all
>> Admins of their local machine only, thinking they can login to the
> machine,
>> install the program, add their domain account to the authorized users
>> list
>> in Properties, and that would let them use the program. Didn't work.
> Tried
>> copying over the shortcuts from the machine account to the domain account
> in
>> Documents and Settings - got an error that leads me to think there's a
>> problem with the registry and how it rel;ates the program to the person
>> logged in.
>>
>> The programs they want to install are all for their work and research.
> I'm
>> kinda stumped and am wary of experimenting with GPO's or permissions as I
>> don't want to unwittingly dig myself into a hole. I'm sure there's an
>> answer out there ..... comments? thoughts?
>>
>> --
>> Mike Webb
>> Platte River Whooping Crane Maintenance Trust, Inc.
>> a 501 (c)(3) organization
>>
>>
>
>
.
- Follow-Ups:
- Re: Permissions for users
- From: Simon Morris
- Re: Permissions for users
- References:
- Permissions for users
- From: Mike Webb
- Re: Permissions for users
- From: Andrew M. Saucci, Jr.
- Permissions for users
- Prev by Date: Re: SUS, Win2k3 SP1 and SBS
- Next by Date: Server Anti-virus
- Previous by thread: Re: Permissions for users
- Next by thread: Re: Permissions for users
- Index(es):
Relevant Pages
|
