Re: How do you all manage employee workstations? Looking for sugge
- From: "Gregg Hill" <bogus@xxxxxxxxxxx>
- Date: Fri, 3 Mar 2006 15:11:38 -0800
QB on TS will work. Go to Vera's site at http://ts.veranoest.net/ and start
reading (a lot!). I just used her procedure to get QB Pro 2005 to work via
TS with nothing more than Domain User accounts.
Gregg Hill
"Andrew Vital" <AndrewVital@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:2A5A5B76-1E77-47FE-96FD-50F0DDA6CBF7@xxxxxxxxxxxxxxxx
Thanks for that info, and yes QB is one of those damn progies that plagues me too.
Regarding the "Restricted Groups" feature, I'm afraid I'm not sure what that is.
Do you mean adding groups, say "QB Users", "Standard Users", and "Power Users" for the domain, to the local machine's SAM and then making only those users needed members of those domain groups, and since those domain groups are in the local machine's SAM any user logging into that machine will have the access?
If this is so, is there any way to have domain groups added automatically with GP or something, as if I were to implement this strategy I'd have to go around to all the workstations and add these groups - and if I ever created a new grouping I'd have to add that to every machine.
Or am I way off base here? lol
I'm still wet behind the ears with this network administration stuff, though I've come a long way since I started here in June I still have a lot to learn - this forum has been a life saver though!
Thanks for any input.
- Andy
"Jeff Vandervoort" wrote:
Yes, that's what I mean.
BTW, there are also more efficient ways to handle granting membership in Administrators or Power Users than adding individual user (or group) accounts to each computer's SAM. Use the "Restricted Groups" feature. If you find you still have to give some or all users elevated permissions, it will save you a lot of time.
And definitely restrict it to the users who actually need those permissions. For example, if QuickBooks requires elevated permissions (and, alas, it still does to this day!) but you only have 2 QuickBooks users, make them members of a "QuickBooks Users" group in the domain, then make that group a member of Power Users via the Restricted Groups feature. Don't do it for the whole company.
But no program truly "requires" admin permissions. If a developer or ISV tells you that, it's because they're too lazy or careless to discover and document what needs modify permissions. (And if the software was properly written, that wouldn't even be necessary...but I digress.) Press them for details...sometimes you'll get an answer. And other times they'll scratch their heads and say "Hunh? What's a permission? You have my permission to run the program." They won't have a clue what you're talking about. But as posted elsewhere in this thread, it's sometimes possible to find the specific files, folders & registry keys to which modify permissions are required using RegMon and FileMon. Once you do, you can set those permissions granularly through Group Policy so you never have to touch a workstation. And you can restrict it to computers on which the software is installed because you can create security groups whose members are computers (for example, "QuickBooks Computers"). (QuickBooks is not a good example, because it requires Full Control on HKCR. Once you've granted that, you've given away the keys to the kingdom anyway...might as well run as a Power User and be done with it.)
--
Jeff Vandervoort
JRVsystems
"Andrew Vital" <AndrewVital@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:E5A0BE97-796A-4B20-8D68-E285B376FA17@xxxxxxxxxxxxxxxx
Jeff, a question about this comment
"Make your users members of ComputerName\Users and NOT ComputerName\Power Users or ComputerName\Administrators and you will seldom, if ever, have a machine "go South" unless it's caused by hardware"
When I set up a workstation I go to users in control panel and enter the username and the domain, then select administrator. Making them an administrator on the local machine. This is how it was done before I got to the company (started here last year) though the 1 program they needed these permissions is no longer used so I'll test running users on standard user permissions.
Is this what you mean by computername\users?
- Thanks,
Andy
"Jeff Vandervoort" wrote:
I can't imagine managing 10 PCs under these conditions, let alone 70! Best practices--
1. Do not allow users to save data to C:. Ever. On pain of death. Give them a deadline to move data to the server after which you use Group Policy to hide drive C:. This requires a lot of political finesse and/or buy-in from the boss, but it's essential. To sell it, they need to understand that their data is MORE secure on the server. Use NTFS to its fullest potential to make that happen. And if you're backing up data on workstations, stop, because it's making you what the shrinks call an "enabler".
2. Purchase a volume license for Office and stop buying PCs with OEM Office. Office installed with a volume license (via Group Policy...hands-free) does not require activation or any of your time. Will likely be more expensive, but cost-benefit analysis will likely show it's worth it.
3. Enable roaming profiles and folder redirection. This will capture Favorites and everything else of interest. Especially since you will no longer allow users to save to C:. Users will be able to log on to their computer or any other available computer and see exactly the same thing they'd see on their own.
4. Make your users members of ComputerName\Users and NOT ComputerName\Power Users or ComputerName\Administrators and you will seldom, if ever, have a machine "go South" unless it's caused by hardware. If you have permissions issues (you won't with Office, but maybe you run something else written to prehistoric standards, like AutoCAD, for example) that keep users from running an app, try to track down the problem and hack registry and/or file permissions until it runs. Methodology for doing this is far beyond the amount of time I'm willing to devote on speculation that this is an issue for you, but post specific questions again in support boards for the software in question, or do a web/usenet search, and you may find an answer.
Good luck!
--
Jeff Vandervoort
JRVsystems
"Andrew Vital" <AndrewVital@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in
message
news:13D77723-0CB2-4D3A-83A1-DB8F640A92C4@xxxxxxxxxxxxxxxx
I've got about 70 workstations I'm responsible for - Mix of XP and 2k on a Domain with SBS2003. I'm looking for a way to minimize downtime (and work for me). Now when a computer goes south I usually back up their data (if the user isn't saving files to their network drive) & Favorites, swap it out with a loaner box (an older machine) and wipe / reinstall Windows, install Office, call Microsoft to activate Office and sometimes Windows as it's already been activated and sometimes won't activate via net - then install any other software - restore their data & favorites and swap it back out to their desk.
Needless to say this is a PITA - never mind if you have 1 or more to do at once. (And it seems as when one person's OS starts acting up others have to act up at the same time to give me more work.)
I've contemplated Symantec Ghost, but know I'd have to set up a sysprep file and I'd still have to call Microsoft to activate Office and perhaps Windows. Also I'd have to keep images specific to machine types as some will need to have drivers configured for them.
I could go on... but are there any proven methods of doing this?
Thanks for any and all suggestions.
Andy
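Added example, not part of the original thread: a small audit of the `[Group Membership]` section that a Restricted Groups policy writes to a GPO's GptTmpl.inf, listing every grant of Administrators or Power Users and whether it is additive ("This group is a member of", the approach Jeff describes for a "QuickBooks Users" group) or authoritative ("Members of this group", which replaces the local group's membership). The domain SID and the RID 1110 standing in for "QuickBooks Users" are constructed sample values.

```python
import re

# Well-known SIDs of the built-in local groups discussed in the thread.
PRIVILEGED = {"S-1-5-32-544": "Administrators", "S-1-5-32-547": "Power Users"}

# Constructed sample of the [Group Membership] section of a GptTmpl.inf;
# the domain SID and the RID 1110 ("QuickBooks Users") are made up.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Group Membership]
*S-1-5-21-1111111111-2222222222-3333333333-1110__Memberof = *S-1-5-32-547
*S-1-5-21-1111111111-2222222222-3333333333-1110__Members =
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *S-1-5-21-1111111111-2222222222-3333333333-512
"""

def parse_group_membership(inf_text):
    """Return {(group, 'members'|'memberof'): [principals]} for the section."""
    entries, in_section = {}, False
    for line in inf_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_section = line.lower() == "[group membership]"
            continue
        m = re.match(r"^(.+?)__(Members|Memberof)\s*=\s*(.*)$", line, re.I)
        if in_section and m:
            group, kind, value = m.groups()
            names = [v.strip().lstrip("*") for v in value.split(",") if v.strip()]
            entries[(group.lstrip("*"), kind.lower())] = names
    return entries

def privileged_grants(entries):
    """List (principal, local group, mode) for every grant of elevated rights."""
    grants = []
    for (group, kind), names in entries.items():
        if kind == "memberof":
            # Additive: the group is added to each listed local group.
            grants += [(group, PRIVILEGED[t], "additive")
                       for t in names if t in PRIVILEGED]
        elif group in PRIVILEGED and names:
            # Authoritative: the local group's membership becomes this list.
            grants += [(n, PRIVILEGED[group], "authoritative") for n in names]
    return grants

if __name__ == "__main__":
    for who, target, mode in privileged_grants(parse_group_membership(SAMPLE_INF)):
        print(f"{who} -> {target} ({mode})")
```

Run against the GptTmpl.inf files of the GPOs linked to workstation OUs, this shows who receives elevated rights through policy; an authoritative entry also removes any local members that are not listed.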