Re: User Management
- From: "Mike Webb" <Mike_Webb@xxxxxxxxxxxxxxxxx>
- Date: Mon, 7 Jan 2008 15:08:58 -0600
You're right, of course. I'd better go grow a better spine.
"Lanwench [MVP - Exchange]"
<lanwench@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:e9TupVVUIHA.5132@xxxxxxxxxxxxxxxxxxxxxxx
Mike Webb <Mike_Webb@xxxxxxxxxxxxxxxxx> wrote:
Thanks for the thorough reply.
I threw in the part about them being PhDs as (for me) they are a
different animal.
Heh - no kidding.
They are highly independent workers with certain
program needs for their work. It seems to be a 'pain' for them to
come get me so I can login to their machine, install the program,
give their account full access to it, and log off.
Well, you can certainly do that remotely, but yes, it's a pain. That's why
it should be infrequently needed.
It just got to be
easier to make them Admins of their own computer (only!). I'd like
to somehow bring 'em down a notch to protect the network and their
work.
There's no such thing as a "limited administrator," really.
Find out *exactly* what software they need. Have them email a list to
you - and your manager - and install it in one fell swoop. I can't imagine
they actually truly *need* new installation as often as they think they
do, or "immediately." Your end users shouldn't be dictating this sort of
thing....they should be telling you what they actually need so you can
provide the service efficiently.
"Lanwench [MVP - Exchange]"
<lanwench@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx> wrote in
message news:e4YnYl9TIHA.5288@xxxxxxxxxxxxxxxxxxxxxxx
Mike Webb <Mike_Webb@xxxxxxxxxxxxxxxxx> wrote:
Running SBS 2003 Premium, WSUS, Exchange, ISA 2004, SQL, 2 NICs and
a router, fixed IP, Symantec Corp. AV 8.0, and Symantec Backup Exec
11d. =========================
I'm not really happy with the privileges our users have on their
boxes. I don't know GPMC well,
Group policy is very good stuff for you to learn. GP = group policy.
GPMC - Group Policy Management Console, which makes it easier to edit
policies.
and the staff (most of whom are
Ph.D.s)
Not sure what their advanced degrees have to do with this - I've met
plenty of computer illiterate doctoral candidates. :)
need to be able to install things for their work, etc.
Do they really? Why do they need to install anything regularly? This
is generally discouraged - users really shouldn't have admin rights.
Is
there some guidance or white paper on 'best practices' for locking
down users?
Hmmm ...not that I know of, but much depends on what you want to lock
down. Note that if someone has admin rights, there are many things
you can't control, no matter what.
I feel there must be as I can find so many great
step-by-step how-tos for just about everything else in SBS.
GP isn't an SBS-specific thing....you might try subscribing to
microsoft.public.windows.group_policy and lurk therein to get some
ideas - but here's my list of minimal GPO settings. I normally
create several custom GPOs and link them at MyBusiness, generally.
* Disable computer browser service
* Force classic theme
* Force classic Start Menu
* Display logoff in the start menu
* Enable "Always wait for network at startup and logon"
* Startup scripts to add domain groups to local groups (see below)
* Shutdown script to delete IE temp files for all users
* Disabling offline file caching (my preference....but at least for desktops)
* Folder redirection for My Documents, Desktop, and Application Data (to subfolders of \\servername\users), disabling "grant user exclusive rights"
* Prevent user from changing My Documents path
That's the basic list. It works well. I do not use the Server
Management wizard/checkbox thingy for folder redirection.
I tend to set up AD groups called LocalAdmin, LocalPowerUser, to make
controlling workstation permissions easier. You can also create one
for Remote Desktop access, too - in this case, RDaccess (SBS has
this built in). I don't use restricted groups (they're nice, but
often too restrictive). I set up a startup script as follows (batch
file) ........
rem Startup script: nest the domain groups in the workstation's local groups.
rem Local group names containing spaces must be quoted or 'net' rejects the command.
net localgroup administrators DOMAIN\localadmin /add
net localgroup "power users" DOMAIN\localpoweruser /add
net localgroup "remote desktop users" "DOMAIN\Web Workplace Users" /add
........
When I set up a new user, I often find I need to add their domain
account to LocalAdmin before I log in as them the first time to
customize their profile/install any sw that must be installed by the
user him/herself ...then remove them from the domain LocalAdmin
group on the domain when done. You can create/link a new GPO at the
appropriate OU where your computers live (if you haven't created
custom ones, you'll need to - unless you're using SBS, which creates
its own hierarchy). Edit the GPO - go to Computer Configuration \ Windows Settings \ Scripts (startup/shutdown)
Double-click Startup, click Add
Copy the batch file you created to the clipboard, then paste it in
the window here
Exit/apply/ok/finish whatever
All the computers in this OU should have the startup script applied
when they restart, and you can now control all this at the server.
I still say users should be users, period, unless you need to install
something *as* the user or test something.
Many thanks in advance!
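The thread's approach relies on remembering to take a user back out of LocalAdmin once their software is installed. The following PowerShell script is an added example, not code from the thread or from SBS: it lists each workstation's local Administrators group through the WinNT ADSI provider (which works against XP/2003-era clients) and flags any member outside an approved list, so leftover one-off grants show up. The domain name DOMAIN and the group name LocalAdmin are assumptions taken from the thread; adjust them to your environment.

```powershell
# Added example (not from the thread): audit local Administrators membership on
# one or more workstations and report members that are not on the approved list.
# Assumptions: domain is DOMAIN, approved nested group is DOMAIN\LocalAdmin.
param(
    [string[]]$ComputerName = @($env:COMPUTERNAME),
    [string[]]$Approved = @('Administrator', 'DOMAIN\Domain Admins', 'DOMAIN\LocalAdmin')
)

function Get-LocalAdministrators {
    param([string]$Computer)
    # WinNT provider: RPC-based, works on clients long before Get-LocalGroupMember existed.
    $group = [ADSI]"WinNT://$Computer/Administrators,group"
    foreach ($m in @($group.psbase.Invoke('Members'))) {
        $path  = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        $class = $m.GetType().InvokeMember('Class',   'GetProperty', $null, $m, $null)
        # WinNT://DOMAIN/LocalAdmin -> DOMAIN\LocalAdmin, WinNT://PC1/Administrator -> PC1\Administrator
        $name = ($path -replace '^WinNT://', '') -replace '/', '\'
        # Report local accounts by bare name so 'Administrator' matches on every machine
        if ($name -like "$Computer\*") { $name = $name.Substring($Computer.Length + 1) }
        [pscustomobject]@{ Computer = $Computer; Member = $name; Class = $class }
    }
}

$ComputerName | ForEach-Object {
    $pc = $_
    try {
        Get-LocalAdministrators -Computer $pc | ForEach-Object {
            # -contains is case-insensitive, matching Windows account name semantics
            $_ | Select-Object Computer, Member, Class,
                @{ n = 'Approved'; e = { $Approved -contains $_.Member } }
        }
    } catch {
        Write-Warning ("{0}: {1}" -f $pc, $_.Exception.Message)
    }
} | Where-Object { -not $_.Approved } | Format-Table -AutoSize
```

Run it from the server with a list of workstation names (for example `.\Audit-LocalAdmins.ps1 -ComputerName PC1,PC2`); an individual user account in the output is a grant that was never cleaned up.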