General discussion

Locked

Question about users and permissions

By puterfx ·
I inherited a network consisting of 3 servers (2 Win2000 and 1 Win2003)and 55 desktops (a blend of Win2k Pro and XP Pro with a couple of Win98. Initially, the network was setup as 2 workgroups but then the Win2003 server was promoted to a DC and one of the Win2000 servers is a file server and the other is a FTP server. Before the DC, everybody had full rights to everything (full admin rights). Perhaps that's why I'm here. My challenge is that my background is in Novel and NT, and not Win2003 and AD.

Everything is working pretty smooth but having everyone as Administrator gives me the cold chills. We are running some programs that don't do well unless the users have admin rights, or are given full control, which is a pain to regulate and maintain. There is no uniformity between the systems regarding user accounts. When I look at the hard drives, some have "everyone" with limited control and others have full control. Some have "users" listed, same scenario. Or they may have the users name with full rights or any combination thereof.

I understand that "everyone" may have been set up when the desktop was joined to the domain and is supposed to have limited rights. In the case of it having full rights, can I return it to limited.

When a domain user is given admin rights on a local computer, what are the liabilities to the local computer? ,,, to the domain? (No one else is part of the administrators group on the DC)

What is the difference between t domain "user" and a Domain User?

I have a decent understanding of NDS but have a lot to learn about AD and GPO.

Right now, I just want to start locking the network down and have been reading anything I can get my hands on, but have a ways to go, so any help or suggestions you might have would be greatly appreciated.

This conversation is currently closed to new comments.

10 total posts (Page 1 of 1)  
| Thread display: Collapse - | Expand +

All Comments

Collapse -

WOW What a MESS!!

by cmiller5400 In reply to Question about users and ...

My sympathies for inheriting this disaster. Now on to the show...

As far as the rights on the file system goes, you can use a security template to change those on each workstation. http://support.microsoft.com/kb/318711/en-us is a starting point.

Now to deal with the admin rights... If they are local admins on the machine it will not have any effect(or is that affect???) on the domain. They just have rights to that machine they are assigned to the administrators group on. The liabilities to the computer with admin rights are huge. They can preform ANY function on it. Go with power users and see if that helps with the programs that want admin rights. They have most administrative rights, but not all. Make sure that in AD that you and any other system administrators are the only ones in the domain administrators group. Have atleast one other account that is part of the domain admins group that you can use as a backup incase you loose your password and/or the domain admin password. (by the way that reminds me, you may want to rename that account to something less obvious and change the password in case the admin password on the workstations is the same as the domain one.)

Good luck and the book kit for the MCSE books is an awesome resource. I use it almost daily. http://www.books24x7.com is a good resource too. Their ITpro section awesome and includes the books I mentioned. The only downside is you can not print the material. It is online only. I think I saw on their site that it is about $460 per year for access to the ITPro section. It has a huge selection of books though.

Collapse -

Welcome to Domain FUBAR

by puterfx In reply to WOW What a MESS!!

When I took over, I had 2 situations on the workstations in the domain FUBAR.
1) The user had 2 profiles with local admin rights as either user(local) and user.FUBAR. Both were listed under Computer Management ? Local Users and Groups.
2) I replaced and reinstalled & reinstalled all the programs on 2 new hard drives that had failed. On one I went into the control panes ? users and added a user as a power user (under the domain), but not through MMC so no user.FUBAR showed up. I still had to go into a couple programs and give this profile full control to get them to work. On the other HDD, I just logged in as a user (under the domain) and tried running the programs. I still had some issues and noticed that ?everyone? had limited rights to the programs. When I gave ?everyone? full rights, they worked. If I reverted back to the limited rights and added ?users? to the program, I had more rights but still not enough, until I gave them either full control or modify.

There are only 2 people in the Domain Admin group, myself and a backup guy. I changed the Admin name and the password to something I had to write down to remember and stored that in an envelope at home and gave another copy to my GM. I don?t use that account but it?s available if I need it. I set up 2 other Admin accounts to work with.

Also, the server passwords are different that workstations.

So, it sounds like I?m on the right track. Thanks for sharing your wisdom. By the way, I couldn't get into the books24x7 site above but did get into M$ site.

Collapse -

Sorry about the link...

by cmiller5400 In reply to Welcome to Domain FUBAR

I have fixed it. I am happy with the s's on http's because most of the sites I use are secured. here is the link again http://www.books24x7.com

Collapse -

books online

by mindilator In reply to Sorry about the link...

go to www.pdfchm.com and register with the site. if you don't you will only be allowed to peruse the selection of books (huge) and be redirected to amazon to buy. if you register however you will be allowed to download a .pdf or .chm ebook. these you can print. hope this helps, i know there are tons of books on AD and win2k3 there.

Collapse -

nice site

by puterfx In reply to books online

but couldn't find where to download anything. Thanks anyway, they do have a great selection and decent prices.

Collapse -

do the right thing

by boaz20 In reply to Question about users and ...

Sorry mate, I don?t want to scare you, but its look like you are not qualified to be the System admin of such a network (more than 50 workstations)

I hope you understand that you have a huge responsible as the admin,
And I hope you will do the right thing.

Collapse -

Do the right thing???

by puterfx In reply to do the right thing

And what would that be? Should I run out and get my A+ and MCSE certifications? The clown before me had those plus a couple others ... unfortunately he didn't learn any common sense. I do have my Novel certs and A+ and actually have everything running pretty smooth, thank you very much. I just want to keep it that way. About 50% of my issues stem from user error or lack of understanding so I spend about half my time coaching the users on the finer points of using the software correctly and effeciently (how many IT folks do that?) And, I'm also responsible for the financial aspects of my department so that's another 20-25%. The rest of the time I devote to maintaining the network and doing research. but I do appreciate your concern, and don't worry, you didn't scare me. Besides, I do have a helper if that makes you feel any better.

Collapse -

The right thing

by NickNielsen In reply to Do the right thing???

in this case is to probably ignore him and to remember that Google is your friend.

I've saved myself much embarassment and many flames by Googling my specific questions. In some case, I've even found general information that helps improve my understanding of the system.

Collapse -

Don't Listen to Boaz

by MuddyWaters In reply to The right thing

I agree with Nick, ignore Boaz. I can tell by his language he is from the land of Nothing is Possible. The land of bullies where everything is a problem and its your fault. The whole nation suffers from an "inferiority" complex.

Just ignore him. You can do whatever you set your mind to and I agree with Nick. Google knows all!

Collapse -

A first thought

by sean In reply to Question about users and ...

Hi there,

You definitely have a dilema. My first action would be to create myself a test environment. A dedicated system that has all the required applications with a user/computer account in a test OU that you can change the policies on to make sure you dont break every one else.

One of the things you can do is create a Group that has Local Admin rights to desktops, this should allow them to run applications that require registry and other restricted access.

Once you have the GPO all worked out, then obviously you could migrate users/computers to the required OU's depending on their access requirements.

Good luck !!

Back to IT Employment Forum
10 total posts (Page 1 of 1)  

Related Discussions

Related Forums