General discussion

Welcome to domain FUBAR

By puterfx
I inherited a network consisting of 3 servers (2 Win2000 and 1 Win2003) and 55 desktops (a blend of Win2k Pro and XP Pro with a couple of Win98). Initially, the network was set up as 2 workgroups, but then the Win2003 server was promoted to a DC; one of the Win2000 servers is a file server and the other is an FTP server. Before the DC, everybody had full rights to everything (full admin rights). Perhaps that's why I'm here. My challenge is that my background is in Novell and NT, not Win2003 and AD.

Everything is working pretty smoothly, but having everyone as Administrator gives me the cold chills. We are running some programs that don't do well unless the users have admin rights or are given Full Control, which is a pain to regulate and maintain. There is no uniformity between the systems regarding user accounts. When I look at the hard drives, some have "Everyone" with limited control and others have Full Control. Some have "Users" listed, same scenario. Or they may have the user's name with full rights, or any combination thereof.

I understand that "Everyone" may have been set up when the desktop was joined to the domain and is supposed to have limited rights. In the case of it having full rights, can I return it to limited?

When a domain user is given admin rights on a local computer, what are the liabilities to the local computer? ... to the domain? (No one else is part of the Administrators group on the DC.)

What is the difference between a domain "user" and a Domain User?

I have a decent understanding of NDS but have a lot to learn about AD and GPO.

Right now, I just want to start locking the network down and have been reading anything I can get my hands on, but have a ways to go, so any help or suggestions you might have would be greatly appreciated.

6 total posts (Page 1 of 1)

by puterfx In reply to Welcome to domain FUBAR

When I took over, I had 2 situations on the workstations in the domain FUBAR.
1) The user had 2 profiles with local admin rights, as either user (local) or user.FUBAR. Both were listed under Computer Management > Local Users and Groups.
2) I replaced 2 hard drives that had failed and reinstalled all the programs. a) On one I went into Control Panel > Users and added a user as a Power User (under the domain), but not through MMC, so no user.FUBAR showed up. I still had to go into a couple of programs and give this profile Full Control to get them to work. b) On the other HDD, I just logged in as a user (under the domain) and tried running the programs. I still had some issues and noticed that "Everyone" had limited rights to the programs. When I gave "Everyone" full rights, they worked. If I reverted back to the limited rights and added "Users" to the program, I had more rights but still not enough, until I gave them either Full Control or Modify.

by pierrejamme In reply to Welcome to domain FUBAR

As a Novell CNE myself who just had the Windows\Linux guy walk, I can have empathy for you.
I wouldn't worry about giving a user Admin rights to a computer. It is a personal computer, and if they mess it up you know who to blame. It doesn't give them a lick of rights to the Domain.
Remember, in NetWare you had Admin & equivalent as the only users who could damage a network; if you did backups you can always get it back. (Especially in NSS.) Clients with local administrator rights had no rights to the network other than those the Admin or equivalent gave them.
Sorry to say, but most Windows programs run poorly or not at all if the user doesn't have administrator rights to that computer. So you might ask why have anything but administrator? I'm still trying to figure that out.
Just be glad you don't have to try and figure out Debian Linux (command line only) too.

by CG IT In reply to Welcome to domain FUBAR

I'll add this in. The Everyone group literally means everyone, including the neighbors and their pet dog. You don't want to limit the Everyone group in permissions on shared files and folders. What you want to do is create a security group for the shared folder or file and set the permissions for that folder or file that you want. Then add users to the group. Keeping track of what user has what rights is just way too complicated. Keeping track of rights to a group is far easier.

Most people who set up a workgroup use the Everyone group for sharing folders and files. Beats the heck out of trying to figure out how the permissions thing works. When in doubt, or when one can't figure out why someone can't access a shared folder, use the Everyone group.

Domain users have plain old user rights on the domain. Admin rights on the local machine means they have admin rights when they log on to the local machine. They don't have admin rights to the domain.

domain user and Domain User? It's the capital letters. That's the difference. Other than that they look the same to me.

I think if most of your users are in the Domain Users security group, then they don't have a lot of rights on the domain. The most worrisome is the shared resources and files. That needs to be looked at, documented, and decided who gets what and how much they can do. Then make changes appropriately.

Last bit of advice: use security groups in assigning permissions. Only grant necessary permissions. Also, permissions are cumulative, with the most restrictive applying. Don't use Deny. That trumps everything.

by CG IT In reply to

Ah, forgot to add this in about the Everyone group. When you create groups to collect users in and assign permissions, you remove the Everyone group from the list of who can do what. Like I said, the Everyone group literally means everyone. To keep those you don't want to have access out, you remove the Everyone group. Only those in the group listed have permission.

When in doubt, and everyone boos you in the hallway and throws paper wads at you, you can add the Everyone group back in.

by curlergirl In reply to Welcome to domain FUBAR

Further on local vs. domain-level users and permissions. First, you need to understand (and from what you've said, I think you do) the difference between file system permissions and user permissions. The "Windows way" of assigning permissions in a domain is to create NO local accounts, except for the built-in ones, which is basically the local Administrator account and a few others. You then create a domain-level user account for each person and assign that domain-level account to the local security groups to allow access to the workstation by the domain users. Or, you can use domain-level groups and assign them local permissions also.

A word about groups. First of all, there are domain-level groups and local groups. There is a domain Everyone group and a local Everyone group, and they mean different things. Permissions assigned to the domain Everyone group would be applied when connecting to resources on a domain controller, while permissions assigned to the local Everyone group apply only to that particular workstation. This is basically true of all security groups - domain-level group permissions take effect when using resources on the DCs, or when using resources on the local workstation if the domain-level group has been added to a local group.

By default, every time you create a domain user account, it is automatically assigned membership in the Domain Users group (a default security group created when the domain is created) and in the domain Everyone group. This is probably what is meant if you see references to "Domain Users." You can of course also create your own security groups at both the domain and local level. By default in Windows 2000 the Everyone group is granted Full permissions to every domain-level shared resource you create. However, in Windows 2003, the Everyone group by default is only granted Read and Execute share permissions. And oh, BTW, share permissions are separate from NTFS file system permissions. But that's another

by curlergirl In reply to

I always try to keep the local user permissions to the Power User level if possible. As far as allowing users to have local Admin permissions, it's definitely not preferable but sometimes, due to 3rd party programs, unavoidable, as you've found out. The downside is that it makes more likely the possibility of infection by viruses, Trojans, worms, etc., on the local workstation and thereby on the entire domain. Hopefully, however, you have antivirus and antispyware/malware protection provided by software running on the workstations anyway. If not, do that RIGHT AWAY!!!

Right now, what I would be inclined to do would be to go back to the workstation level and change the NTFS permissions on the local hard drives to:

Everyone - Read and Execute
Administrators - Full
Power Users - Modify

Then, wherever you can, put the Domain Users group in the Power Users group, rather than the Administrators group, locally. Power Users have the rights locally to do almost anything but (1) edit the H_Key_Local_Machine registry hive; or (2) install device drivers; or (3) act as part of the operating system (i.e., run services). So, there is some protection there as well if your 3rd party software will allow it. One of the things I've found most often with 3rd party software is that the reason it requires the user to have local Admin rights is that it writes user preferences to the HKLM (H_Key_Local_Machine) registry hive instead of the H_Key_Current_User (HKCU) hive. A trick I've found that works sometimes, if you can identify what exact registry keys the application needs to access, is to give the Power Users group Full Control permissions only to those portions of the HKLM registry hive, instead of putting the users in the local Administrators group.

Well, as you can see, if you asked me I could write a book. Don't ask...

Hope this helps!
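Added example, not written by any poster in this thread: a PowerShell script that audits a workstation's NTFS ACLs for the "Everyone" / "Users" with Full Control situation puterfx describes, can reset a folder to curlergirl's Everyone / Administrators / Power Users baseline, and applies her scoped HKLM-key grant to Power Users instead of making users local Administrators. The folder path, vendor registry key and availability of PowerShell on the workstation are assumptions; it must be run elevated, and the baseline reset is only applied with -Apply.

```powershell
# Added example (not from the thread). Audit NTFS ACLs for write-level grants to
# Everyone / Users, optionally apply curlergirl's baseline, and grant Power Users
# Full Control on one HKLM key only. Run elevated on the workstation.
param([string[]]$Paths = @('C:\Program Files\LegacyApp'),           # hypothetical app folder
      [string]$RegKey = 'HKLM:\SOFTWARE\LegacyVendor\LegacyApp',  # hypothetical app key
      [switch]$Apply)
$FSR = [System.Security.AccessControl.FileSystemRights]
# Any of these bits lets a principal change content, or the ACL itself.
$writeBits = $FSR::Write -bor $FSR::Delete -bor $FSR::ChangePermissions -bor $FSR::TakeOwnership
function Find-BroadGrant {
    param([string]$Path)
    foreach ($ace in (Get-Acl -Path $Path).Access) {
        # Flag Allow entries for Everyone or the local Users group that carry write bits
        if ($ace.AccessControlType -eq 'Allow' -and
            $ace.IdentityReference.Value -match '^(Everyone|BUILTIN\\Users)$' -and
            ([int]$ace.FileSystemRights -band [int]$writeBits)) {
            [pscustomobject]@{ Path = $Path; Identity = $ace.IdentityReference.Value; Rights = $ace.FileSystemRights; Inherited = $ace.IsInherited }
        }
    }
}
function Set-BaselineAcl {
    # Folder baseline from the thread: Everyone R+X, Administrators Full, Power Users Modify
    param([string]$Path)
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $false)   # stop inheriting and drop inherited ACEs
    $acl.Access | Where-Object { -not $_.IsInherited } | ForEach-Object { [void]$acl.RemoveAccessRule($_) }
    foreach ($pair in @(@('Everyone', 'ReadAndExecute'),
                        @('BUILTIN\Administrators', 'FullControl'),
                        @('BUILTIN\Power Users', 'Modify'))) {
        $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
            $pair[0], $pair[1], 'ContainerInherit,ObjectInherit', 'None', 'Allow')))
    }
    Set-Acl -Path $Path -AclObject $acl
}
function Grant-PowerUsersKey {
    # Scoped HKLM grant: Full Control on one vendor key (and its subkeys), nothing else
    param([string]$KeyPath)
    $acl = Get-Acl -Path $KeyPath
    $acl.AddAccessRule((New-Object System.Security.AccessControl.RegistryAccessRule(
        'BUILTIN\Power Users', 'FullControl', 'ContainerInherit', 'None', 'Allow')))
    Set-Acl -Path $KeyPath -AclObject $acl
}

$Paths | ForEach-Object { Find-BroadGrant -Path $_ } | Format-Table -AutoSize
if ($Apply) { $Paths | ForEach-Object { Set-BaselineAcl -Path $_ }; Grant-PowerUsersKey -KeyPath $RegKey }
```

Run it without -Apply first and review the findings; the baseline reset breaks inheritance on the folder, so point it at application folders rather than a drive root.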
