General discussion

  • Creator
  • #2130737

    Criteria for Granting Permissions?


    by mbenner ·

    I am a consultant working on a long-term tech project for a small group. The small group (~150 people) has recently moved to Windows 2000 Active Server with primarily Windows 2000 clients. The 3 tech support people have locked us down so tight with security that it has become very difficult to work. No one but the 3 tech support staff has anything other than basic “user” rights on the network–no one has local administrator rights on their own computers. No one can create folders on the file server, nor share folders on their computers. The division managers have not been consulted about what permissions should be given to their staff or what data on the file servers must be secure and what should be shared. In my opinion, the tech staff has run amok, but I am curious as to what the climate is in other organizations.

    What criteria should be used to determine who has what kind of network administrative access? Who should have input in the design of the network organization (organizational units and domains)? What role should network administrators have in determining permissions in an organization? What role should division managers (2nd layer management) have?

    Can anyone direct me to articles or other pertinent sites that address this question?

All Comments

  • Author
    • #3569414

      Planned or Default?

      by nicknielsen ·

      In reply to Criteria for Granting Permissions?

      Was this a planned architecture or did your admins simply do a default install? It sounds like your desktop has the default user profile loaded.

      Anyway, this is my $.02:

      1. You should be allowed to create folders in your assigned space, bothlocally and on the network. The justification (to your admins) is simply that you need to divide your work by subject/content/file type/whatever and folders let you do that.

      2. Local admin on network PCs is a very difficult area to work in. Let’s face it, as a CSE, I am all in favor of locking down the desktop so tight that users might as well only have dumb terminals (makes my job easier, dontchaknow). As an end user, I want the freedom to configure my desktop and local machine the way I want it. The division managers need to get together with IT and determine exactly who needs what.

      3. I am not in favor of sharing files and printers on local machines. IME, the single biggest security hole in most networks is improperly configured Windows shares. In addition, a responsive IT department will create the network shares as required, with a minimum of fuss and bother.

      4. As a consultant, have you talked to your contract monitor/corporate contact about the situation? Pointing out (and justifying) productivity losses because of excessively restrictive network policies may open some eyes and achieve the results you desire.

Viewing 0 reply threads