General discussion


Dening a dept a standard user logon

By SysAdminTech ·
Here's the scenario, I have a Generic user loggon account for over 500 users.My goal is to diable this account and setup everyone with there own personal log on account, but before I disable this generic acct I need setup every dept with their own personal log on therefore I have to approach eveyone by department. Now...the new user acct will have tight resrictions therefore, Icons will be missing on there desktop ect... once the department is complete with their personal logons, the goal is to prevent that department from using the generic logon again...The reason I can't disable the acct is to prevent over 500 users calling helpdesk due to logon problems.

Does anyone one out there know how I can denie a department from using the generic user account in a windows 2000 platform ?

Just for the record this network was inherited.

This conversation is currently closed to new comments.

Thread display: Collapse - | Expand +

All Comments

Collapse -

Use access controls on files

by stress junkie In reply to Dening a dept a standard ...

Once you have created a user account for everyone in a given department then you lock down that department's files with access controls.

You create a new file share that contains the department's files. You put domain log in requirements to connect to the file share. The 'guest' account cannot connect to the file share. Done.

Your bigger problem is not to alienate the user community. You should consider the customer relations issues involved. Nobody likes change. Nobody like security procedures. You should think about how to sell this new network configuration to the end users before you implement it. I have found that if most of the end users like you then they will go along with your ideas. Just don't surprise anyone. Let people know well in advance that this change is coming, when to expect it, and how it will not really get in the way of them doing their job.

Good luck.

Collapse -

Access control is not the issue

by SysAdminTech In reply to Use access controls on fi ...

The issues is dening the department from using a standard logon.(for example the accounting dept)

I just cant disable the logon acct, because if I do the help desk will be swamped with calls. Once the accounting dept has their own personal logon there's no need for them to go back to the standard logon.

Meanwhile all the other departments should have standard logon rights until I get around to their dept and set them up with their own personal logon.

Thanks for your responce.

Collapse -

Just inform them of the change..

by collins_rf In reply to Access control is not the ...

Set a timeline and a plan. The gist of which being a message stating than individual logon's will go into effect at date_1. This will begin a transitional period and allow for some time to acclimatize to the change. Give it 30 days, or suggest it and flex it for personnel that may not be present. This needs to be passed down through the chain of command so that section heads and supervisors can keep up with and query their personnel on the use of the logons. During the 30 day transition personnel can be allowed to move files to organized locations, if there is indeed a file access issue. Issue weekly notifications to the users indicating T minus X number of days until the generic logons are disabled. On the end date of the transition period issue a mail stating so. After that point if there are still some files floating then those files need to be stowed given a two week grace period can be allowed. The drop dead date is T plus two weeks. Any files not claimed are gone, the generic logon disabled can be eliminated, transition complete.

Collapse -

Hmmmmm Got me thinking here

by SysAdminTech In reply to Just inform them of the c ...

Your suggestion sound pretty impressive. I must put more mind to this and perhaps consider. the wheels are turning.

Thank you for your time and cooperation in this matter.

Collapse -

Access control is the means to the end

by stress junkie In reply to Access control is not the ...

If people in the department being transitioned away from the guest account need their new account to perform their work then they will use their new personal account. It doesn't matter if they log off of the guest account during lunch to surf the web. The guest account will eventually be eliminated. In the mean time they have to use their personal account to access the files and other resources that they need to do their job.

Technically this is a simple problem. Using the accounting department as an example you just do what I said in the first post. You choose a time to transition the accounting department. During normal hours you create the file shares that they will need. These file shares are empty. You create the accounts. Then you announce that you are ready to perform the transition. During off hours you move the accounting files to the new file shares created for the accounting department. The next business day you sit with the accounting department people and walk them through their first log on to their new account - one unique account per user. The accounting department is now done. It doesn't matter if they could still log on to the guest account. The guest account does not have access to the accounting department files. The fact that they must use their new account to perform their work is all that matters.

Don't overthink this. You don't have to deny access to the guest account. You just have to force them to use the new user accounts. Once everyone in the business has their own individual account you can disable the guest account.

Collapse -

This sounds much better

by SysAdminTech In reply to Access control is the mea ...

and your right this is a small issue, and Im not going to think it over. I will start implementing this stratergy at once. Time is running out !!!

Thank you for your time and comments. I will consider this.

Collapse -

Default User Profile

by VirtualGardener In reply to Dening a dept a standard ...

One way to keep the users happy with you would be to save the users profile as the Default User Profile for each machine. That way, when they log on with their new personal domain account, their computer still looks the same as it did using the generic ID. (Shortcuts, screen settings, etc...)

If you are planning to visit every machine anyway, you could do it then, otherwise you might look into using a script like this one posted on another Tech Republic discussion. You would need to change the script to point it at the generic account's profile instead of the "StandardUser" account he is using:

Script to replace Default User Profile
This script is bloody, but effective. It is included in a batch file I run after cloning.

::This script sets up a standard desktop to be a Standard Office image

::Here we delete the default profile
rd /s /q "C:\Documents and Settings\Default User"

::Here we set the default profile to be the Standard Office profile
xcopy /s /h /Y "C:\Documents and Settings\StandardUser" "C:\Documents and Settings\Default User\"

::End of script

Note: Microsoft has a patch for this, but has not released it. You must request it specifically. I haven't tested it myself, so I can't tell you if it works or not.

Original posting:**

Related Discussions

Related Forums