General discussion


Locking Down Users - Knowledge Needed

When I accepted my current position as NT Systems Admin three years ago, I was extremely naive about the problems users can get themselves into; and, as most of the already-existing users had been given Administrative rights to their workstations, I didn't attempt to change that policy.
Fast forward three years.
I just did an internal audit of the software installed on workstations in my company, and the results are appalling. After discussing it with my boss and the fellow responsible for desktop support and the helpdesk, I've decided that we've got to lock down all desktops and laptops.
I'd like to collect information from those of you who have had to do this before or who work in an environment where the users have always been locked down. What increased load can I expect for my helpdesk? Is there a good way to allow laptop users to install their own printers? How do you handle screensavers (can the users pick their own)? In short, tell me everything you know, either on this forum or via email. Looking forward to a lot of responses. Thanks.


PhotoShop 5.5 problems

by alee100 In reply to Locking Down Users - Know ...

I work at an Engineering firm where a lot of the users use PhotoShop 5.5. If any of your users use it, expect problems unless they are local administrators. The problems we have seen run from printing to saving.
Good Luck


Me too

by rafaeldelcastillo In reply to PhotoShop 5.5 problems

I really feel your pain. I am the NT/MIS guy here at our shop. Almost 100% of my users have never been stopped from doing anything. The sad part is that for a big part of them, I can't lock out their machines because they are engineers or techs that need to load industry-specific software. There is no way that I can keep up with all their software upgrades and idiosyncrasies. What I have started to do is to lock down the task users first. I usually just make them users on their workstations, but I load cool screen savers and wallpaper for them so they can play without them getting stuff that might be bad.

With the engineers, I've tried to get only a couple of them to do the installs; this limits the number of people that can do damage.

I've also installed Terminal/Citrix for accounting and other database needs. I intend to enlarge that type of install for as many as possible. If a machine goes south because of software, they can still get their work done if it is on Terminal/Citrix.

Don't count on anybody being virus savvy either. No matter what you tell them or warn them about, a few are still going to screw up. I put virus scanning before the email server so the emails get scanned before they even get to the email server. I load virus scanning on their workstations and on the servers. This is all part of locking things down.

It is not a foolproof plan, but it is a plan.

me too in GRMICH


Locking down

by twhaight In reply to Locking Down Users - Know ...

If your users have Win 95, 98, or Me, there is no security. If you put on Windows NT workstation, then you can set them up with no admin rights. Then all they can change to their configuration is their desktop.

You would have to give the Helpdesk staff access to this admin group in order to install software. They will have to do all installs, but it beats having to go back numerous times to fix a corrupted OS when the user downloads the latest beta software or that shareware program that contains a trojan horse that infects your entire network.


Desktop which is with Windows 2000

by dan.klemann In reply to Locking down

It is very easy to lock out users with Win2k as a desktop. The local machine admin password is changed and the user does not know it. The user can operate as a power user which will allow software install (msi) but not drivers. A user can be given admin rights with suproxyclient or satscram the machine password and give it to the user.


Lock Down and Helpdesk

by jkelly In reply to Desktop which is with Wi ...

After you lock down your users, you will experience an immediate increase in helpdesk calls. Be prepared. The helpdesk staff must have detailed instructions on what they can and cannot do for users. You will need support from your boss so there is no misunderstanding. We have policies in place for the laptop users, which they must sign before we issue the laptop. Since they are allowed to take the laptop out of the office, they have access to the hard drive when they are away from the network. The bottom line ... if they damage the OS configuration, we reimage the laptop to firm standard. We do not rebuild their non-standard applications and setups. You will need policies or guidelines BEFORE you start the lock down process. You will also need additional assistance on your helpdesk.



by elfer In reply to Desktop which is with Wi ...

We are migrating to W2k and are locking down all the PCs with help of the policy manager in W2K. It works great as long as you "test" your policy on a PC and make sure the workers can still do their job. The "key" to a successful lockup in my opinion is to "disable" the ability to install software, PERIOD. That's where most problems arise. We allow each user to modify their desktop to a certain extent, but they have little rights other than running authorized software and we also take away (for most) the right to see the hard disk, which forces them to save all their critical data to a network share, which makes backing up data very nice and easy. Support calls have gone DOWN since then. Life's good!


User Levels

by Wazzah In reply to Lock'em!

It is important to maintain Network standards and stop users "shooting themselves in the foot". My experience has been that there are only a few users in the company who actually know what they are doing on a computer outside of using their main piece of software. However, for groups where their development needs/skills are higher it is vital to grant administrative access. I work for a large Telco and certain groups of people who have sufficient skill sets are granted Administrative Passwords on the NT machines if applied for by their manager who also certifies that the users will pay the consequences of their actions if it corrupts the machine.
This system works wonderfully because you don't have the same users phoning every second day to have something changed, and their work is much more expedient.


Win NT Lockdown

by jstarrett In reply to Locking down

I work for a company that has approx 3000 Win NT machines. ALL users have User rights, that means they can change the desktop but not install anything that has an impact on the registry. We have added an administrative group on the PC that gives us local admin rights. We have very few issues with users adding things they shouldn't or updating the software from the internet because they don't have the rights.


Lock down

by Andrew.Brown In reply to Locking Down Users - Know ...

I work in an organisation with about 2000 Win95 machines. We have restricted access to many things such as Network Neighbourhood, System shortcut in Control Panel, Desktop background and screensaver for a few years now. Policy says that software and drivers must be installed by a member of our IT Department, helps to keep an eye open for unlicensed software. We have avoided several things which have actually reduced our number of support calls. No viruses from downloaded screen savers, active desktops, etc. We had a lot of space taken on the servers storing downloads of screensavers etc. which is no longer an issue. We get fewer calls because of users installing wrong drivers, messing with the System hardware setup etc. We are now considering making a few items of freeware/shareware available from our Intranet as downloads, such as Winzip, because users seem to download and install them anyway; at least that way we can virus check the download first. So the word is LOCK DOWN THAT DESKTOP; it will cut down on support calls and not increase them. By the way we use Poledit for the lockdown.



by parsonsac In reply to Locking Down Users - Know ...

To lock down or not to lock down, that is the question. I must admit to reservations about being too strict in the locking down of NT desktops. Yes, there is a great deal of merit in limiting the amount a user can do to change her desktop environment, but I remain, however, to be convinced that the solution lies in physically limiting what a user can do.

The dynamic of a modern office is such that there is now a great deal of movement of users as they are replaced, promoted etc. This can place intolerable loads on already understaffed and busy support units and adds to lead times between fixes becoming unacceptable.

It would be far better that the senior management of the company lay down strict policies on what a user may or may not do. I know it sounds mean but all users should be told that the installation of anything other than software authorised by the IT department is a disciplinary offence and WILL be enforced by senior management.

Any user who then installs unauthorised software and/or is caught messing in areas where they shouldn't should be left in no doubt whatsoever that they are in real danger of losing their employment.