General discussion

Locking Down Users - Knowledge Needed

By tom.day
When I accepted my current position as NT Systems Admin three years ago, I was extremely naive about the problems users can get themselves into; and, as most of the already-existing users had been given Administrative rights to their workstations, I didn't attempt to change that policy.
Fast forward three years.
I just did an internal audit of the software installed on workstations in my company, and the results are appalling. After discussing it with my boss and the fellow responsible for desktop support and the helpdesk, I've decided that we've got to lock down all desktops and laptops.
I'd like to collect information from those of you who have had to do this before or who work in an environment where the users have always been locked down. What increased load can I expect for my helpdesk? Is there a good way to allow laptop users to install their own printers? How do you handle screensavers (can the users pick their own)? In short, tell me everything you know, either on this forum or via email. Looking forward to a lot of responses. Thanks.


All Comments

Don't have to be Netware for ZenWorks

by ged In reply to IF you use Netware...

First I want to add a hearty endorsement to ZenWorks for locking down workstations. We don't use it to the extent I'd like but it's been a huge help.

Also there's the App management features of Zen (and Imaging added in V3). You can save a tremendous amount of time. We'd be sunk without it.

As for the netware issue, I believe you can now install Corporate NDS on a pure NT network and Run ZenWorks. Probably less expensive and can do more than SMS.

I thought as much...

by Packratt In reply to Don't have to be Netware ...

I wasn't sure about that since we are just now starting to research and test out the latest ZenWorks 3.0 and NDS for NT so I didn't want to commit to it being cross-platform or not with just NDS for NT running without Netware...

Thanks for clearing that up!

GO Lockdown!!!!

by Paradox 42 In reply to Locking Down Users - Know ...

I work at a school with +100 computers and many more students. We have locked down the computers and it's very useful. Without it students would destroy our network. Of course policies are stupid to use because of profiles (some profiles can get to +16MB) so we just stripped the reg entries from the templates and modified the registry at logon.
It's truly amazing what you can do with the Windows registry. Oh, by the way, we use Win95/98 and maybe WinME soon. GO Lockdown!!!

What about smart alec users?

by suzanne In reply to Locking Down Users - Know ...

Like you, I am looking at implementing a lock down on desktops at our organisation. I tried using .pol files on the NT server, but we have some users logging in from 2000km away and the overheads were too high. So I used Policy Editor and tied down the machines that way.
However!! I found a couple of smart alecs had realised I was using Policy Editor and used it to undo what I had done. I dropped them from a great height and let them know they were not to do it again, but it does emphasise the limitations of Policy Editor. So now I need to find something else like ZAC maybe?

Locking down Desktop on w95/98

by winnythevaz In reply to What about smart alec use ...

Hi, there is a very good bit of software that does just that, and that is WINSUITE. It saves all the hassle of Registry editing.

Smart alecs should be unemployed

by F.McCourry In reply to What about smart alec use ...

Sounds harsh, but without the support of your superiors and the superiors of the problem users, there are NO policies nor software that will completely solve the problem. Make it understood that unauthorized use of company owned equipment will not be tolerated. Set the ground rules and then make sure that they are enforced.

several options to lockdown

by Dr Dij In reply to What about smart alec use ...

Lockdown front ends mean you don't have to edit your registry; they do it. You can lock down everything from printer drivers and net config, and prevent DOS mode or the Run command, even lock out safe mode. And you can install software simply by typing in a password, unlocking it, then locking back up when done. For $20 it means you DON'T need to tell users they can't do anything. The options to do them simply disappear; Control Panel is simply missing from the menu if you click this. Our one smart alec user couldn't defeat it. They now don't spend hours showing each other how to change screen savers. It can also restore icons to the position they were at on bootup.

by ?ilhouette In reply to Locking Down Users - Know ...

I work in a very large financial institution and how they have got around this is as follows:

They have a standard core build of apps for every workstation wherever it is (there are 25,000 in 42 locations worldwide). These include NT4, SP5, Office 97, Winzip and other "everyday apps"; a screensaver is also included (marquee with "do not turn off" sort of thing).

Users have no admin rights on their machines unless they are developers or IT staff.

All other apps required that are not included in the core build must be scripted and rigorously tested to make sure that they work properly with "core" drivers and OCXs (these cannot be overwritten); otherwise the app cannot be used, or must be piloted by the requestor for a long period of time to ensure it doesn't break any other applications, before it is approved and can be rolled out. This can take up to 2 weeks if the app is a global app, as any region that is distributing it must complete the full test cycle.

All software is distributed remotely by official request only, via SMS.

Laptop users use a similar build but tweaked for laptops. It is very expensive, time consuming to achieve and you need a version of this core build for every type of hardware that your machines have - so better to buy homogenous machines. At the end of the day though it works very well.

Lock 'em up for sure!

by Gonzo In reply to

At my organization we are nearly 100% NT 4.0 with NTFS partitions... and about two years ago we implemented a tight lockdown on our desktops and mobile workstations. Our users have "user rights" only, and we have hacked the registry so the user cannot delete any icons we give them, change the background or change the screen saver. User whining went up about 75% for a short period of time, our support calls dropped 75%, and machines reloaded because of users jacking around with unauthorized software dropped to zero. Win2k can be locked down in a very similar fashion. In my opinion, Win9x and WinME are administrative nightmares due to the lack of security.
