Security Profile W2K: >Power User<

By Martin Glueckmann
We are about to roll out W2K (engl) on a global basis to several thousand workstations.
Our servers will stay on NT4, so we will not use Active Dir etc. at this time.

Especially our home-office-based laptop users will need a more 'open' security approach, as they have to be able to install printers, etc.
The question is:
Can anybody recommend the security profile settings we should use for those users?
We clearly don't want to make anybody Admin on their local machines, but the Power User Group security is still too restrictive.
I would appreciate getting an Excel list showing which options need to be checked for a 'Super Power User Group' that can:
Install printers
Install i.e. missing parts of MSOffice from the standard distribution share on the network
Update Virusscan files
but
NOT install games, crap, you know what...
(maybe allowing ONLY installs from a dedicated network share, to secure the base installation)...
NOT be able to change pre-set directory schemes (stay within My Documents)...

Many thanks for a quick reply.

Martin.Glueckmann@Monsanto.com
IT Mgr Germany

by sdbytnar In reply to Security Profile W2K: >Po ...

You'll want to look at global policies most likely. An Excel spreadsheet listing the available settings is available at

http://138.87.87.6/sdbytna/4-horsemen/Windows2000/Docs/Change%20and%20Configuration%20Management%20Deployment%20Guide/Group%20Policy%20Settings.xls

Sean

by Martin Glueckmann In reply to Security Profile W2K: > ...

The answer was pointing to an empty Excel sheet with all possible security options, but it did not help with the main part of the question: which are the options to be set for/withdrawn from users to allow the described functionality?
Martin Glueckmann

by Curacao_Dejavu In reply to Security Profile W2K: >Po ...

re: We clearly don't want to make anybody Admin on their local machines, but the Power User Group security is still too restrictive
Answer: higher than power user but lower than administrator is not possible. That's why MS made the groups. The only option that may work is to 1. create an account, 2. in the local policy rights, give that account the right to do what you want. Problem: 1. will be a lot of work on 1 computer, 2. will be impossible to duplicate accurately on the number of laptops that you have.
By bypassing the groups made by MS you are going to give your helpdesk a lot of work, since the owners of the laptops may change hardware and software configurations and inadvertently cause problems on the laptop.

Regarding the installation issue:
It's simple: you give them rights to install or you don't give them rights.
The msi file doesn't work the way you described (point of installation doesn't matter).
You can assign a home folder to the users and make that their default folder, but you cannot make that the only option (unless in the whole My Computer you restrict access to the C, D and A drives, but you don't want to do that).

As you can see, you will have to choose between power users and administrators.
regards,

Leopold

by Martin Glueckmann In reply to Security Profile W2K: > ...

Thanks for your answer.
Unfortunately it seems I am asking somewhat 'impossible'. But I am convinced that there is something between Black and White. Just following the MS pre-set group policy is not the desired solution...
best regards,
Martin

by istal In reply to Security Profile W2K: >Po ...

Your question is not specific enough. The answer you want is specific to one machine only; another machine will expect another answer.


All best.

by Martin Glueckmann In reply to Security Profile W2K: > ...

Sorry, I don't think the problem is bound to specific machines. In a huge organisation there should be some kind of standards. Sometimes they might be restrictive for some users, but preventing them from 'scrambling' their PCs should not only ease their lives but also those of our help-desk. Anyhow, those PCs are company property; if someone wants to put games, etc. on them, they should buy a 'personal' computer.
best regards,
Martin

by estebandelatorre In reply to Security Profile W2K: >Po ...

Hi Martin, my answer will not be a standard one but may be an outstanding solution, which may require more setup than expected for your laptops.
The highest secure rights level will be USER, so why not use it?
How to deal with printers?
Method 1.- Install locally as many printers as you may need. This will let users print when out of the network.
Method 2.- When users are in the net: set all printers under the print server method. This will allow the user to have the drivers locally installed once they have at least print permissions.
Method 3.- Look at the bottom.
How to deal with shares?
Use the folder redirection option in Windows 2k, which allows you to set c:\my documents as the only place to save documents and REDIRECT it to a network share drive or user home directory.
How to deal with pirated software?
Since the user has local user rights, he will not be able to modify the registry, change any DLL under the system subdirectory, etc., etc.
How to deal with an app which needs to change the registry?
Change the user's permissions (under the regedit.exe editor) on the key which the user is trying to change. This might be a never-ending story unless you have your application well documented!
How to deal with auto-installed applications and missing parts?
Set up an IntelliMirror server in your network. This is included in W2K, and will let you make "images" of applications that you may associate with users. Once the user has access to the new IntelliMirror application, the application will get auto-installed (this runs with a service account) and will fix any damaged part of any application.

Hope it Helps!!!

by Martin Glueckmann In reply to Security Profile W2K: > ...

Thanks for your input!
Especially the IntelliMirror approach is solving the issue of keeping SW installs by users to a minimum and takes away the necessity to give them more access rights than usually needed.
Martin

by hypersoniq MCSE In reply to Security Profile W2K: >Po ...

Not getting enough info about the business model from the question.
Based on info given, I would guess there are several offices...Create these as OUs (Organizational Units), you can enforce group policy, specific to each OU, if needed.
For the printers, I would guess that each office would have a manager, assign the managers to the built in "PRINT OPERATORS" group (this is a Domain-Local group giving the members the ability to set up and manage printers on domain controllers)
Don't forget about using Windows Installer for the software updates, you can do that centrally and then be assured nothing goes into the system that you don't want there.
The home based users will be printing to their local printers anyway, anything you need to administer there can be dealt with in the Routing and Remote Access Console. You can give the laptop users Roaming User Profiles.
Creating a Super Power Users group may just give away more authority than you intended.

by Martin Glueckmann In reply to Security Profile W2K: > ...

Thanks for your input.
The OU approach is not yet feasible for us (as servers stay on NT4 without Active Directory structures).
I will try to concatenate my solutions from all others plus your input and try to tackle the problem with those insights.
Martin
