I inherited a network consisting of 3 servers (2 Win2000 and 1 Win2003) and 55 desktops (a blend of Win2k Pro and XP Pro with a couple of Win98). Initially, the network was set up as 2 workgroups, but then the Win2003 server was promoted to a DC, and one of the Win2000 servers is a file server and the other is an FTP server. Before the DC, everybody had full rights to everything (full admin rights). Perhaps that’s why I’m here. My challenge is that my background is in Novell and NT, and not Win2003 and AD.
Everything is working pretty smoothly, but having everyone as Administrator gives me the cold chills. We are running some programs that don’t do well unless the users have admin rights, or are given full control, which is a pain to regulate and maintain. There is no uniformity between the systems regarding user accounts. When I look at the hard drives, some have “everyone” with limited control and others have full control. Some have “users” listed, same scenario. Or they may have the user’s name with full rights or any combination thereof.
I understand that “everyone” may have been set up when the desktop was joined to the domain and is supposed to have limited rights. In the case of it having full rights, can I return it to limited?
When a domain user is given admin rights on a local computer, what are the liabilities to the local computer? ... to the domain? (No one else is part of the administrators group on the DC.)
What is the difference between a domain “user” and a Domain User?
I have a decent understanding of NDS but have a lot to learn about AD and GPO.
Right now, I just want to start locking the network down and have been reading anything I can get my hands on, but have a ways to go, so any help or suggestions you might have would be greatly appreciated.