We leave everyone except IT staff as a standard user. We've found that all
non-W2K-compliant apps that require special permissions can be made to work
by setting appropriate ACL entries on files/registry.

We deploy these ACL entries and changes via startup scripts in Group Policy.
We also repackage all software using WinInstall LE so that it can be
deployed using Group Policy. We also use roaming profiles and folder
redirection / synchronization for My Documents.

All that sounds like a lot of work to set up, and it was, but it's actually
been well worth it: all of our users can now log into any machine and have
all their files, applications, and settings available. If they need software
installed, well, they have to go through IT, but we *want* them to do that.
No more Aimster, crash-on-launch screensavers, Comet Cursor, etc. crashing
down our machines and slowing our network.

Of course, we had to get a lot of management buy-in for this, since some
users would feel 'limited' by not being able to install their own software.
But it has enabled us to trim our helpdesk down to one person, and we know we
are 100% legal when it comes to software licensing.

        -ryan-

-----Original Message-----
From: Martin Blackstone [mailto:[EMAIL PROTECTED]] 
Sent: Monday, September 24, 2001 9:36 PM
To: MSWinNT Discussions
Subject: RE: W2K users


Because Mgrs or higher are more qualified to handle their PC? Make em all
admins, or make em all power users.

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of MacDonald, Bruce
(VAN_Exchange)
Sent: Monday, September 24, 2001 7:12 PM
To: MSWinNT Discussions
Subject: RE: W2K users


We are just re-visiting that issue.
Here is what we have so far decided, but this is not written in stone as yet.

1.  Domain admins are separate logins.
2.  Local machine administrator will consist of: Domain Admins, IT staff,
    Principal user if manager or above.
3.  If principal user is not mgr, dept head or director, principal user
    will be power user.
4.  Everyone else is a user.

Also, we intend to use the "Log On Locally" right, and grant it only to a
group containing the members of the department to which the computer belongs.
"Log on from network" will be granted to administrator and power user local
groups only.

Guest accounts are disabled.

Should help contain Nimda-like share exploits.

I have one for you -- How do I programmatically set the "User must change
password at next logon" box?
Reason:
We also want to set password lifetimes of 30 days for some users, 60 for
others.  Domain policy is one-size-fits-all.  

Cheers,
Bruce MacDonald
Manager, Information Technology
Pacific Newspaper Group (Kennedy Heights)
(604) 605-7269 ph
(604) 605-7239 fax
[EMAIL PROTECTED]



-----Original Message-----
From: /dev/null [mailto:[EMAIL PROTECTED]]
Sent: Monday, September 24, 2001 15:08
To: MSWinNT Discussions
Subject: W2K users


I'd like to hear some of the policies that y'all have for determining who
gets "User", "Power User", and "Admin" groups.

Is Power User rarely used?  Or do you use it on just about everyone?

/dev/null
email: [EMAIL PROTECTED]
web: www.BeginThread.com/dev.null


------
You are subscribed as [EMAIL PROTECTED]
Archives: http://www.swynk.com/sitesearch/search.asp
To unsubscribe send a blank email to [EMAIL PROTECTED]
