Minimum security


Aaron Neunz

I have the domain users group set as local administrators on all of my win
2000 pro workstations. Are there any ramifications to this? Should I add
domain users to the power users group locally instead?

Also I am implementing roaming profiles and would like to have the tightest
security possible (ACL on the roaming profile share as well as local
computer security user/group configuration) without generating any security
related errors upon user logon.

Basically authenticated users have full access to the roaming profile share
and like I said domain users are local administrators. The roaming profiles
I am using right now are working fine. Just looking for some best practices
I guess.

Any KB articles or suggestions would be great,
Aaron
 

Steven Umbach

I have not used roaming profiles, but generally users have full control or at
least modify to their profile.

As far as all users being local administrators, that is not a good idea unless
you have a real reason to do such, and if you have to do that I think you are
better off making individual users administrators on just their computers, since
the way you have it right now any domain user can log onto any domain machine
and be an administrator. Usually users are made administrators because they
cannot run applications as a regular user. Administrators however can create local
accounts and then disjoin computers from the domain or log on as a local
administrator to avoid Group Policy. They can also install software and
otherwise reconfigure the computer. Power users have a lot less power than an
administrator, which would be preferable if users cannot do their work as a
regular user. If the problem is running applications, there may be solutions that
involve reconfiguring NTFS/registry permissions to allow the application to work
for regular users. Software publishers may be able to help or you may try to
track down permission problems yourself. -- Steve
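
Added example, not part of the original thread: one way to audit for the condition described above, where a group covering every user sits in the local Administrators group. It parses the text output of `net localgroup Administrators` collected from each workstation; the host names, the CORP domain, the jsmith account and the sample captures are constructed for illustration.

```python
import re

# Principals that cover every ordinary user; compared after stripping any DOMAIN\ prefix.
BROAD = {"domain users", "authenticated users", "everyone", "interactive"}

def parse_members(output):
    """Return the names listed between the dashed rule and the status line."""
    members, in_list = [], False
    for line in output.splitlines():
        line = line.strip()
        if re.fullmatch(r"-{5,}", line):
            in_list = True
        elif in_list and line and not line.lower().startswith("the command completed"):
            members.append(line)
    return members

def broad_admins(output):
    """Local Administrators members that amount to 'all users'."""
    return [m for m in parse_members(output)
            if m.rsplit("\\", 1)[-1].lower() in BROAD]

def audit(captures):
    """Map host -> broad principals, keeping only hosts with at least one."""
    findings = {}
    for host, output in captures.items():
        hits = broad_admins(output)
        if hits:
            findings[host] = hits
    return findings

HEADER = """Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
"""
FOOTER = "The command completed successfully.\n"

# Constructed captures: hypothetical hosts WS01/WS02, domain CORP, user jsmith.
SAMPLE = {
    "WS01": HEADER + "Administrator\nCORP\\Domain Admins\nCORP\\Domain Users\n" + FOOTER,
    "WS02": HEADER + "Administrator\nCORP\\Domain Admins\nCORP\\jsmith\n" + FOOTER,
}

if __name__ == "__main__":
    for host, hits in audit(SAMPLE).items():
        print(f"{host}: broad principals in local Administrators: {', '.join(hits)}")
```

WS02 models the per-user alternative suggested above (one named account as administrator on its own machine) and is not flagged.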
 

Lanwench [MVP - Exchange]

Aaron said:
I have the domain users group set as local administrators on all of
my win 2000 pro workstations. Are there any ramifications to this?
Should I add domain users to the power users group locally instead?

What do the users need to do? If you don't have software that irritatingly
requires local admin rights, make them regular users. Granting users local
admin rights can cause tons of problems (usually because the user doesn't
know what not to mess around with).

Aaron said:
Also I am implementing roaming profiles and would like to have the
tightest security possible (ACL on the roaming profile share as well
as local computer security user/group configuration) without
generating any security related errors upon user logon.

For W2k and up, the users will need full control over their profile
directories, and either the user or the domain admin will need to be
"owner". You can take ownership as domain admin, reset the permissions as
you wish if you want to also be able to see the contents - just make sure
that the user account has full control as well as anything else you set. I
usually set the profiles folder up as a hidden share (profiles$) so it isn't
browsable by clients....
 

Aaron Neunz

Very informative!! We have a Visual FoxPro app that seems to bomb off if
the users are not at least power users.

Thanks, fellas