Roaming Profiles & Their Local Security Permissions

Guest

I have 50 XP Pro PCs on a domain and have granted local administrator rights
to all users by placing the Domain Users group inside the local Administrators
group on each PC. This works fine, but the weak link is that there seems no
way to prevent users from looking inside the 'Documents and Settings' folder
locally and viewing other people's profiles and contents. Is there a
straightforward way to achieve the goal of giving users free rein over their
own PC yet keeping the local profiles restricted?
 
Leythos

Graham Bristow said:
I have 50 XP Pro PCs on a domain and have granted local administrator rights
to all users by placing the Domain Users group inside the local Administrators
group on each PC.

BAD Move - don't do it. What technical reason could force you into that
move?
 
Guest

Well, OK, fair enough. If you have 50 power users constantly requiring to
install/uninstall a plethora of programs ranging from SQL based access
control software to mobile phone contact software etc etc etc on a daily
basis, and you don't want to employ extra staff and charge them 40k/annum+
(because they wouldn't pay it) for support, how would you best configure
their workstations?
 
Leythos

Well, OK, fair enough. If you have 50 power users constantly requiring to
install/uninstall a plethora of programs ranging from SQL based access
control software to mobile phone contact software etc etc etc on a daily
basis, and you don't want to employ extra staff and charge them 40k/annum+
(because they wouldn't pay it) for support, how would you best configure
their workstations?

There is little you can do except DELETE the roaming profile - which is
a GP setting you can apply. It means it will take longer to load their
login, but the profile should be deleted when they log out.

For non-development type users, the risk is that they would corrupt/install
something not permitted, or that they would violate licensing, so we
never allow non-development type users local admin permission. If they
want it, it has to be approved by a manager, and the manager has a login
they can use (not their normal one) that the manager can install apps
with.

Local Admin is like being ROOT; you don't want to be it unless you have
to.
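
The GP setting Leythos refers to is "Delete cached copies of roaming profiles" (User Profiles policy). The script below is an added example, not code posted in this thread: it writes the registry-backed policy value that GPO sets, verifies it, and enumerates the local Administrators group so you can see whether Domain Users is still in it. It assumes it runs elevated on the workstation; the domain name CONTOSO is a placeholder.

```powershell
# Added example (not from the thread). Assumes: run as a local administrator.
param(
    [string]$DomainName = "CONTOSO"   # assumed placeholder NetBIOS domain name
)

# Registry location the User Profiles GPO writes to.
$policyKey = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\System"

function Set-DeleteRoamingCache {
    # Same value the GPO "Delete cached copies of roaming profiles" sets:
    # DeleteRoamingCache = 1 (REG_DWORD). The local copy is removed at logoff.
    if (-not (Test-Path $policyKey)) {
        New-Item -Path $policyKey -Force | Out-Null
    }
    New-ItemProperty -Path $policyKey -Name "DeleteRoamingCache" `
        -PropertyType DWord -Value 1 -Force | Out-Null
}

function Test-DeleteRoamingCache {
    $item = Get-ItemProperty -Path $policyKey -Name "DeleteRoamingCache" `
        -ErrorAction SilentlyContinue
    return ($item -ne $null -and $item.DeleteRoamingCache -eq 1)
}

function Get-LocalAdministratorsMembers {
    # Enumerate local Administrators through ADSI/WinNT, which works on old
    # Windows versions that lack the LocalAccounts module.
    $group = [ADSI]"WinNT://./Administrators,group"
    $group.psbase.Invoke("Members") | ForEach-Object {
        $_.GetType().InvokeMember("ADsPath", "GetProperty", $null, $_, $null)
    }
}

Set-DeleteRoamingCache
if (Test-DeleteRoamingCache) { "DeleteRoamingCache policy is set; cached profiles are deleted at logoff." }

$members = @(Get-LocalAdministratorsMembers)
$members | ForEach-Object { "Local Administrators member: $_" }

# The thread's weak link: with Domain Users in Administrators, NTFS permissions
# on C:\Documents and Settings cannot protect one user's profile from another.
if ($members | Where-Object { $_ -like "WinNT://$DomainName/Domain Users" }) {
    "WARNING: Domain Users is in local Administrators; profile ACLs give no protection on this PC."
}
```

Deleting the cached copy only narrows the window: while a user is logged on, another local administrator on the same machine can still take ownership of that profile folder, and anyone with local admin can remove this policy value again. Setting it through the domain GPO rather than locally at least re-applies it at each refresh.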
 
Steven L Umbach

Administrators are all powerful on the computer, obviously. What you could do
is to allow and encourage users to encrypt the folders that they want to
keep confidential. They cannot encrypt their whole profile, but they could
encrypt My Documents, etc. Then you would want to enforce a Recovery Agent
for the domain so that there is a way for users to have their EFS files
accessed in case of a problem with reinstallation or corruption of their EFS
private key. The other reason to enforce a domain RA is to prevent other
local administrators from doing it locally to access a user's EFS files as
the local RA. If you are interested in EFS, be sure to read the link below on
best practices to get yourself started; it contains links to more info on
EFS. Users would also need to be trained to back up their EFS
certificate/private key to a password-protected .pfx on external media for
safekeeping. There could be a situation, such as if the user removed their
computer from the domain and they had a problem with EFS, where they could
permanently lose access to their files.

--- Steve

http://support.microsoft.com/default.aspx?scid=kb;EN-US;223316
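
The three steps Steve describes (encrypt the confidential folder, back up the user's EFS key to a password-protected .pfx, and create a domain Recovery Agent certificate) map onto cipher.exe, which is present on XP and later. The script below is an added example, not code from this thread or from the linked KB article; it wraps those cipher.exe invocations in PowerShell. The paths (My Documents under the profile, E:\ as removable media, C:\RA for the RA certificate) are assumed placeholders. Both cipher /x and cipher /r prompt interactively for the .pfx password.

```powershell
# Added example (not from the thread). Assumes cipher.exe is on the PATH and
# that the user and admin sections are run by the respective accounts.
$ErrorActionPreference = "Stop"

function Test-EfsEncrypted {
    param([string]$Path)
    # The Encrypted attribute is set on EFS-protected files and folders.
    $attrs = (Get-Item -LiteralPath $Path -Force).Attributes
    return (($attrs -band [System.IO.FileAttributes]::Encrypted) -ne 0)
}

function Protect-UserFolder {
    param([string]$Folder)
    # /e encrypts, /s: recurses into the directory. The folder attribute is set
    # too, so files created there later are encrypted automatically.
    & cipher.exe /e "/s:$Folder" | Out-Null
    return (Test-EfsEncrypted -Path $Folder)
}

function Backup-EfsKey {
    param([string]$BaseName)
    # /x backs up the user's EFS certificate and private key to BaseName.pfx,
    # prompting for a password. Keep the .pfx on external media, not on the PC.
    $dir = Split-Path -Parent $BaseName
    if ($dir -and -not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir -Force | Out-Null }
    & cipher.exe "/x:$BaseName"
    return (Test-Path -LiteralPath "$BaseName.pfx")
}

function New-RecoveryAgentCert {
    param([string]$BaseName)
    # /r writes BaseName.cer (import into the domain GPO as the Recovery Agent)
    # and BaseName.pfx (the RA private key; store it offline, never on workstations).
    $dir = Split-Path -Parent $BaseName
    if ($dir -and -not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir -Force | Out-Null }
    & cipher.exe "/r:$BaseName"
    return ((Test-Path -LiteralPath "$BaseName.cer") -and (Test-Path -LiteralPath "$BaseName.pfx"))
}

# --- user side, on the workstation ---
$docs = Join-Path $env:USERPROFILE "My Documents"        # assumption: XP profile layout
if (Protect-UserFolder -Folder $docs) { "Encrypted with EFS: $docs" }

$backup = "E:\efs-backup\$env:USERNAME-efs"               # assumption: E: is removable media
if (Backup-EfsKey -BaseName $backup) { "EFS key backed up to $backup.pfx" }

# --- admin side, once per domain ---
if (New-RecoveryAgentCert -BaseName "C:\RA\DomainEFSRecovery") {   # assumption: output location
    "Import C:\RA\DomainEFSRecovery.cer in the domain GPO under Computer Configuration >"
    "Windows Settings > Security Settings > Public Key Policies > Encrypting File System,"
    "then have users run 'cipher /u' so existing encrypted files pick up the domain RA."
}
```

Two points worth checking after deployment: that the domain policy now lists only the domain RA (otherwise a local administrator can still create a local RA and decrypt), and that users run cipher /u after the policy applies, because files encrypted before the RA was published are not re-keyed on their own.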
 