RUN AS...

Rahim CETINEL

Hello,
I think this is a right place to ask about the problem I face. Here is the
description:

I have a Windows 2000 Domain with 100 clients running Windows 2000
Professional as an OS and around 1000 users that use the machines with
"roaming profiles" having 30 MB of storage at their account profiles, using
these 100 machines from time to time.

The profiles are put on the server on a hidden share with the name of the user account
number, which is actually the student number, and we are using the system to
run for the labs. Client machines have around 5 GB of software installed
on them, having exactly the same configuration. They are part of the domain
and Active Directory. On local machines, I am using both NTFS permissions
and Group Policy to ensure the security of the system. When users log on from
one of the Win2K Pro clients, their profile is downloaded from the server and
they start working. After finishing their job, they log off, causing the
client to upload the profile to the server and delete its local copy.

Well, here is the problem. As most of you know, to run Visual Studio .NET on
a computer one should have the necessary rights for certain directories, most of
them placed under C:\WinNT\ and such. Normally, a user with "read and
execute" rights can run the software and work. From the tests and
experiences, I must give more rights to the normal users to let them debug
and compile their work in Visual Studio .NET, which is equal to
administrative rights. Since I cannot let normal users be in the Domain Admins
group and let the system crash on the 2nd day, I have found a solution. I
created a local account named progrunner in the Administrators group on the local
clients, and asked students to use that account with the RUN AS property of
shortcuts. I have also enabled the "Deny Log On locally" option for the progrunner
account on local machines. But the problem is, the progrunner account can still
log on to the local machine and operate as an administrator. This is a security
threat and cannot be allowed in normal cases, but to make sure that lab
works are done, I am letting it so.

Can you give me a better solution for the case?

Thanks in advance,

Rahim CETINEL
SysAdmin

ps: I can give detailed explanation about the system if you need.
 
Jerold Schulman

You could grant the Authenticated Users Group the same permissions on the files
and registry keys used as the Administrators group has.


Jerold Schulman
Windows: General MVP
JSI, Inc.
http://www.jsiinc.com
 
