Security Policy

Tim Scott

Currently all my users are in the Domain Admins group for
a Windows 2k Server Active Directory environment. When I
remove them from the Domain Admins group the users are not
able to print, open files, and they lose their whole
profile. I have not set any security policy nor have I set
a group policy. Why is this happening? Obviously I need to
take them out of the Domain Admins group and only have
them in the Domain Users group.
 
> Currently all my users are in the Domain Admins group for
> a Windows 2k Server Active Directory environment. When I
> remove them from the Domain Admins group the users are not
> able to print, open files, and they lose their whole
> profile. I have not set any security policy nor have I set
> a group policy. Why is this happening? Obviously I need to
> take them out of the Domain Admins group and only have
> them in the Domain Users group.

First, you have to establish a strategy for granting users access based
on groups. One of the most common is A G DL P: put (A)ccounts into
(G)lobal groups, put Global into Domain Local, and grant permissions to
the Domain Local group on the resources.

The reason users can't access resources is that they don't have the
necessary permissions. Domain Admins is granted extensive permissions by
default. Put them into meaningful groups and grant these groups
appropriate NTFS and Share permissions.

As for the profiles, are you using local or roaming profiles? The user
is always granted NTFS:FC on his profile regardless of group membership,
so this shouldn't be a problem. What specific error do you get? "Lose
their profile" is quite general; what exactly do you mean by that?

HTH
--
Cheers,
Marin Marinov
MCT,MCSE 2003,MCSE:Security 2003
-
This posting is provided "AS IS" with no warranties, and confers no
rights.
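
The A G DL P layout described in the reply above, as an added example that is not part of either post, written as commands for a domain controller's command prompt. The domain name CORP, the account jsmith, both group names and the folder D:\Data\Sales are hypothetical placeholders.

```bat
@echo off
rem Added example. CORP, jsmith, GG_Sales, DL_Sales_Change and
rem D:\Data\Sales are hypothetical names, not taken from the thread.

rem (G) Create a global group that describes who the users are.
net group GG_Sales /add /domain

rem (A) Put the user account into the global group.
net group GG_Sales jsmith /add /domain

rem (DL) Create a domain local group that describes one level of access
rem to one resource.
net localgroup DL_Sales_Change /add /domain

rem Nest the global group inside the domain local group.
net localgroup DL_Sales_Change GG_Sales /add /domain

rem (P) Grant NTFS Change on the folder tree to the domain local group only.
rem /E edits the existing ACL instead of replacing it, /T recurses.
cacls D:\Data\Sales /T /E /G CORP\DL_Sales_Change:C

rem Share permissions for the same domain local group are set on the
rem share's Permissions dialog; no command for that is shown here.

rem Review the resulting ACL and group memberships before changing anything else.
cacls D:\Data\Sales
net localgroup DL_Sales_Change /domain
net group GG_Sales /domain

rem Last step, once access through the new groups has been confirmed:
rem take the account out of Domain Admins.
net group "Domain Admins" jsmith /delete /domain
```

Group membership is evaluated at logon, so the user has to log off and back on before either the new groups or the removal from Domain Admins takes effect.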
 