Re: Minimum security

From: Lanwench [MVP - Exchange] (lanwench_at_heybuddy.donotsendme.unsolicitedmail.atyahoo.com)
Date: 02/17/04

• Next message: Steven Umbach: "Re: virus"
• Previous message: Eedo: "Re: virus"
• In reply to: Aaron Neunz: "Minimum security"
• Next in thread: Aaron Neunz: "Re: Minimum security"
• Reply: Aaron Neunz: "Re: Minimum security"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

Date: Mon, 16 Feb 2004 22:52:36 -0500

Aaron Neunz wrote:
> I have the domain users group set as local administrators on all of
> my win 2000 pro workstations. Are there any ramifications to this?
> Should I add domain users to the power users group locally instead?

What do the users need to do? If you don't have software that irritatingly
requires local admin rights, make them regular users. Granting users local
admin rights can cause tons of problems (usually because the user doesn't
know what not to mess around with).
>
> Also I am implementing roaming profiles and would like to have the
> tightest security possible (ACL on the roaming profile share as well
> as local computer security user/group configuration) without
> generating any security related errors upon user logon.

For W2k and up, the users will need full control over their profile
directories, and either the user or the domain admin will need to be
"owner". You can take ownership as domain admin, reset the permissions as
you wish if you want to also be able to see the contents - just make sure
that the user account has full control as well as anything else you set. I
usually set the profiles folder up as a hidden share (profiles$) so it isn't
browsable by clients....

>
> Basically authenticated users have full access to the roaming profile
> share and like I said domain users are local administrators. The
> roaming profiles I am using right now are working fine. Just looking
> for some best practices I guess.
>
> Any KB articles or suggestions would be great,
> Aaron

---

• Next message: Steven Umbach: "Re: virus"
• Previous message: Eedo: "Re: virus"
• In reply to: Aaron Neunz: "Minimum security"
• Next in thread: Aaron Neunz: "Re: Minimum security"
• Reply: Aaron Neunz: "Re: Minimum security"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

Relevant Pages Re: Minimum security ... I have not used roaming profiles, but generally users have full control or at ... As far as all users being local administrators, that is not a good idea unless ... > I have the domain users group set as local administrators on all of my win ... (microsoft.public.win2000.security) Re: Roaming user ? Roaming profiles ? ... roaming profiles can achieve this for you. ... yes you can add "Domain Users" to the local admin group of the client PCs ... > My SBS server is a Win 2K SBS. ... > As far as I can see, a domain user has to have an account created on an XP ... (microsoft.public.windows.server.sbs) Re: Minimum security ... >> Should I add domain users to the power users group locally instead? ... >> share and like I said domain users are local administrators. ... >> roaming profiles I am using right now are working fine. ... (microsoft.public.win2000.security) Re: user permission to local drive & roaming profiles ... I've recently swithced to roaming profiles. ... > permission at the client ... ... Is Domain Users a member of Users on the local workstation? ... Are you using folder redirection for My Documents (at the very least - also ... (microsoft.public.windowsxp.security_admin) Minimum security ... I have the domain users group set as local administrators on all of my win ... Also I am implementing roaming profiles and would like to have the tightest ... (microsoft.public.win2000.security)

---

We are proud to have Web Hosting and Rack Housing from 9 Net Avenue Deutschland.
(16)