Roaming Profiles & Their Local Security Permissions


#1  Graham Bristow, 01-05-2006, 04:18 AM

I have 50 XP Pro PCs on a domain and have granted local administrator rights
to all users placing the Domain Users group inside the local Administrators
group on each PC. This works fine but the weak link is that there seems no
way to prevent users from looking inside the 'Documents and Settings' folder
locally and viewing other people's profiles & contents. Is there a
straightforward way to achieve the goal of giving users free rein over their
own PC yet keeping the local profiles restricted?
#2  Leythos, 01-05-2006, 04:18 AM

In article <B3AC913F-D9E3-4907-9E14-59C6B55519EC@microsoft.com>,
"Graham Bristow" <Graham Bristow@discussions.microsoft.com> says...
> I have 50 XP Pro PCs on a domain and have granted local administrator rights
> to all users placing the Domain Users group inside the local Administrators
> group on each PC.


BAD Move - don't do it. What technical reason could force you into that
move?

--

spam999free@rrohio.com
remove 999 in order to email me
#3  Graham Bristow, 01-05-2006, 04:18 AM

Well, OK, fair enough, if you have 50 power users constantly requiring to
install/uninstall a plethora of programs ranging from SQL based access
control software to mobile phone contact software etc etc etc on a daily
basis and you don't want to employ extra staff and charge them 40k/annum+
(because they wouldn't pay it) for support, how would you best configure
their workstations?

"Leythos" wrote:

> In article <B3AC913F-D9E3-4907-9E14-59C6B55519EC@microsoft.com>,
> "Graham Bristow" <Graham Bristow@discussions.microsoft.com> says...
> > I have 50 XP Pro PCs on a domain and have granted local administrator rights
> > to all users placing the Domain Users group inside the local Administrators
> > group on each PC.

>
> BAD Move - don't do it. What technical reason could force you into that
> move?
>
> --
>
> spam999free@rrohio.com
> remove 999 in order to email me
>

#4  Leythos, 01-05-2006, 04:18 AM

In article <C0AEBD5B-721C-46EA-92FA-C447ACCADF3F@microsoft.com>,
GrahamBristow@discussions.microsoft.com says...
> Well, OK, fair enough, if you have 50 power users constantly requiring to
> install/uninstall a plethora of programs ranging from SQL based access
> control software to mobile phone contact software etc etc etc on a daily
> basis and you don't want to employ extra staff and charge them 40k/annum+
> (because they wouldn't pay it) for support, how would you best configure
> their workstations?


There is little you can do except DELETE the roaming profile - which is
a GP setting you can apply. It means it will take longer to load their
login, but the profile should be deleted when they log out.

For non-development type users, the risk that they would corrupt/install
something not permitted, or that they would violate licensing, is such that
we never allow non-development type users local admin permission. If they
want it, it has to be approved by a manager, and the manager has a login
they can use (not their normal one) that the manager can install apps
with.

Local Admin is like being ROOT, you don't want to be it unless you have
to.



--

spam999free@rrohio.com
remove 999 in order to email me
#5  Steven L Umbach, 01-05-2006, 04:18 AM

Administrators are all powerful on the computer obviously. What you could do
is to allow and encourage users to encrypt their folders that they want to
keep confidential. They cannot encrypt their whole profile but they could
encrypt My Documents, etc. Then you would want to enforce a Recovery Agent
for the domain so that there is a way for users to have their EFS files
accessed in case of a problem with reinstallation or corruption of their EFS
private key. The other reason to enforce a domain RA is to prevent other
local administrators from doing it locally to access a user's EFS files as
the local RA. If you are interested in EFS be sure to read the link below on
best practices to get yourself started and it contains links to more info on
EFS. Users would also need to be trained to back up their EFS
certificate/private key to a password protected .pfx to external media for
safe keeping. There could be a situation such as if the user removed their
computer from the domain and they had a problem with EFS they could lose
permanent access to their files.

--- Steve

http://support.microsoft.com/default...b;EN-US;223316

"Graham Bristow" <Graham Bristow@discussions.microsoft.com> wrote in message
news:B3AC913F-D9E3-4907-9E14-59C6B55519EC@microsoft.com...
> I have 50 XP Pro PCs on a domain and have granted local administrator
> rights to all users placing the Domain Users group inside the local
> Administrators group on each PC. This works fine but the weak link is
> that there seems no way to prevent users from looking inside the
> 'Documents and Settings' folder locally and viewing other people's
> profiles & contents. Is there a straightforward way to achieve the goal
> of giving users free rein over their own PC yet keeping the local
> profiles restricted?
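
Added example, not part of the thread: the user-side EFS steps from post #5 (encrypt My Documents, back up the certificate/private key to a password protected .pfx) as a batch file using the built-in cipher.exe. The E:\efs-backup path is a placeholder for external media, the default XP profile layout is assumed, and cipher /x is assumed to be available on the installed service pack.

```batch
@echo off
rem Added example: per-user EFS setup following post #5.
rem Run it as the logged-on user so the files are encrypted to that
rem user's own EFS certificate, not to another administrator's.
setlocal

rem Assumption: default XP profile layout (My Documents not redirected).
set "TARGET=%USERPROFILE%\My Documents"
rem Assumption: E:\efs-backup is a folder on external media (placeholder).
set "BACKUPDIR=E:\efs-backup"
set "BACKUP=%BACKUPDIR%\%USERNAME%-efs"

if not exist "%TARGET%" (
    echo Folder not found: "%TARGET%"
    exit /b 1
)
if not exist "%BACKUPDIR%" (
    echo Backup media not found: "%BACKUPDIR%"
    exit /b 1
)

rem Mark the folder and its subfolders as encrypted (/s:) and also
rem encrypt the files that are already there (/a).
cipher /e /a /s:"%TARGET%"

rem Export the user's EFS certificate and private key to a .pfx file.
rem cipher prompts for the password that protects the file.
cipher /x "%BACKUP%"

rem After a domain recovery agent has been enforced by policy, touch the
rem user's encrypted files so they pick up the current recovery agent key.
cipher /u

rem Show the result: E = encrypted, U = unencrypted.
cipher "%TARGET%\*"

endlocal
```

The .pfx holds the private key, so it belongs on media kept away from the PC, where the other local administrators cannot reach it.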


