Solved

Co-worker security right setting

Posted on 2004-08-03
Last Modified: 2013-12-04
Hi,

I am trying to find answers on setting up user rights in a Windows 2000 domain.

Here is my problem:
I have 4 other co-workers that I work with.
Their job is to set up new computers and to fix them if needed. I am the network admin.
All of the co-workers know the domain admin password and they are in the domain admin user group.

What permissions do I give the other co-workers?
How can I have more control over their accounts but give them enough rights so that they can do their job?

We are running AD

4 co-worker jobs,
1 is a web designer and Exchange tech.
2 users are PC techs and they are assigned to a single department.
1 user is a PC tech who covers the rest of the departments.

Thanks for your time.
Sidney
Question by:SidneyKi

Expert Comment

by:Debsyl99
Hi there,

First you need to plan out exactly what you do and don't want your co-workers to be able to do. You can use many aspects of group policy to restrict or enable access based on user or machine accounts, but prior to implementing any policy you need to be extremely clear about the tasks that each of your workers needs to be able to do and then plan and research the appropriate policy settings. The last thing you or they need is a badly planned set of policies that may prevent them from being able to do their jobs.

Introduction to Windows 2000 Group Policy
http://www.microsoft.com/windows2000/techinfo/howitworks/management/grouppolicyintro.asp

Hope this helps as a starter

Deb :)


Author Comment

by:SidneyKi
Thank you Deb.



I have looked at group policy before. I have the toughest time grasping group policy and trying to get it to work with our agency.

Expert Comment

by:Debsyl99
Hi Sidneyki,

Could you be more specific about the problems that you've had and what you want to do? We may be able to help a bit more.

Deb :))

Author Comment

by:SidneyKi
Hi Deb,

If I can only ask the right questions! lol

Just for a start:
1. How to plan out exactly what I do and don't want my co-workers to be able to do?
   "knowing the choice on what I can enable and disable"

2. So many aspects of group policy! Which one do I choose?
    "how ways to do group policy"

3. How to be extremely clear about the tasks that each of your workers needs?
   "relates back to question one"

4. Where can I plan and research the appropriate policy settings that are easy to read and understand?
   "know how to take group policy and apply it to my agency"

I'm sorry if I sound vague. I am just plain dumb when it comes to group policy. lol


Thanks
Sidney
 

Author Comment

by:SidneyKi
Hi Deb,

Here are some other questions.

5. What are the pros and cons of doing group policy?

6. Are there other ways to do this?

7. How hard is it to troubleshoot when problems occur?

8. What kinds of things go wrong with group policy?

Thanks Again
Sidney

Accepted Solution

by:Debsyl99 (earned 250 total points)
Hi Sidney,

There's a stack of questions with many long answers!

1. How to plan out exactly what I do and don't want my co-workers to be able to do?
   "knowing the choice on what I can enable and disable" - First have a look at the default domain policy - attached to the main domain object through properties - group policy - edit in AD Users and Computers. Have a look there but DON'T change anything until you know what you're doing, as this policy will affect everyone who logs on to the domain, even the admins. Also remember that "not configured" doesn't mean the same as disabled once you've enabled a policy. If you enable a policy then you have to disable it to turn it off - setting it back to not configured won't do it. If you change a policy without being clear you can lock the admin account out too - so be careful.

2. So many aspects of group policy! Which one do I choose? - If you create an OU, then add a policy on it and edit, you can check what you can apply policy-wise at the OU level. This will apply to all users and PCs that you add to that OU depending on what you enable. Make sure you look into the administrative templates too.
 

3. How to be extremely clear about the tasks that each of your workers needs?
   "relates back to question one"

4. Where can I plan and research the appropriate policy settings that are easy to read and understand?
   "know how to take group policy and apply it to my agency"

The best way is to:
Read everything you can in relation to group policy, ask questions here but break them down into specific manageable chunks so the scope of the question isn't too broad. Then experiment with test users in a Test environment - not your live environment!!!! (Can't stress this enough). If you don't have a test environment, check out VMware Workstation; this will allow you to set up a virtual network on a PC separate to your network that you can experiment with. Also don't forget local group policy - you can check out on the client PC (hopefully the virtual client PC) - variations between local and effective settings.


Here are some other questions.

5. What are the pros and cons of doing group policy? - Being clear as to the implications of what a policy will and won't achieve - hence requiring a test environment. Also policies are only effective to a degree in some areas, i.e. not everything you'd like can be achieved through one or more policy settings. Sometimes you need to apply registry hacks as well to achieve what you want - sometimes you just can't do it.

6. Are there other ways to do this? - I'm pure Windows 2000, so I can't really answer this. I would say no, not in the same way, but that doesn't mean you can't be creative in your approach.

7. How hard is it to troubleshoot when problems occur? - It can be very difficult if you don't document exactly what changes you've made. Also you need to be careful with how permissions are set for users so that they can access and apply policies - again test test test - if you get it wrong when you experiment you could potentially lock everyone out of the domain including yourself - big nightmare.

8. What kinds of things go wrong with group policy? Mostly not enough research, not being sure what you're doing and then trying it out on a live system. Read up on it, ask questions here, google for it, then test it - you can always rebuild a test system if the worst happens and the only person who suffers is you and at your leisure, if you know what I mean.

I don't mean to scaremonger - I just hope I got my point across. Group policy and its application is quite a vast topic and I've not covered a fraction of it or the issues here. It can be extremely useful and time-saving to apply changes and settings, logon scripts, startup scripts, registry changes etc. via group policy - you just need to know what you're doing first.

Hope this is helpful,

Deb :))

Author Comment

by:SidneyKi
Hi Deb,


The answers were great and very insightful.
Thank you for taking the time to answer all those questions.


Thanks again
Sidney

Expert Comment

by:Debsyl99
You're welcome :))

Author Comment

by:SidneyKi
Hi Deb,

I had one more question, and it is more of an opinion than a question.

What is a typical way that an IT department is structured, with employees' security in mind?

Example:
Network Administrator has domain admin security full rights.
      PC support person does not have full rights.
            Help desk person has even fewer rights.

Could you translate it into Windows 2000 domain security and Active Directory security?

Thanks
Sidney

Expert Comment

by:Debsyl99
Again, there's no set rule as such and it would depend on the IT department. For example - my IT department unfortunately just consists of me - hence I have an Admin logon that gives me access to everything as I need it.

There are people at head office - i.e. two people who occasionally need to install software on the PCs up there. Hence - they're still only domain users for the domain, but their logon to the PCs allows for full admin rights on those PCs. They can install anything necessary on those PCs, but they still can't do anything with the domain.

Some people have the need to administer their own folders on the servers - hence they have more extensive rights over those folders than other people who perhaps only need read only access.

Our temp admin staff are in their own organisational unit with very restrictive settings - they're not full time staff so we need to restrict what they can do, i.e. they're restricted users on the PC, they're domain users because they need access to certain domain resources, but their OU policy prevents them from using the internet (they don't need to), rearranging various menus, i.e. start, settings on the desktop, too many to mention.

Your first question is what does someone need to do - i.e. install applications locally - they'll need a logon with local admin rights to the machine. Do they need to run backups? Well then they'll need permissions and perhaps be members of the Backup Operators groups. The possibilities are massive, hence they need to be customised. If you don't have a test network, then as I said before - get yourself a beefy PC and install VMware Workstation on it - you can run a virtual Windows 2000 network on it and test as many group policies as you like without harming your network.

Hope this helps

Deb :))
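
The "domain user with full admin rights on the PCs only" arrangement described above, applied to the three PC techs from the original question with the built-in `net` commands. This is an added example, not part of the thread; the domain name AGENCY, the accounts tech1 to tech3 and the PCTech-* group names are hypothetical, and it should be tried on a test network first.

```batch
@echo off
rem Added example. AGENCY, tech1-tech3 and the PCTech-* groups are hypothetical.
rem Usage:  tiers.cmd domain   (once, as a current Domain Admin)
rem         tiers.cmd pc-a     (on each Dept A PC, or as a startup script on its OU)
rem         tiers.cmd pc-rest  (on PCs in the remaining departments)
rem         tiers.cmd demote   (once, after the techs have tested their new rights)

if /i "%1"=="domain"  goto domain
if /i "%1"=="pc-a"    goto pca
if /i "%1"=="pc-rest" goto pcrest
if /i "%1"=="demote"  goto demote
echo Usage: %0 domain ^| pc-a ^| pc-rest ^| demote
goto :eof

:domain
rem One global group per support scope; its members stay ordinary domain users.
net group "PCTech-DeptA" /add /domain /comment:"Local admins on Dept A PCs"
net group "PCTech-Rest"  /add /domain /comment:"Local admins on all other PCs"
net group "PCTech-DeptA" tech1 tech2 /add /domain
net group "PCTech-Rest"  tech3 /add /domain
goto :eof

:pca
rem Full admin rights on this PC only, no rights over the domain.
net localgroup Administrators "AGENCY\PCTech-DeptA" /add
goto :eof

:pcrest
net localgroup Administrators "AGENCY\PCTech-Rest" /add
goto :eof

:demote
rem Take the techs out of Domain Admins, then list who is left.
net group "Domain Admins" tech1 tech2 tech3 /delete /domain
net group "Domain Admins" /domain
rem Everyone knows the current domain admin password: set a new one (prompts).
net user Administrator * /domain
goto :eof
```

Run the `demote` step last, from an account that will remain in Domain Admins, and only once each tech has confirmed they can still set up and repair PCs with their own logon.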


