How to secure desktops in a Windows domain without adding too much complexity to users?

I was wondering about a solution to keep data stored on desktops in a Windows domain safe from theft. If someone broke into an institution and stole some towers/HDDs, how could one put in some safety measures to make sure password cracking software is not employed to harvest company data? I was thinking of a hard drive password with a BIOS admin password on top of that. The key is to not add a layer of complexity to the users in the domain (Windows Server 2003) that would cause undue distress. Any ideas?
john6216 Asked:

wfcraven12 Commented:
Well I would start by making users store ALL company data on the company network & not their desktops.  If a hard drive were to crash then how would they get their data back?  
0
dinsj Commented:
Whole disk encryption, such as Symantec Endpoint Encryption or PGP encryption, once installed will work in the background without the users having to do anything. Very secure.
0
dexIT Commented:
Scrap the local administrator account so that it cannot be reset using ERD, set a policy with domain admin group to have rights to all local machines, disable local user log on. I also agree with dinsj, I would look into some encryption practices to deploy.
0
conradjones Commented:
As you already have a domain, you should implement a file server. You could use your existing domain controller if you don't have too many users.

Create a share on your file server to house your user home directories, then use Active Directory Users and Computers to assign each user a home directory.

Use group policy to restrict the users' ability to see or write to the C drive.

Use group policy folder redirection to redirect the users' "My Documents" to their home directory.

Implement a backup system to back up the users' home directories.

This is 2 hours' work, and once set up will be transparent to the user; their My Documents will follow them whatever computer they log in to. And if the server is locked away securely you don't have to worry about the desktop computers being compromised; unless they have a user's password they cannot access company data.
0
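A check that the folder redirection described in the answer above has actually left the desktops empty of documents, as an added example that is not code from any poster in this thread. It walks a local profiles folder and reports document files still on the disk; the extension list, the skipped profile names and the sample tree are assumptions constructed for illustration.

```python
"""Added example: report document files still stored in local user profiles."""
import os
import tempfile

# Assumed extension list and built-in profile names to skip; adjust to local policy.
DATA_EXTS = {".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pdf", ".mdb", ".pst", ".csv", ".txt"}
SKIP_PROFILES = {"all users", "default user", "localservice", "networkservice", "public", "default"}


def audit_profiles(profiles_root):
    """Return {profile_name: [(relative_path, size_bytes), ...]} for data files found."""
    findings = {}
    for name in sorted(os.listdir(profiles_root)):
        profile = os.path.join(profiles_root, name)
        if not os.path.isdir(profile) or name.lower() in SKIP_PROFILES:
            continue
        hits = []
        for dirpath, _dirs, files in os.walk(profile):
            for fname in files:
                # Match on extension only; contents are never opened.
                if os.path.splitext(fname)[1].lower() in DATA_EXTS:
                    full = os.path.join(dirpath, fname)
                    hits.append((os.path.relpath(full, profile), os.path.getsize(full)))
        if hits:
            findings[name] = sorted(hits)
    return findings


def build_sample(root):
    """Constructed sample tree: 'alice' still has local documents, 'bob' does not."""
    for rel, data in [
        ("alice/My Documents/budget.xls", b"x" * 120),
        ("alice/Desktop/clients.doc", b"y" * 80),
        ("bob/Application Data/settings.ini", b"z"),
        ("All Users/Documents/readme.txt", b"r"),
    ]:
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for user, hits in audit_profiles(tmp).items():
            print(user, len(hits), "files,", sum(size for _, size in hits), "bytes")
```

On a real desktop, call `audit_profiles` with the machine's profiles folder instead of the sample tree; any profile it lists still holds files that would leave the building with a stolen tower.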