
Bad planning is an administrative nightmare


ilusv

Technical User
Dec 27, 2003
52
US
I am a newbie & I made a mistake... Hopefully that will give some new people like me a heads-up, and of course I need your help on how to recover.

The issue:

1 Domain Controller with win 2k Adv. server
10 XP clients w/ default domain policy (which means restricted users)

Restricted user machines are what we wanted, due to people installing all kinds of funny software that caused a maintenance nightmare & lots of viruses.

So I was able to lock things down very well, but the flip side is when you have programs like ACT, PageMaker and QuickBooks. Each program needs some special configuration on each machine individually.

Take ACT for example: you have to set special registry permission(s) in order for it to work properly under the restricted user account. I had to do that on each machine physically. (Took a lot of time.)

PageMaker: in order to work correctly, I had to give the Everyone group Full Control on the "Adobe" folder, so it just turned out to be a hassle.

What do you guys suggest?

Should I switch the users to Standard users?
If I switch them, is there a Group Policy that will prevent them from installing software?
What do you guys do? Is there a better workaround?

Thanks in advance & sorry for the long post.
 
Looks like you have discovered the nemesis of many an admin. QuickBooks to me is the worst program to support. It REALLY wants your users to be power users on their machines, and Intuit is the worst to try to get help from on this.

Some things you can do if you HAVE identified the changes that you need: you can create a custom security template with all of your custom security rights in it and then just import the template and configure the security database with that data. This will save you a lot of time. The hardest part is identifying the many keys that QuickBooks and the other apps require. If you manage to identify all of the QuickBooks keys, PLEASE PLEASE PLEASE post them. I'm a consultant and have yet to have a customer willing to pay for the time to do this fully.

In your group policy, you can remove access to the Add/Remove Programs applet, but this is not a full solution.

Let me know if you don't know how to go about making the Security Template or how to import it.

I hope you find this post helpful. Please let me know if it was.

Regards,

Mark
 
In order to get around the QuickBooks nightmare, I set up a designated QuickBooks machine & user. That one user, called "QB", can log in to that machine; that user "QB" has power user privileges. I also locked down that machine using Group Policy; I also put user "QB" in his/her own OU.

This fix seemed to work in this environment (small company), but like you suggested, this will be a nightmare in a good-size environment. I will keep you posted if I ever find a fix or identify the QuickBooks keys.

Is there a way to make the users standard or power users using Active Directory? Since the default is a "standard user", for the QuickBooks machine mentioned above I had to manually add the QB user, using Control Panel > Users and Passwords > User Accounts.

Thank you so much for the detailed explanation, Mark; can you please give me some more info on making the Security Template & how to import it?
 
You can make your custom template by opening up MMC. Add a snap-in and choose to add the Security Templates. You will probably want to open up the standard SecureWS template (secure workstation) and then do a Save As to give it your own name.

From within the template you can navigate down into registry settings and set whatever rights you want. When you are done, save the final template settings.

At this point you can move that template file to another PC. To configure the PC with the settings in this template, open MMC and add the Security Configuration and Analysis snap-in.

Follow the on-screen instructions to make a new database and have it import your new template. When done, right-click Security Configuration and Analysis and choose Configure Computer Now.

If you are looking for a means of identifying all of the registry keys, you can use RegMon from Sysinternals.

As for your question on adding the users to the local Power Users, no, you can't do that via GPO as far as I am aware. You should however do a search in the VBScript Forum for a script that adds a user to the local admin group. This would do the job for you; just change the Administrators group to Power Users.

I hope you find this post helpful. Please let me know if it was.

Regards,

Mark
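
A scripted form of the template-and-import procedure in the post above, as an added example that is not part of the thread. The registry path, working folder and file names are placeholders, and the ACL (Users read/write on a single application key) is an assumption about what an application might need.

```powershell
# Added example: write a security template that sets the ACL on one registry
# key, then apply it with secedit instead of clicking through the MMC snap-in.
# ExampleVendor\ExampleApp is a placeholder; use the keys RegMon shows the
# application writing to when it runs under a restricted account.
$work = 'C:\SecTemplates'                       # assumed working folder
$inf  = Join-Path $work 'app-regkeys.inf'
$sdb  = Join-Path $work 'app-regkeys.sdb'
$log  = Join-Path $work 'app-regkeys.log'
New-Item -ItemType Directory -Path $work -Force | Out-Null

# [Registry Keys] line format: "path",mode,"SDDL"
#   mode 0 = set this key and propagate inheritable permissions to subkeys
#   BA = Administrators, SY = SYSTEM: full control (KA)
#   BU = Users: read + write (KRKW) on this key only, not Full Control
# The single-quoted here-string keeps $CHICAGO$ literal.
@'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Registry Keys]
"MACHINE\SOFTWARE\ExampleVendor\ExampleApp",0,"D:PAR(A;CI;KA;;;BA)(A;CI;KA;;;SY)(A;CI;KRKW;;;BU)"
'@ | Out-File -FilePath $inf -Encoding Unicode

# Check the template syntax before touching the machine.
secedit /validate $inf

# Import the template into a fresh database and apply only the registry area
# (the scripted counterpart of "Configure Computer Now").
secedit /configure /db $sdb /cfg $inf /overwrite /areas REGKEYS /log $log /quiet
if ($LASTEXITCODE -ne 0) {
    Write-Warning "secedit returned $LASTEXITCODE; see $log"
}
```

The same .inf file can be opened in the Security Templates snap-in, and the two secedit lines can be run from a plain command prompt on machines without PowerShell.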
 
Thanks a million Mark; that’s very helpful…. I will test that out soon..
 