Managing Rights and Permissions for Specific User Types

Regardless of the best efforts of CEOs to create a corporate environment in which every company associate feels like an equal, system administrators know that special groups of users require special management considerations. It follows, therefore, that different strategies for managing user rights and permissions should be adopted to meet the special requirements that some users have. This section will explore some of these strategies as they apply to common user types found in every organization.

Managing Highly Managed Users

Highly managed users might be defined as users who have a very limited set of applications they must run on their workstation to perform their job function. These users typically have a lower level of computer skills than engineers and developers. As such, it is a best practice to limit these users so that it is difficult, if not impossible, for them to make configuration changes to the system that will cause it to work less efficiently or not at all. At the same time, you must be aware of any particular permissions that these users might require in order for their specific applications to run correctly in a limited environment.

BEST PRACTICE: Managing Highly Managed Users

  • Enforce roaming user profiles. This is especially applicable if the user does not have a specified workstation. This way, the user always logs on to the same desktop environment regardless of the workstation.

  • Limit NTFS permissions on the workstation to Read and Execute for this group and enable Folder Redirection. If the user is unable to write to the hard drive, there is less chance for files to be lost or corrupted. The user can still save files to specified server shares. Enabling Folder Redirection on the My Documents folder will save any files to the redirected server share.

  • Limit the icons on the desktop and items in the start folder. This can be done using profiles and group policies. Limiting what a user can click on in the desktop environment to job-specific applications will greatly reduce the possibility of configuration settings being changed inadvertently.

  • Prevent software installation. The software that the users require should already be present on the workstation.

  • Restrict Internet Explorer. Limiting what users can do, and more importantly where users can go, with an Internet browser will greatly improve the stability of the workstation.
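The following PowerShell audit is an added example and is not code from the book; it checks a workstation against three of the practices above (Folder Redirection of My Documents, software installation blocked through the Turn off Windows Installer policy, and no user write access where Read & Execute is intended). It assumes PowerShell 3 or later and that it runs in the session of the user being audited.

```powershell
# Added example, not code from the book: audit a workstation against the
# highly managed user lockdown. Assumes PowerShell 3 or later and that it
# runs in the session of the user being audited.

function Get-RegValue([string]$Path, [string]$Name) {
    # Return $null instead of throwing when the key or value is absent.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name } else { $null }
}

function Test-FolderRedirection {
    # Folder Redirection points the "Personal" (My Documents) shell folder
    # at a UNC path on the server share instead of the local drive.
    $path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'
    $personal = Get-RegValue $path 'Personal'
    [pscustomobject]@{ Check = 'My Documents redirected'; Value = $personal; Pass = ($personal -like '\\*') }
}

function Test-InstallerDisabled {
    # "Turn off Windows Installer" policy: DisableMSI = 2 blocks all installs.
    $v = Get-RegValue 'HKLM:\Software\Policies\Microsoft\Windows\Installer' 'DisableMSI'
    [pscustomobject]@{ Check = 'Windows Installer turned off'; Value = $v; Pass = ($v -eq 2) }
}

function Test-ReadExecuteOnly([string]$Folder) {
    # Flag Allow ACEs that grant ordinary users anything beyond Read & Execute.
    $nonAdmin  = 'BUILTIN\Users', 'Everyone', 'NT AUTHORITY\Authenticated Users'
    $writeMask = [System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl, Delete'
    $offending = (Get-Acl -Path $Folder).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $nonAdmin -contains $_.IdentityReference.Value -and
        (([int]$_.FileSystemRights) -band ([int]$writeMask)) -ne 0
    }
    $detail = ($offending | ForEach-Object { "$($_.IdentityReference): $($_.FileSystemRights)" }) -join '; '
    [pscustomobject]@{ Check = "Users limited to Read & Execute on $Folder"; Value = $detail; Pass = (-not $offending) }
}

# Report: one row per check; Pass is $true when the workstation matches the practice.
Test-FolderRedirection
Test-InstallerDisabled
Test-ReadExecuteOnly 'C:\Program Files'
Test-ReadExecuteOnly $env:SystemRoot
```

Run it under a highly managed user's account after the policies have refreshed; a failing row names the principal and the rights that exceed Read & Execute.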


Managing Mobile Users

Many companies have employees who either frequently travel or are located away from the typical office environment. These mobile users are unique because they usually log on to the company network through a portable computer from different locations over a slow-link dial-up modem connection. Though mobile users differ, both the slow-link connection and lack of local access should be used as the defining qualities for this type of network client.

BEST PRACTICE: Managing Mobile User Rights

Some best practices for managing mobile user rights and permissions include the following:

  • Enable users to log in with Power User rights. Because mobile users have less access to IT support, providing Power User membership for these users will enable them to satisfy many IT needs themselves. For example, the right to create local printers is granted to Power Users by default; this ability is important to the traveling user.

  • Enable software installation. It is often hard to distribute software to mobile users. Providing software on transportable media and elevating the user permissions to install software will keep the mobile computers up to date with software and patches. You can enable the Group Policy setting, Always Install with Elevated Privileges, to accomplish this task.

  • Grant more control over Network Connections. Because mobile users might need to change how they connect to the office depending on their location, enable access to modify network connections. Group policy settings for network connections can be found by navigating in the Group Policy Editor to User Configuration\Administrative Templates\Network\Network Connections.

  • Enable Backup and Restore privileges. If the mobile users are rarely at the office to sync up important files to the network, it is advisable to grant these users the capability to do full system backups and restores.
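As an added example (not code from the book), this PowerShell report shows where the mobile-user rights above actually live on a workstation: Power Users and Backup Operators membership for a given account, and the Always Install with Elevated Privileges policy, which takes effect only when set in both the machine and user policy keys. Because that policy makes every Windows Installer package the user launches run with SYSTEM privileges, the report surfaces it as its own field so it can be reviewed host by host. Assumes PowerShell 3 or later; $Account is a constructed sample name.

```powershell
# Added example, not code from the book. Assumes PowerShell 3 or later.

function Get-LocalGroupMembers([string]$GroupName) {
    # The ADSI WinNT provider works on every Windows version, including
    # Windows 2000/XP/2003 hosts that lack Get-LocalGroupMember.
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/$GroupName,group"
    @($group.psbase.Invoke('Members')) | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    }
}

function Get-RegValue([string]$Path, [string]$Name) {
    # Return $null instead of throwing when the key or value is absent.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name } else { $null }
}

function Get-MobileUserReport([string]$Account) {
    $powerUsers = @(Get-LocalGroupMembers 'Power Users')
    $backupOps  = @(Get-LocalGroupMembers 'Backup Operators')

    # "Always Install with Elevated Privileges" is honoured only when the
    # DWORD is 1 under BOTH HKLM and HKCU policy keys.
    $key  = 'Software\Policies\Microsoft\Windows\Installer'
    $hklm = Get-RegValue "HKLM:\$key" 'AlwaysInstallElevated'
    $hkcu = Get-RegValue "HKCU:\$key" 'AlwaysInstallElevated'

    [pscustomobject]@{
        Account               = $Account
        IsPowerUser           = ($powerUsers -contains $Account)
        HasBackupRestore      = ($backupOps -contains $Account)   # Backup Operators grants backup/restore rights
        AlwaysInstallElevated = (($hklm -eq 1) -and ($hkcu -eq 1))
    }
}

# Constructed sample account name; replace with the mobile user being reviewed.
Get-MobileUserReport -Account 'jdoe'
```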


Managing Administrators for Flexibility and Security

In many companies, the administrators' workstations have no controls in place at all. The accounts the administrators use to log on to the network give them access to control every aspect of the workstation, as well as the servers. Because these accounts have so much power over the network, it is recommended that policies be in place to protect that power.

For More Information...

about delegating administration, see Chapter 4, "Distributing Administration."


The following list provides best practices for safeguarding the administrator account privileges:

  • Provide administrators with standard user accounts. Instead of allowing system administrators to log in with administrative access for day-to-day functions like checking e-mail and editing documentation, create an additional account that has standard security settings. This prevents administrators from making accidental systemwide configuration changes. This also prevents the account's elevated privileges from getting into the hands of malicious users.

  • Use the Run As feature. The Run As feature of Windows 2000 and Windows Server 2003 can be used from an administrator workstation or any network client to elevate privileges temporarily to perform administrative functions. For example, while logged in to a workstation with a user account that has standard user privileges, you can run Active Directory Users and Computers using the Run As command to execute the utility from an administrative account.

  • Use password-protected screensavers. Enforce password-protected screensavers with a short timeout interval on administrator workstations. This protects the workstation from malicious users taking advantage of the administrator's credentials should the administrator be temporarily away from the machine. This setting can be made either through the local policy of the administrator or through Group Policy. This particular setting is found by navigating to User Configuration\Administrative Templates\Control Panel\Display\Password Protect the Screen Saver.
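The following PowerShell is an added example, not code from the book. It checks the first and third safeguards above for the logged-on user (the daily-use account holds no administrator rights; the policy-enforced screen saver is active, password protected and has a short timeout) and shows the Run As practice by launching Active Directory Users and Computers (dsa.msc) under a separate administrative account. Assumes PowerShell 3 or later; the 600-second ceiling and the account name are constructed sample values.

```powershell
# Added example, not code from the book. Assumes PowerShell 3 or later.

function Get-RegValue([string]$Path, [string]$Name) {
    # Return $null instead of throwing when the key or value is absent.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name } else { $null }
}

function Test-DailyAccountIsStandard {
    # The account used for e-mail and documents should not be an administrator.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $isAdmin = ([Security.Principal.WindowsPrincipal]$id).IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)
    [pscustomobject]@{ Check = "$($id.Name) is a standard user"; Value = "admin=$isAdmin"; Pass = (-not $isAdmin) }
}

function Test-ScreenSaverLock([int]$MaxTimeoutSeconds = 600) {
    # Local policy and Group Policy both write the screen saver settings here;
    # the values are REG_SZ strings ("1" = on, timeout in seconds).
    $p = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
    $active  = Get-RegValue $p 'ScreenSaveActive'
    $secure  = Get-RegValue $p 'ScreenSaverIsSecure'
    $timeout = (Get-RegValue $p 'ScreenSaveTimeOut') -as [int]
    $pass = ($active -eq '1') -and ($secure -eq '1') -and
            ($timeout -gt 0) -and ($timeout -le $MaxTimeoutSeconds)
    [pscustomobject]@{
        Check = "Password-protected screen saver, timeout <= $MaxTimeoutSeconds s"
        Value = "active=$active secure=$secure timeout=$timeout"
        Pass  = $pass
    }
}

function Start-AducAsAdmin([string]$AdminAccount) {
    # PowerShell equivalent of:  runas /user:DOMAIN\admin "mmc dsa.msc"
    # The console stays logged on as the standard user; only the MMC runs elevated.
    $cred = Get-Credential -UserName $AdminAccount -Message 'Administrative account for ADUC'
    Start-Process -FilePath 'mmc.exe' -ArgumentList 'dsa.msc' -Credential $cred
}

Test-DailyAccountIsStandard
Test-ScreenSaverLock -MaxTimeoutSeconds 600
# Constructed sample account name; prompts for the admin password, then opens ADUC.
Start-AducAsAdmin -AdminAccount 'CONTOSO\admin-jdoe'
```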



Microsoft Windows Server 2003 Insider Solutions
ISBN: 0672326094
Year: 2003
Pages: 325