my network was set up by a professional who has since had a nervous breakdown and gone awol. I am left to sort out the mess! He has set up our users as administrators and consequently they can see everything on the server. I don't know how to undo this-should I reset them all as power users, users or what? any ideas and idiots guides would be so very greatly appreciated!
Tek-Tips is the largest IT community on the Internet today!
Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!
-
Congratulations Mike Lewis on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!
all users are administrators!
- Thread starter 060159
- Start date
Go to your ADUC and remove the users from the Administrators group. Check the security and share points on your server as well to make sure they're not wide open (i.e. Everyone group set to full rights, etc.)
Users on a network should minimally be Domain Users. They may also need to be members of various other groups depending up any special ACL's you have.
I'm Certifiable, not certified.
It just means my answers are from experience, not a book.
Users on a network should minimally be Domain Users. They may also need to be members of various other groups depending up any special ACL's you have.
I'm Certifiable, not certified.
It just means my answers are from experience, not a book.
- Thread starter
- #3
Actually, this would be a good time to hire someone who already knows how to do it--figure the cost of an expert versus the cost to your business of the server being compromised...
The odds are that anything you do right now could create more worries... but just in case:
[ol][li]make a full backup of the server and verify it.[/li][li]verify it again.[/li][/ol]
Then you have several problems:
[ol][li]userIDs are in wrong groups.[/li][li]users may have built critical work processes around administrator rights.[/li][li]you have to fix it but don't know exactly where.[/li][li]you know there are probably a dozen or more issues left undiscussed.[/li][/ol]
But there are a few "easy" solutions that might help a little (if these sound too difficult, hire a local computer consultant):
[ol][li]Download and install the Microsoft Baseline Security Analyzer (available free from a number of sites and CDs)[/li][li]Run it and start following it's advice. One item at a time. Making backups and verifying nothing broke between each change.[/li][li]Download the Belarc Advisor to let you know what software and patches you have on your system and whether they're correctly installed (as a supplement to the MBSA which requires a certain amount of fiddling).[/li][li]You can always come back here with more questions.[/li][/ol]
JTB
Have Certs, Will Travel
"A knight without armour in a [cyber] land."
The odds are that anything you do right now could create more worries... but just in case:
[ol][li]make a full backup of the server and verify it.[/li][li]verify it again.[/li][/ol]
Then you have several problems:
[ol][li]userIDs are in wrong groups.[/li][li]users may have built critical work processes around administrator rights.[/li][li]you have to fix it but don't know exactly where.[/li][li]you know there are probably a dozen or more issues left undiscussed.[/li][/ol]
But there are a few "easy" solutions that might help a little (if these sound too difficult, hire a local computer consultant):
[ol][li]Download and install the Microsoft Baseline Security Analyzer (available free from a number of sites and CDs)[/li][li]Run it and start following it's advice. One item at a time. Making backups and verifying nothing broke between each change.[/li][li]Download the Belarc Advisor to let you know what software and patches you have on your system and whether they're correctly installed (as a supplement to the MBSA which requires a certain amount of fiddling).[/li][li]You can always come back here with more questions.[/li][/ol]
JTB
Have Certs, Will Travel
"A knight without armour in a [cyber] land."
Click Start, Programs, Administrative Tools, Active Directory Users and Computers.
Expand your Domain. Look in the users container. You shoudl see a listing for Administrators. It will have an icon with two heads. Double click it. Click the tab labeled Members. Select all the ID's you don't want to be members and hit the Remove button.
For your files, right click a folder and choose Properties. Click the Security tab and check what level rights your users have and adjust accordingly. Your users probably just need Read, Write and Modify.
Click the Sharing tab and check out the share permissions. Adjust as needed.
Share permissions and NTFS security permissions combine witht he most restrictive rights taking precedence.
I hope you find this post helpful. Please let me know if it was.
Regards,
Mark
Expand your Domain. Look in the users container. You shoudl see a listing for Administrators. It will have an icon with two heads. Double click it. Click the tab labeled Members. Select all the ID's you don't want to be members and hit the Remove button.
For your files, right click a folder and choose Properties. Click the Security tab and check what level rights your users have and adjust accordingly. Your users probably just need Read, Write and Modify.
Click the Sharing tab and check out the share permissions. Adjust as needed.
Share permissions and NTFS security permissions combine witht he most restrictive rights taking precedence.
I hope you find this post helpful. Please let me know if it was.
Regards,
Mark
Mark,
If you read the postings that 060159 has been making, he doesn't know how to make a group.
I think it might be wiser to let him hire someone to move the users than to diable his company's server and possibly lose sales...
YMMV.
JTB
Have Certs, Will Travel
"A knight without armour in a [cyber] land."
If you read the postings that 060159 has been making, he doesn't know how to make a group.
I think it might be wiser to let him hire someone to move the users than to diable his company's server and possibly lose sales...
YMMV.
JTB
Have Certs, Will Travel
"A knight without armour in a [cyber] land."
- Thread starter
- #7
jtb-thanks for your help and I have hired a firm to come in and sort out the mess, but they cannot come for about a month!!!!! I think I might play and create a new group with users and see what happens-unless you tell me that's a bad idea. Oh,and by the way, 060159 is a she, not a he!
GlenJohnson
MIS
If you don't feel comfortable, hire someone. The time and sleep you save will be worth the money. Good luck.
Glen A. Johnson
If you're from Northern Illinois/Southern Wisconsin check out Tek-Tips in Chicago, Illinois Forum.
Want to get great answers to your Tek-Tips questions? Have a look at FAQ219-2884
Glen A. Johnson
If you're from Northern Illinois/Southern Wisconsin check out Tek-Tips in Chicago, Illinois Forum.
Want to get great answers to your Tek-Tips questions? Have a look at FAQ219-2884
Technet microsoft
Windows 2000 Step-by-Step Guides
How it Works in Windows 2000
Windows 2000 Professional How-to Resources
Windows 2000 Server How-to Resources
Microsoft Solutions for Management
FAQ for Windows
Windows 2000 Active Directory
Windows 2000 Step-by-Step Guides
How it Works in Windows 2000
Windows 2000 Professional How-to Resources
Windows 2000 Server How-to Resources
Microsoft Solutions for Management
FAQ for Windows
Windows 2000 Active Directory
I sugggest that 060159 spend $30 of the company funds and purchase a book on windows 2000 server. I suggest one geared for the 70-215 test by microsoft (you'll see the number on the book). It will take a few days to read, but will give her the information needed to work with the company server and not mess it up. It will contain detailed steps on working with groups in active directory. It will also contain valuable information about other services provided by the server.
If the company doesn't want to spend the money, all the information needed to administer a server is already located on the server. You go to the start button and select "HELP". The information is very detailed and will take longer to go through than a good book, but it does contain everything you need to know.
And why should the company agree to this? Easy. Once you learn it, you become a valuable asset to them. You will also be able to get things done quicker than the month you mentioned to get someone else there.
If the company doesn't want to spend the money, all the information needed to administer a server is already located on the server. You go to the start button and select "HELP". The information is very detailed and will take longer to go through than a good book, but it does contain everything you need to know.
And why should the company agree to this? Easy. Once you learn it, you become a valuable asset to them. You will also be able to get things done quicker than the month you mentioned to get someone else there.
- Status
Similar threads
- Locked
- Question
- Locked
- Question
