NTFS Permissions on Local Machine under Domain Account

Status
Not open for further replies.

spelk

IS-IT--Management
Oct 16, 2008
21
GB
I'm hoping someone can explain what's happening, or advise on the best practice here.

We are migrating a number of PCs to a Windows Network, and previously software has been installed under the Administrators account of these Windows XP machines. Users' files were also saved under the Admin account.

After joining the PC to a Domain, and the user logs into the Network, there seems to be some permissions issues with not only software but also file access.

What I don't understand is when the machine is added to the domain, what determines the areas that the user can access and write to on the local machine?

Is this controlled via Group Policy? Or do I have to assign NTFS access to the software and users files manually?

Some software autoupdates, like Thunderbird/Firefox, do I have to add extra access to the software's directory to enable a Domain account to perform these updates without having to send IT staff to them to "Run As" with Administrator privileges?

This is going to be a big concern if whilst 'locking' these machines down with Domain accounts, we're going to hit many access and software updating problems.

I think I'm uncertain as to how adding a machine (which has always run under admin privileges) to a Domain, and having users log in under Domain accounts affects their abilities to work with files on their hard drive, and how it affects software updates.

Do Admins have to tweak these access permissions on a group basis, or at the software level?

Any help would be very much appreciated.
 
Essentially it's all NTFS permissions.

From my experience it's a complete nightmare dealing with restricted permissions and software. I used to work in a company where AutoCAD was deployed out to a group of users, when I tidied up and removed local admin privs I found that CAD wanted permissions on certain c:\windows\ folders and some registry areas.

Imo too few software companies prepare their software to work with minimum Windows permissions and managing it is a nightmare for sys admins.

Fortunately I've moved on and am now in a small company where giving local admin privs isn't an issue, in fact it's required for 90% of users due to the nature of their work so I don't need to worry about it.

 
Get a test PC with everything on it. Create a test user who is the lowest of the low permissions wise (don't give it anything except logon rights). Launch every application as this user and find out what you need to run.

Group policy those permissions to either all users or the users that need that access.

Or add the users that need it to the power users group. I sometimes find power users is a little too unrestricted for my uses but it is all situational.

In some environments (call centers) it pays to have fine tuned permission levels that give the users exactly what they need to work and nothing more.

Finance users appreciate the power user permission set for the freedom it gives them with certain addins. Also finance users tend to be fairly reserved when it comes to installing unauthorised software.

Marketing people need to be able to install all kinds of tools and things, do you really want to be making all of those changes or should you give them admin rights to do it themselves and monitor the PCs (using a script or something) to ensure there is nothing too sketchy on there. Or give them Macs and tell them to sort themselves out.

Operations teams can usually be given very tight permissions and also tend to mess with stuff a lot so it helps to prevent them from doing so.

IT team all admin on their own machines and read access to everything (except business critical and confidential files) this way they can learn their way around the systems and it pays to give that ability to your IT staff.

All of this is situational.

Really you need to evaluate your departments and users and group them in the most simplistic way possible.

The last thing you need is a support team spending all their lives micromanaging permissions and users due to hundreds of tiny requests.

IMO set your permissions to restrict what they don't need, add a little give for what they might need and everything they need to do their jobs.

PS I am all for giving users 'Almost' full internet access and checking the reports against the IT policies to ensure nothing is out of line.

As I said all of this is situational and you need to find what will work for you and your business. Consider this just a few ideas to guide you.
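
An added example, not part of any post in this thread: one way to support the test-PC approach above is to read the NTFS ACL on each application folder and report which ones a low-privilege group cannot write to, so grants can be targeted at self-updating software instead of handing out broader rights. It assumes PowerShell is installed on the test PC; the folder paths and the group name are assumptions, and only ACEs that name that group directly are checked, not access gained through other group memberships.

```powershell
# Added example (not from the thread). Folder paths and the group name are assumptions.
$Identity = 'BUILTIN\Users'
$AppDirs  = @(
    (Join-Path $env:ProgramFiles 'Mozilla Firefox'),
    (Join-Path $env:ProgramFiles 'Mozilla Thunderbird')
)

# WriteData = permission to create files in a folder. The two generic bits
# (GENERIC_WRITE, GENERIC_ALL) are not named in the FileSystemRights enum
# but can appear as raw values in an ACE.
$WriteBits = [int][System.Security.AccessControl.FileSystemRights]::WriteData -bor 0x40000000 -bor 0x10000000

function Test-GroupCanWrite {
    param([string]$Path, [string]$Identity)

    $allow = $false
    $deny  = $false
    foreach ($rule in (Get-Acl -Path $Path).Access) {
        # Only ACEs that name the group directly.
        if ($rule.IdentityReference.Value -ne $Identity) { continue }
        # Inherit-only ACEs (PropagationFlags bit 2) apply to children, not this folder.
        if (([int]$rule.PropagationFlags -band 2) -ne 0) { continue }
        # Ignore ACEs that carry no write-related right.
        if (([int]$rule.FileSystemRights -band $WriteBits) -eq 0) { continue }
        if ($rule.AccessControlType -eq 'Deny') { $deny = $true } else { $allow = $true }
    }
    # A Deny ACE for the group overrides any Allow ACE.
    return ($allow -and -not $deny)
}

foreach ($dir in $AppDirs) {
    if (-not (Test-Path -Path $dir -PathType Container)) {
        Write-Output "$dir : not installed, skipped"
        continue
    }
    if (Test-GroupCanWrite -Path $dir -Identity $Identity) {
        Write-Output "$dir : $Identity can already write"
    } else {
        Write-Output "$dir : no write access for $Identity (candidate for a targeted grant)"
    }
}
```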
 
Thanks for all the comments folks. Gratefully received - soaking the information up like a sponge here.

Another question...

Can you actually use GP to assign domain users as 'Power Users' on the local machines?

Actually, another question...

I've consulted with my IT manager, and they would like me to specify the following:

* Desktop control allowed
* Full access to local hard drives
* Software Installation NOT Allowed
* Existing software Updates Allowed
* Install additional printers Allowed

Is there a way anyone knows to confer these requirements using Group Policy?
 