Local accounts for domain users best practice
|
Prev: Remove WMI filter
Next: Search in WSS3.0 in SBS 2008
From: SteveM on 25 Feb 2010 18:11 CourtK wrote: > Some of our clients want to be able to install software and we have to oblige. Some of our clients also want to engage in activities which are dangerous to their networks. It doesn't mean we have to oblige. Instead, we talk them through the consequences of what they want. Mostly they relent, in the knowledge they are doing the right thing. If they don't we have them sign up to a disclaimer which absolves us from any responsibility for their chosen actions (in other words, they have to pay extra for us to fix the mess they - inevitably - create).
From: CourtK on 25 Feb 2010 18:16 Rather than using my nomenclature I'll describe the steps involed for the two ways to add a domain user within Vista. 1) Click Start \ Control Panel \ User Accounts \ User Accounts \ Manage User Accounts \ Add \ type user name \ type domain \ select Administrator (or whatever) \ Finish or 2) Click Start \ Control Panel \ User Accounts \ User Accounts \ Manage User Accounts \ Advanced tab \ Advanced button \ expand Groups \ double click Administrators \ click Add \ type domain user \ click OK Which one is best practice? "CourtK" <noreply(a)noreply.com> wrote in message news:ubrEU3mtKHA.928(a)TK2MSFTNGP04.phx.gbl... > Add a domain user to a workstation and allow them to install software and > hardware without IT intervention. > > > "kj [SBS MVP]" <KevinJ.SBS(a)SPAMFREE.gmail.com> wrote in message > news:OOqnVzmtKHA.4492(a)TK2MSFTNGP05.phx.gbl... >> Going to agree with SteveM here. Your nomenclature usage is just >> confusing. >> >>> So, getting past whether or not to add a domain user to a >>> workstation's local account, >> >> What are you trying to acheive? >> >> >> >> CourtK wrote: >>> I am fairly certain that Microsoft supports adding a domain user to >>> their workstation as a local account, considering Microsoft prompts >>> for it during the join to domain wizard and, during the process to >>> add a local account, I can select domain users in AD. >>> >>> If a local administrator account is used IT doesn't have to be >>> involved when users want to add hardware and software. I believe not >>> adding a domain user to a local account or local group defaults to a >>> user account, which can't do much of anything. Some of our clients >>> want to be able to install software and we have to oblige. >>> >>> So, getting past whether or not to add a domain user to a >>> workstation's local account, which method is best practice; to add a >>> domain user to a workstation's local group or setup a workstation's >>> local account? Could adding a domain user to a local group, and not >>> creating a specific local account, cause local profile issues? >>> >>> >>> >>> "SteveM" wrote in message news:xn0gqtjcf575vd000(a)news.microsoft.com... >>>> CourtK wrote: >>>> >>>>> That is not an option. To clarify even more, this question is >>>>> regarding adding domain users to a local account on a workstation, >>>>> not the SBS server. >>>> >>>> I think you need to explian *why* you want to do this. The responses >>>> you've had are the expected ones - don't make domain users local >>>> admins, and don't set up local admin accounts for them (which will >>>> result in allowing users to circumvent domain restrictions on the >>>> workstation). The whole point of a domain-based network is to enforce >>>> central management and control. If you're going to allow local >>>> control, it undermines the whole secuity model and puts your network >>>> at risk. So, if you can explain what it is you want to achieve, and >>>> why, >>>> people might be able to help you more. >> >> -- >> /kj >> >
From: kj [SBS MVP] on 25 Feb 2010 18:40 CourtK wrote: > Add a domain user to a workstation and allow them to install software > and hardware without IT intervention. This is acheived by adding the domain\user accounts to the workstation local group that has permissions to perform the desired operations. Worksation accounts are authenticated by the worksation and have no rights on the domain. Domain accounts are authenticated on the domain and given (delegated) rights through workstation local group membership. However the side issue remains that workstation users really shouldn't be arbitrarly installing stuff. Unless the user happens to "own and self support" the workstation. It's just a bad practice that should be avoided whenever and however possible. > > > "kj [SBS MVP]" <KevinJ.SBS(a)SPAMFREE.gmail.com> wrote in message > news:OOqnVzmtKHA.4492(a)TK2MSFTNGP05.phx.gbl... >> Going to agree with SteveM here. Your nomenclature usage is just >> confusing. >> >>> So, getting past whether or not to add a domain user to a >>> workstation's local account, >> >> What are you trying to acheive? >> >> >> >> CourtK wrote: >>> I am fairly certain that Microsoft supports adding a domain user to >>> their workstation as a local account, considering Microsoft prompts >>> for it during the join to domain wizard and, during the process to >>> add a local account, I can select domain users in AD. >>> >>> If a local administrator account is used IT doesn't have to be >>> involved when users want to add hardware and software. I believe >>> not adding a domain user to a local account or local group defaults >>> to a user account, which can't do much of anything. Some of our >>> clients want to be able to install software and we have to oblige. >>> >>> So, getting past whether or not to add a domain user to a >>> workstation's local account, which method is best practice; to add a >>> domain user to a workstation's local group or setup a workstation's >>> local account? Could adding a domain user to a local group, and not >>> creating a specific local account, cause local profile issues? >>> >>> >>> >>> "SteveM" wrote in message >>> news:xn0gqtjcf575vd000(a)news.microsoft.com... >>>> CourtK wrote: >>>> >>>>> That is not an option. To clarify even more, this question is >>>>> regarding adding domain users to a local account on a workstation, >>>>> not the SBS server. >>>> >>>> I think you need to explian *why* you want to do this. The >>>> responses you've had are the expected ones - don't make domain >>>> users local admins, and don't set up local admin accounts for them >>>> (which will result in allowing users to circumvent domain >>>> restrictions on the workstation). The whole point of a >>>> domain-based network is to enforce central management and control. >>>> If you're going to allow local control, it undermines the whole secuity >>>> model and puts your >>>> network at risk. So, if you can explain what it is you want to achieve, >>>> and why, people might be able to help you more. >> >> -- >> /kj -- /kj
From: Joe on 26 Feb 2010 06:52 CourtK wrote: > I am fairly certain that Microsoft supports adding a domain user to > their workstation as a local account, considering Microsoft prompts for > it during the join to domain wizard and, during the process to add a > local account, I can select domain users in AD. > We seem to be fumbling towards understanding here, but this is one point that should be clarified: when the connectcomputer wizard asks you to designate users, it is *not* creating local accounts. It is changing some group memberships, not in an optimal way, and it is migrating any previous local profile of that name so as to be utilised in a domain logon. That is not the same as creating a local account. Local accounts in a domain are as welcome as... no, I'll stop there. *Not* welcome. I'm sure you don't want to be lectured on security, but your subject line does include the phrase 'best practice'. Whether your clients wish to hear it or not, 'best practice' includes *never* giving users administrative logons. With Vista, that is finally possible, as there is almost no job that actually requires an admin to be logged on. So those users who can be trusted can be given partial administrative accounts to use *from* their unprivileged accounts. And that's *domain* accounts, which can be controlled by policy, and which the user cannot reconfigure easily. That's not some theoretical ideal, a 'do as I say but not as I do' proposition. I'm sitting now at one of my computers, my own personal property, to which I've never logged in as administrator since the day it was installed, and I never expect to do so. I do a lot more admin work on it than most 'power users' ever do, but I take admin privileges only for the duration of a particular job, in one window of my desktop. I have no boss, so it's not control freakery, it's common sense. Quite apart from security, another 'best practice' is to maintain the workstations of a network in as uniform and unconfigured a state as possible, to make life much easier when one breaks. Ideally they should all be identical, but for some reason, probably quantum, that doesn't seem to be possible. Even if each user only ever logs on to one machine, it's still a good idea. Do all the individual configuration using domain facilities, that's what they're for. Altering the logon permissions of a couple of users is a whole lot easier than looking up the documentation (!) for a couple of machines and installing software and adjusting one to match what the other used to be. -- Joe
From: Steve Foster on 26 Feb 2010 10:44
CourtK wrote: >We have some clients that have the domain user in a local administrator >group only, no local account. What are best practices for adding domain >users to the workstations? In an environment where the users do not need >roaming profiles, is it advantageous to set up local accounts for the >domain user? Could not having a local account cause the profile to be >volatile? Best Practices: 1) *never* create local accounts, ever. 2) disable (via GPO) the pre-installed local Administrator and Guest accounts (<Local>\Guest is disabled by default). 3) don't grant users administrative privileges anywhere. SBS2003 deviates from the above, in that it routinely assigns users local administrative privileges (for the PC assigned to the user at user creation). SBS2008 doesn't make this mistake any more. By default, all domain user accounts can log on to any domain-joined workstation. Nothing needs to be done to any workstation to achieve this (beyond the original joining to the domain). The decision on whether to roam or not to roam domain user profiles is entirely unconnected with the above. -- Steve Foster ------------ Please reply only to the newsgroups. For SSL Certificates, Domains, etc, visit.: https://netshop.virtual-isp.net |