Best setup for multiple users?
Ok, here is the situation:
Organization has brand new, nice computer on the Drew Network. Multiple users will have to use this computer to accomplish various tasks. I am looking for the best way to give them the most usability, without allowing them to screw up the computer very much. If it was just a regular XP pro machine not on the Drew Network, I would have created a new user account that everyone would be able to log into. However, since it is on the network I canít really do that.
Right now the way I am doing it is I set my login to be an administrator and the rest of Drew-Ad/Stu to be added to the User group. I am not sure if this is the best option though. One of the things I would like to be able to do, if possible, is to create a common Firefox profile that everyone would use. Under the current implementation, however, every new user starts with the original default profile. The only way that I can think of right now to give everyone the same profile is to wait until they log in the first time, then copy the profile to their specific firefox directory, which would be quite annoying. Also, I am not sure if the settings for the User group will allow them to run all the programs they will need to (at the moment the list is only things like Dreamweaver, Photoshop, Pagemaker, and Finale, but it will probably expand in the future), but I think making everyone Power Users might allow them to do too much damage to the system. Any suggestions?
Firefox profiles are normally located in c:\documents and settings\username\Application Data\Mozilla\Firefox. If you'd like to set up a default one, you can copy it to C:\Documents and Settings\Default User. The contents of that directory are used as a template for new user profiles when a user first logs in.
If you truly want a common profile, rather than just a template, it looks like you can do that by editing the profiles.ini and pointing it at a common directory that lives outside of the user profiles. Then just put your modified profiles.ini in the Default User profile.
Many modern applications will run with restricted user access. However, there are a number of poorly designed apps out there that try to write files into c:\program files or make registry entries in HKEY_LOCAL_MACHINE. These will fail because a restricted user only has the ability to write within their user profile, and update the registry under HKEY_CURRENT_USER. In most cases, you can work around those apps by setting permissions on those program directories or registry keys to allow all users to write. You can do that by right clicking on a folder or key in regedit and selecting the Security tab.
Ok, so the setup seems to be working well, but I have a slight follow up question. Though I consider myself to be decently proficient with computers, I donít like the idea of using an administrator account for regular computer usage. Is there any solution that would allow me to retain administrator rights on my ulogin for when I needed to install programs, etc, but also be able to have restricted access for myself for regular computer usage?
Windows doesn't allow you to have one account with admin privs that you can switch on "on demand" during a Windows session but are normally disabled... However, if you are willing to have another login/password for administrative usage, you can use the Run As facility to selectivity run programs as a different user (even one with more privs than you) from within your Windows session.
In this scenario, you would set up your uLogin account as a restricted Windows user. When you need to run a setup program or other app that requires higher privileges, right click on the app, and select the Run As option, putting in the login and password for a different account that has admin rights.. Typically, you'd just use the local Administrator account for this. The Run As option should show up on the right click menu for anything on the Start menu or any executables that you browse to through Explorer.
If you like doing stuff from the command line, there is a runas command there as well:
runas /user:MACHINENAME\Administrator explorer.exe
will popup a Windows Explorer user running as the local Admin account for instance after prompting you to enter the Admin password.
There are a few limitations to Run As. Not all programs can run under Run As, but it is good enough that you can probably do about 95% of what you need to do without having to logout of the workstation entirely and in as Admin. Also, even though Windows makes it look like you have all these program windows happily coexisting on the same desktop but running as different people, each separate user is still isolated to a certain extent. You can't drag/drop between program windows "owned" by different users, for instance.
Also, http://nonadmin.editme.com/ has some nice tips on working from within a least privilege user account in Windows.
http://blogs.msdn.com/aaron_margosis...23/163229.aspx has some tips on using RunAs.
|All times are GMT -4. The time now is 05:19 AM.|
Powered by vBulletin® Version 3.5.7
Copyright ©2000 - 2020, Jelsoft Enterprises Ltd.
Drew University is not responsible for the content of posts made on this site. All posts and comments reflect the opinion of the author.