Originally Posted by Gary A. Hochman
Ok, here is the situation:
Organization has brand new, nice computer on the Drew Network. Multiple users will have to use this computer to accomplish various tasks. I am looking for the best way to give them the most usability, without allowing them to screw up the computer very much. If it was just a regular XP pro machine not on the Drew Network, I would have created a new user account that everyone would be able to log into. However, since it is on the network I canít really do that.
Right now the way I am doing it is I set my login to be an administrator and the rest of Drew-Ad/Stu to be added to the User group. I am not sure if this is the best option though. One of the things I would like to be able to do, if possible, is to create a common Firefox profile that everyone would use. Under the current implementation, however, every new user starts with the original default profile. The only way that I can think of right now to give everyone the same profile is to wait until they log in the first time, then copy the profile to their specific firefox directory, which would be quite annoying. Also, I am not sure if the settings for the User group will allow them to run all the programs they will need to (at the moment the list is only things like Dreamweaver, Photoshop, Pagemaker, and Finale, but it will probably expand in the future), but I think making everyone Power Users might allow them to do too much damage to the system. Any suggestions?
What you are doing makes the most sense, however, I would use the DREW-AD\Student role, or just DREW-AD\Domain Users (that gets everyone) rather than Stu. The Stu group is a legacy group and is only updated when users are created, whereas Student will be updated whenever people change status automatically.
Firefox profiles are normally located in c:\documents and settings\username\Application Data\Mozilla\Firefox. If you'd like to set up a default one, you can copy it to C:\Documents and Settings\Default User. The contents of that directory are used as a template for new user profiles when a user first logs in.
If you truly want a common profile, rather than just a template, it looks like you can do that by editing the profiles.ini and pointing it at a common directory that lives outside of the user profiles. Then just put your modified profiles.ini in the Default User profile.
Many modern applications will run with restricted user access. However, there are a number of poorly designed apps out there that try to write files into c:\program files or make registry entries in HKEY_LOCAL_MACHINE. These will fail because a restricted user only has the ability to write within their user profile, and update the registry under HKEY_CURRENT_USER. In most cases, you can work around those apps by setting permissions on those program directories or registry keys to allow all users to write. You can do that by right clicking on a folder or key in regedit and selecting the Security tab.