Drew Community  

Go Back   Drew Community > General Forums > Technology Discussion
uLogin ID  
Password
FAQ Members List Calendar Search Today's Posts Mark Forums Read


Reply
 
Thread Tools Search this Thread Display Modes
  #1  
Old 07-01-2005, 09:08 AM
Gary A. Hochman
 
Posts: n/a
Default Best setup for multiple users?

Ok, here is the situation:
Organization has brand new, nice computer on the Drew Network. Multiple users will have to use this computer to accomplish various tasks. I am looking for the best way to give them the most usability, without allowing them to screw up the computer very much. If it was just a regular XP pro machine not on the Drew Network, I would have created a new user account that everyone would be able to log into. However, since it is on the network I canít really do that.

Right now the way I am doing it is I set my login to be an administrator and the rest of Drew-Ad/Stu to be added to the User group. I am not sure if this is the best option though. One of the things I would like to be able to do, if possible, is to create a common Firefox profile that everyone would use. Under the current implementation, however, every new user starts with the original default profile. The only way that I can think of right now to give everyone the same profile is to wait until they log in the first time, then copy the profile to their specific firefox directory, which would be quite annoying. Also, I am not sure if the settings for the User group will allow them to run all the programs they will need to (at the moment the list is only things like Dreamweaver, Photoshop, Pagemaker, and Finale, but it will probably expand in the future), but I think making everyone Power Users might allow them to do too much damage to the system. Any suggestions?
Reply With Quote
  #2  
Old 07-01-2005, 11:06 AM
E. Axel Larsson's Avatar
E. Axel Larsson E. Axel Larsson is offline
Moderator
 
Join Date: Jun 2005
Location: Madison, NJ
Posts: 303
Default

Quote:
Originally Posted by Gary A. Hochman
Ok, here is the situation:
Organization has brand new, nice computer on the Drew Network. Multiple users will have to use this computer to accomplish various tasks. I am looking for the best way to give them the most usability, without allowing them to screw up the computer very much. If it was just a regular XP pro machine not on the Drew Network, I would have created a new user account that everyone would be able to log into. However, since it is on the network I canít really do that.

Right now the way I am doing it is I set my login to be an administrator and the rest of Drew-Ad/Stu to be added to the User group. I am not sure if this is the best option though. One of the things I would like to be able to do, if possible, is to create a common Firefox profile that everyone would use. Under the current implementation, however, every new user starts with the original default profile. The only way that I can think of right now to give everyone the same profile is to wait until they log in the first time, then copy the profile to their specific firefox directory, which would be quite annoying. Also, I am not sure if the settings for the User group will allow them to run all the programs they will need to (at the moment the list is only things like Dreamweaver, Photoshop, Pagemaker, and Finale, but it will probably expand in the future), but I think making everyone Power Users might allow them to do too much damage to the system. Any suggestions?
What you are doing makes the most sense, however, I would use the DREW-AD\Student role, or just DREW-AD\Domain Users (that gets everyone) rather than Stu. The Stu group is a legacy group and is only updated when users are created, whereas Student will be updated whenever people change status automatically.

Firefox profiles are normally located in c:\documents and settings\username\Application Data\Mozilla\Firefox. If you'd like to set up a default one, you can copy it to C:\Documents and Settings\Default User. The contents of that directory are used as a template for new user profiles when a user first logs in.

If you truly want a common profile, rather than just a template, it looks like you can do that by editing the profiles.ini and pointing it at a common directory that lives outside of the user profiles. Then just put your modified profiles.ini in the Default User profile.

Many modern applications will run with restricted user access. However, there are a number of poorly designed apps out there that try to write files into c:\program files or make registry entries in HKEY_LOCAL_MACHINE. These will fail because a restricted user only has the ability to write within their user profile, and update the registry under HKEY_CURRENT_USER. In most cases, you can work around those apps by setting permissions on those program directories or registry keys to allow all users to write. You can do that by right clicking on a folder or key in regedit and selecting the Security tab.
__________________
E. Axel Larsson
Systems Architect and Director of the Enterprise Technology Center
Reply With Quote
  #3  
Old 07-13-2005, 02:40 PM
Gary A. Hochman
 
Posts: n/a
Default follow up

Ok, so the setup seems to be working well, but I have a slight follow up question. Though I consider myself to be decently proficient with computers, I donít like the idea of using an administrator account for regular computer usage. Is there any solution that would allow me to retain administrator rights on my ulogin for when I needed to install programs, etc, but also be able to have restricted access for myself for regular computer usage?
Reply With Quote
  #4  
Old 07-13-2005, 09:32 PM
E. Axel Larsson's Avatar
E. Axel Larsson E. Axel Larsson is offline
Moderator
 
Join Date: Jun 2005
Location: Madison, NJ
Posts: 303
Default

Windows doesn't allow you to have one account with admin privs that you can switch on "on demand" during a Windows session but are normally disabled... However, if you are willing to have another login/password for administrative usage, you can use the Run As facility to selectivity run programs as a different user (even one with more privs than you) from within your Windows session.

In this scenario, you would set up your uLogin account as a restricted Windows user. When you need to run a setup program or other app that requires higher privileges, right click on the app, and select the Run As option, putting in the login and password for a different account that has admin rights.. Typically, you'd just use the local Administrator account for this. The Run As option should show up on the right click menu for anything on the Start menu or any executables that you browse to through Explorer.

If you like doing stuff from the command line, there is a runas command there as well:

runas /user:MACHINENAME\Administrator explorer.exe

will popup a Windows Explorer user running as the local Admin account for instance after prompting you to enter the Admin password.

There are a few limitations to Run As. Not all programs can run under Run As, but it is good enough that you can probably do about 95% of what you need to do without having to logout of the workstation entirely and in as Admin. Also, even though Windows makes it look like you have all these program windows happily coexisting on the same desktop but running as different people, each separate user is still isolated to a certain extent. You can't drag/drop between program windows "owned" by different users, for instance.
__________________
E. Axel Larsson
Systems Architect and Director of the Enterprise Technology Center
Reply With Quote
  #5  
Old 07-13-2005, 09:44 PM
E. Axel Larsson's Avatar
E. Axel Larsson E. Axel Larsson is offline
Moderator
 
Join Date: Jun 2005
Location: Madison, NJ
Posts: 303
Default More tips

Also, http://nonadmin.editme.com/ has some nice tips on working from within a least privilege user account in Windows.

http://blogs.msdn.com/aaron_margosis...23/163229.aspx has some tips on using RunAs.
__________________
E. Axel Larsson
Systems Architect and Director of the Enterprise Technology Center
Reply With Quote
Reply


Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)
 
Thread Tools Search this Thread
Search this Thread:

Advanced Search
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

vB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Forum Jump


All times are GMT -4. The time now is 09:07 AM.


Powered by vBulletin® Version 3.5.7
Copyright ©2000 - 2019, Jelsoft Enterprises Ltd.

Drew University is not responsible for the content of posts made on this site. All posts and comments reflect the opinion of the author.