[WEB4LIB] Windows 2000 profiles

Dobbs, Aaron DobbsA at apsu.edu
Mon Oct 15 11:52:12 EDT 2001


The issue is not one of security or insecurity.  The problem you are facing
is caused by an insufficient number of DCs (assuming a native mode 2000
network) or BDCs (assuming you have a mixed mode 2000 or NT4 only network).
Promoting more servers (that are not used for "outside" connections, of
course) to DCs (in a 2000 network) or creating more BDCs (in a mixed or NT4
network) will allay your difficulties.  Also consider upgrading the hardware
in your DCs or PDC & BDCs -- if the servers are more than a year or two old
you seriously need more speed, especially when many layers of system
policies (or active directory security policies) are applied.  

Network design-wise the fewer levels of permissions applied/processed the
faster the logons. (an obvious, but sometimes ignored observation)  A slow
PDC & fast BDCs will still have problems because the PDC is being hit for
policies; consider synchronizing all BDCs, turning off the PDC, promoting the
newest (I assume fastest here) BDC to PDC, and bringing the old PDC back up as a
BDC.  

So the short sell to management would be:  "We need an additional Domain
Controller to handle logon traffic for our public machines.  The capital
outlay would be minimal if we promoted one of our internal servers (print or
file server, perhaps, though a dedicated server would be even better) to
Domain Controller.  ROI for switching to W2K server (leaving out the whole
OpenSource arguments here) is: more control can be maintained with fewer
dedicated resources/manhours, freeing up personnel to do other things."  I'm
sure you can come up with better reasoning, I'm at the information desk
doing this :-)


Aaron W. Dobbs
Network Services Librarian
Felix G. Woodward Library
Austin Peay State University



-----Original Message-----
From: Tom Edelblute [mailto:thomas at anaheim.lib.ca.us]
Sent: Friday, October 12, 2001 1:02 PM
To: Multiple recipients of list
Subject: [WEB4LIB] Windows 2000 profiles


I would like to test a theory out with the infinite wisdom gathered on
this listserv.

We have a number of user restrictions set in the Windows 2000 server
active directory.  These restrictions keep selected computers from going
out onto the open Internet.  We do this by setting the proxy server to
x.x.x.x and a list of exceptions for our subscription databases.  We
tell our Internet people to go to the computer lab.

The problem is that sometimes we log in and get the desktop we want to
see but none of the security restrictions.  It appears that this happens
when we log several computers in at once.  One of my Systems Specialists
is now telling the Librarians that they have to wait for the computer
they are logging in to come all the way up before they log in the next
one.

We never had this problem with NT.  Is Windows 2000 really that
insecure?  How am I going to sell this to management?  Is there
something else that we are missing that we should be doing?
-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Tom Edelblute
Public Access Systems Coordinator
Anaheim Public Library   phone: (714) 765-1759
500 West Broadway        fax:   (714) 765-1730
Anaheim CA 92805         e-mail: thomas at anaheim.lib.ca.us

