[WEB4LIB] NT/2000 security question

Dobbs, Aaron DobbsA at apsu.edu
Thu Mar 8 18:44:14 EST 2001


A couple of quick thoughts:

W2K Server will handle the profiles of all users and machines fine. 
NB: the tools are, mostly, found in different places than where you'd expect
on an NT4 Server.
NB!: the W2K machine will have to be a Domain Controller.  If you install a
W2K Server on the network it will automatically become the PDC.  No ifs,
ands or buts.  Logically this makes sense, but be sure to be ready for
this when it happens.  (I would consider taking down the "real" or current
PDC and promoting a BDC first then installing the W2K box on the network --
just in case something goes horribly wrong.)

NT4 can handle the profiles for W2K Professional machines when the
workstation is correctly configured (so I'm told).  But I am also told that
moving production to a pure or "native" W2K domain structure (all DCs are
W2K and in native mode) makes administration a breeze.  In an instructional
environment (contrived, yes) I agree W2K is much easier and far more robust
and granular in its permissions; but don't forget vendor compatibility
issues.

If you've the budget (and a compatible vendor) my suggestion would be to
switch to 100% W2K machines (Server & Workstation) for the following
reasons:
  If you install the machines from a network share the OS provides a
"persistent" file system. (if a user deletes explorer.exe on a workstation -
a required file for Windows to run - the OS realizes it is missing a file,
looks for the network share it used for the original install, copies the
file to itself, and then runs as if it were always there.  Same with M$
applications, if you installed it from a network share and a user deletes
word.exe the next time someone tries to use word.exe the OS notices that it
should be there, goes and gets the file from the original installation
network share (assuming the share is still there), installs it again and
runs it for the user.)
  Users can be assigned software, if you say user 1234 can use a software
package the system will install the software from a network share (if you
tell it to) for that user and allow the user to run it.  If later you decide
that user 1234 should not be able to run the software the OS will remove the
software from the user's profile.  Very neat stuff.

-Aaron
:-)'
Please pipe M$ bashing replies to /dev/null :-)'

Yes they are corporate in all the negative senses, 
but they do make (bloated) products that work without 
requiring end user/administrator kernel recompilation :-)'

-----Original Message-----
From: Tom Edelblute [mailto:thomas at anaheim.lib.ca.us]
Sent: Thursday, March 08, 2001 5:18 PM
To: Multiple recipients of list
Subject: [WEB4LIB] NT/2000 security question


We have an NT server using policy editor and mandatory profiles for
security.  This has worked fine for us on the NT workstations.

We have now received our first shipment of Windows 2000 workstations and
are having problems securing everything we want to using the policy
editor on the NT server.

One of the solutions that has been proposed is to buy a 2000 server.
Does anyone know if it is possible to use a 2000 policy editor with NT
workstation?  Would it be necessary to convert all the NT Workstations
to 2000 Workstations?  Or will the 2000 Policy editor be able to
accommodate NT Workstations without problem?  Anybody have any thoughts?
-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Tom Edelblute
Public Access Systems Coordinator
Anaheim Public Library   phone: (714) 765-1759
500 West Broadway        fax:   (714) 765-1730
Anaheim CA 92805         e-mail: thomas at anaheim.lib.ca.us

