[WEB4LIB] RE: Windows 2000 profiles

Mike McDermott mmcderm2 at bowdoin.edu
Mon Oct 15 16:44:37 EDT 2001


"Dobbs, Aaron" wrote:
> 
> The issue is not one of security or insecurity.  

Sure it is - If Windows is supposed to be getting its lockdown
configuration from the Active Directory and doesn't get it, but happily
starts up and runs without the security settings, it's a security issue on
the local machine(s).

> The issue is not one of security or insecurity.  The problem you are facing
> is caused by an insufficient number of DCs (assuming a native mode 200
> network) or BDCs (assuming you have a mixed mode 2000 or nt4 only network).
> Promoting more servers (that are not used for "outside" connections, of
> course) to DCs (in a 2000 network) or creating more BDCs (in a mixed or NT4
> network) will allay your difficulties.  Also consider upgrading the hardware
> in your DCs or PDC & BDCs -- if the servers are more than a year or two old
> you seriously need more speed, especially when many layers of system
> policies (or active directory security policies) are applied.
> 
> Network design-wise the fewer levels of permissions applied/processed the
> faster the logons. (an obvious, but sometimes ignored observation)  A slow
> PDC & fast BDCs will still have problems because the PDC is being hit for
> policies, consider synchronizing all BDCs, turning off the PDC, promoting the
> newest (I assume fastest here) BDC to PDC, and bringing the old PDC back up as a
> BDC.
> 
> So the short sell to management would be:  "We need an additional Domain
> Controller to handle logon traffic for our public machines.  The capital
> outlay would be minimal if we promoted one of our internal servers (print or
> file server, perhaps, though a dedicated server would be even better) to
> Domain Controller.  ROI for switching to W2K server (leaving out the whole
> OpenSource arguments here) is: more control can be maintained with fewer
> dedicated resources/manhours, freeing up personnel to do other things."  I'm
> sure you can come up with better reasoning, I'm at the information desk
> doing this :-)
> 
> Aaron W. Dobbs
> Network Services Librarian
> Felix G. Woodward Library
> Austin Peay State University
> 
> -----Original Message-----
> From: Tom Edelblute [mailto:thomas at anaheim.lib.ca.us]
> Sent: Friday, October 12, 2001 1:02 PM
> To: Multiple recipients of list
> Subject: [WEB4LIB] Windows 2000 profiles
> 
> I would like to test a theory out with the infinite wisdom gathered on
> this listserv.
> 
> We have a number of user restrictions set in the Windows 2000 server
> active directory.  These restrictions keep selected computers from going
> out onto the open Internet.  We do this by setting the proxy server to
> x.x.x.x and a list of exceptions for our subscription databases.  We
> tell our Internet people to go to the computer lab.
> 
> The problem is that sometimes we log in and get the desktop we want to
> see but none of the security restrictions.  It appears that this happens
> when we log several computers in at once.  One of my Systems Specialists
> is now telling the Librarians that they have to wait for the computer
> they are logging in to come all the way up before they log in the next
> one.
> 
> We never had this problem with NT.  Is Windows 2000 really that
> insecure?  How am I going to sell this to management?  Is there
> something else that we are missing that we should be doing?
> --
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> Tom Edelblute
> Public Access Systems Coordinator
> Anaheim Public Library   phone: (714) 765-1759
> 500 West Broadway        fax:   (714) 765-1730
> Anaheim CA 92805         e-mail: thomas at anaheim.lib.ca.us

-- 
Mike McDermott                     <mmcderm2 at bowdoin.edu>
Bowdoin College Library
3000 College Station
Brunswick, Maine 04011-8421                (207) 725-3856
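Mike's point is that a machine which comes up without the AD-delivered proxy restriction is running fail-open. As an added example (not code from anyone in this thread), here is a logon-time check that verifies the proxy lockdown Tom describes actually landed on the local machine and flags it when it did not. It assumes the expected proxy value is a placeholder for the site's real one, uses the standard Internet Settings policy and preference registry locations, and uses PowerShell in place of whatever logon tooling a 2001-era domain actually had.

```powershell
# Added example: confirm the Group Policy proxy lockdown applied at this logon.
$ExpectedProxy = 'x.x.x.x:8080'   # placeholder, substitute the site's real proxy

function Test-ProxyLockdown {
    param([string]$Expected = $ExpectedProxy)

    # Policy-delivered values live under Policies and override user preferences.
    $policyKey = 'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
    $prefKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

    $policy = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
    $pref   = Get-ItemProperty -Path $prefKey   -ErrorAction SilentlyContinue

    # Prefer the policy key; fall back to preferences so a machine with the
    # right values but no policy is reported as such rather than as "no proxy".
    $fromPolicy = [bool]($policy -and $policy.ProxyServer)
    $source = if ($fromPolicy) { $policy } else { $pref }

    $problems = @()
    if (-not $source -or -not $source.ProxyServer) {
        $problems += 'no proxy server configured at all (policy did not apply)'
    } else {
        if ($source.ProxyServer -ne $Expected) {
            $problems += "proxy is '$($source.ProxyServer)', expected '$Expected'"
        }
        if ($source.ProxyEnable -ne 1) {
            $problems += 'ProxyEnable is not 1 (proxy defined but not enforced)'
        }
        if (-not $fromPolicy) {
            $problems += 'proxy came from user preferences, not from Group Policy'
        }
    }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        User         = $env:USERNAME
        Applied      = ($problems.Count -eq 0)
        Exceptions   = if ($source) { $source.ProxyOverride } else { $null }
        Problems     = $problems
    }
}

$result = Test-ProxyLockdown
if (-not $result.Applied) {
    # Surface the fail-open state where staff will see it instead of running silently.
    Write-Warning ("Lockdown NOT applied on {0} for {1}: {2}" -f `
        $result.ComputerName, $result.User, ($result.Problems -join '; '))
}
$result
```

Run it from a logon script on the public machines; a warning here is the symptom Tom describes, and the Exceptions field shows whether the subscription-database exception list also arrived.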

