Help ! NT Profile Administration

Help ! NT Profile Administration

Post by BY » Fri, 25 Dec 1998 04:00:00



My NT security administration has been very poorly managed because they are
too many people managing it. I am hoping to distinguish them some as
"Accounts Operator", some as "Server Operator" and eventually 1 or 2 people
only as "Domain Administrator"s on the network.

Below are the problems I am yet to resolve and I would appreciate to receive
any input and suggestions from you.
1.    So far, I have discovered only "domain administrator" can do "copy
profile" process successfully from Start-Settings-Control Panel-System-User
Profiles" menu. My company is using "Mandatory Profile" as the standard
profile type on the network.
I am trying to find out how Account Operators and Server Operators can do it
without fails with error message "Copy Profile Error". So far, the only way
they can do copy profile error without failing is if the source profile user
accounts carries "Everyone" security permission. This discovery certainly
does not help me much because by default, the security permission of all
profile users are not "Everyone" anyway.

2.    As people who are assigned as Account Operators or Server Operators
individually are not coming from the same department. This has complicated
my security design. I am hoping that any changes made by Account Operators
can be controlled/managed/audited by Server Operators and Domain
Administrators. I am hoping that Account Operators cant look at and amend
any changes made by Server Operators and Domain Administrators.

Are these 2 features achievable at all ? Your contribution to my concerns
would be highly appreciated.

Thanks.

 
 
 

Help ! NT Profile Administration

Post by A. Feine » Tue, 29 Dec 1998 04:00:00


You can change the permissions on the profile directory and grant the user a
full control. He will then be able to copy his profile.

--


>My NT security administration has been very poorly managed because they are
>too many people managing it. I am hoping to distinguish them some as
>"Accounts Operator", some as "Server Operator" and eventually 1 or 2 people
>only as "Domain Administrator"s on the network.

>Below are the problems I am yet to resolve and I would appreciate to
receive
>any input and suggestions from you.
>1.    So far, I have discovered only "domain administrator" can do "copy
>profile" process successfully from Start-Settings-Control Panel-System-User
>Profiles" menu. My company is using "Mandatory Profile" as the standard
>profile type on the network.
>I am trying to find out how Account Operators and Server Operators can do
it
>without fails with error message "Copy Profile Error". So far, the only way
>they can do copy profile error without failing is if the source profile
user
>accounts carries "Everyone" security permission. This discovery certainly
>does not help me much because by default, the security permission of all
>profile users are not "Everyone" anyway.

>2.    As people who are assigned as Account Operators or Server Operators
>individually are not coming from the same department. This has complicated
>my security design. I am hoping that any changes made by Account Operators
>can be controlled/managed/audited by Server Operators and Domain
>Administrators. I am hoping that Account Operators cant look at and amend
>any changes made by Server Operators and Domain Administrators.

>Are these 2 features achievable at all ? Your contribution to my concerns
>would be highly appreciated.

>Thanks.


 
 
 

Help ! NT Profile Administration

Post by Mark Morro » Wed, 30 Dec 1998 04:00:00


The account operators group functions with rights to manage user and group
security through User Manager for domains.  Any members of server operators
will not be allowed to manage user security unless said user is a member of
account operators or domain admin.  Changes in user security can be audited
by enabling auditing from user manager and selecting what to audit.ie User
and Group Management.

>You can change the permissions on the profile directory and grant the user
a
>full control. He will then be able to copy his profile.

>--


>>My NT security administration has been very poorly managed because they
are
>>too many people managing it. I am hoping to distinguish them some as
>>"Accounts Operator", some as "Server Operator" and eventually 1 or 2
people
>>only as "Domain Administrator"s on the network.

>>Below are the problems I am yet to resolve and I would appreciate to
>receive
>>any input and suggestions from you.
>>1.    So far, I have discovered only "domain administrator" can do "copy
>>profile" process successfully from Start-Settings-Control
Panel-System-User
>>Profiles" menu. My company is using "Mandatory Profile" as the standard
>>profile type on the network.
>>I am trying to find out how Account Operators and Server Operators can do
>it
>>without fails with error message "Copy Profile Error". So far, the only
way
>>they can do copy profile error without failing is if the source profile
>user
>>accounts carries "Everyone" security permission. This discovery certainly
>>does not help me much because by default, the security permission of all
>>profile users are not "Everyone" anyway.

>>2.    As people who are assigned as Account Operators or Server Operators
>>individually are not coming from the same department. This has complicated
>>my security design. I am hoping that any changes made by Account Operators
>>can be controlled/managed/audited by Server Operators and Domain
>>Administrators. I am hoping that Account Operators cant look at and amend
>>any changes made by Server Operators and Domain Administrators.

>>Are these 2 features achievable at all ? Your contribution to my concerns
>>would be highly appreciated.

>>Thanks.

 
 
 

1. Administration of NT help required

Hello,

Can anyone provide me with examples of how they've set up access for
administrators in NT.  I work for a large company who are moving to NT and
we have quite a few different groups responsible for administoring the
network.  Using the "Administrator" account makes it had to track so
currently administrators are getting a personal privileged account created.
 Is there a better way?

There is also a problem with using a privileged and non privileged account.
 Ideally everyone should have a normal account for working (in Word etc)
and they should only log in with the privileged account for certain tasks
but for some groups this would mean constantly going in and out.  We are
not sure of the best way around this problem.  With the Vax network you
just made a telnet connection to the various systems.

I did a web search to find examples of how various companies have set up
policies for administrator accounts but (unsuprisingly) didn't find
anything.  Could anyone here provide me with examples of how they've setup
their networks.

Many thanks,

Michael
--

2. Scheduled Tasks

3. Help: Automated NT Password Administration

4. XP Prof

5. HELP: Need NT Administration Questions

6. Parent ID

7. Help with NT Group Administration

8. Pocket Visual Basic Runtime Files - Version 6

9. Mandatory profiles Administration

10. Any good books on NT administration on NT Laptops ?

11. Roaming user profile in NT delete and go for local user profile???

12. Local NT profiles vs roaming Novell profiles