Problems with local security on Win2000 server

  1. #1
    Join Date
    Jan 2003
    Location
    Phoenix, AZ
    Posts
    29

    Problems with local security on Win2000 server

    Hi ... I'm new to this board and somewhat new to the Windows server world (remember Netware?). I have a Win2k domain controller, and 50 XP/Pro clients. Does anyone know what Win2000 does to the XP clients when a computer is added to the domain as far as security? Does it take over the security already established by the XP OS?

    The reason I ask is because since I added my computers to the domain, all of the local users on the workstation have full security on the Documents and Settings folder, and can see each other's profiles and documents. I believe the XP machines are all FAT32...do I need to convert them to NTFS? Is there an easy way to do that? Is there any way to get my securities back without doing this?

    Also, I'm using roaming profiles and am having trouble with keeping printer connections. I've tried using a VBS script to assign the printer, but it's not working.

    Thanks for ANY help you can give! =)
    dei
    Last edited by deik313; January 27th, 2003 at 09:12 PM.

  2. #2
    Join Date
    Jan 2003
    Location
    US
    Posts
    5,634
    I don't know if that's your problem or not, but you can easily convert FAT32 to NTFS.

    You can simply type at the command prompt:
    convert <drive>: /FS:NTFS

    No need to backup. However, once you convert to NTFS you cannot simply go back.
    Eric

  3. #3
    Join Date
    Jan 2003
    Location
    Phoenix, AZ
    Posts
    29
    Is there any reason why I would NOT want to convert to NTFS?

  4. #4
    Join Date
    Aug 1999
    Location
    CANADA
    Posts
    2,175
    If you use FAT32, there is no security at the file level. So yes this is the reason.

    The only real reason you would not want to convert to NTFS is that you can't use a DOS boot disk to get into the drive if something should go wrong. But you can always put the disk into another machine or install a second installation of XP so no big deal.
    NTFS is more secure and more efficient.

    This really has nothing to do with adding them to the domain-- although doing so will result in changes to security policies and some changes to local group memberships (i.e. domain administrators become admins of the local machine)
    Rapmaster
    (I don't like rap music.)

    Microsoft MVP,
    Windows - Shell/User

  5. #5
    Join Date
    Jan 2003
    Location
    Phoenix, AZ
    Posts
    29
    So, if I convert to NTFS, I will be able to set permissions so that only the user who created the file will be able to see it? (XP did that automatically when the computer was standalone. So, it had some security capabilities...hmmm, this is confusing.)

    When I added the computer to the domain, I did not make the users domain admins...I used my account, which is a domain admin, to add the computer. When each of the users logged in, their profiles were created, and they had full rights to everyone else's profile! Could I have inadvertently changed the local group memberships or security policies somehow?

    dei

  6. #6
    Join Date
    Aug 1999
    Location
    CANADA
    Posts
    2,175
    Because the volume was FAT32, anyone logged into the computer can get into any folder. There is no filesystem security with FAT32.

    If you convert to NTFS, you will need to go and manually assign permissions to existing folders. If you had been using NTFS beforehand, the appropriate permissions would have been set up automatically. There are some templates you can apply to configure these permissions after the fact, but I don't recall where to find them.

    Everything you are describing is perfectly ordinary for a FAT32 system. I wouldn't worry too much about them getting into each other's profiles: from a security standpoint, anything sensitive should be stored on a server somewhere. The only things in the individual user profiles on each workstation should be boring things like desktop icons and Start Menu settings etc. I'd be more concerned about restricting "Write" access to the \WINNT (Windows) and other system folders.

    To clarify: I am NOT saying you should make your users into Domain Admins (!). I mean that the existing domain admin group will be added to the local Administrators group on each workstation in the domain. (Allowing you and your IT colleagues to perform admin functions on the machine using your domain accounts, instead of needing to remember each machine's "Administrator" account password.) Anyway, this should happen automatically when you join the workstation to the domain.
    Rapmaster
    (I don't like rap music.)

    Microsoft MVP,
    Windows - Shell/User

  7. #7
    Join Date
    Jan 2003
    Location
    Phoenix, AZ
    Posts
    29
    You were right!! Okay...I'm really excited! I converted all my workstations to NTFS today. Once I did this...voila! All the profile securities were there. WOOOOHOOOOO!! This has been a big problem in our environment, because the users are students, and they are brutal on each other's files (deleting them, changing them, using them as their own, etc...). We have been keeping all of the files in their MyDocuments folder and have implemented roaming profiles. I left it this way because the kids are familiar with the MyDocuments folder, and I didn't want them to have to learn to copy to another drive. Maybe we need to consider mapping them to a home folder on the server and have them store them there instead.

    So far the only permissions I've had to grant on local applications are for older apps that are not Microsoft. We have an older typing program that I had to give all users Full rights to because it wouldn't work right. Word and Excel work fine, and other MS apps like Pagemaker and Access are okay (I think). Do you know what other securities I will need to put into place as far as the local applications go? I definitely will protect the system folders and other important application directories, but I'm not sure I know of them all.

    I am sooooooo relieved to at least have found that the conversion took care of the profile securities (maybe this is because I had them roaming?). If I have to individually set other permissions, that's okay...I'll handle them as I come across them.

    Thanks for your help!
    dei

  8. #8
    Join Date
    Aug 1999
    Location
    CANADA
    Posts
    2,175
    Usually, the \WINNT or \Windows folder is restricted so that only admins can write to it. Same with \Program Files. Everyone else would have Read and Execute. It does a few other weird things with special permissions on some folders that are too complicated to explain here, but that's the general idea.

    Like I said, you may need to set this up manually or apply a template, because you converted from FAT32. If you had used NTFS when you installed Windows, this would already be set up.

    It's definitely a good idea to map My Documents over to a server: it provides better security and a way to restore backups if necessary. And students can sit at whatever PC they want instead of being tied to a specific machine.
    Last edited by Rapmaster; January 29th, 2003 at 12:28 PM.
    Rapmaster
    (I don't like rap music.)

    Microsoft MVP,
    Windows - Shell/User
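
Added example, not part of any post in this thread: a PowerShell audit for the two conditions discussed above, local disks that are not NTFS and system folders that non-admin principals can write to. It assumes a Windows version with PowerShell 3.0 or later (newer than the systems in the thread) and English principal names; the `$trusted` list is an assumption to adjust per environment.

```powershell
# Added example (not from the thread). Run from an elevated prompt so ACLs are readable.

# 1. Local fixed disks that are not NTFS cannot enforce file permissions at all.
$nonNtfs = Get-CimInstance Win32_LogicalDisk -Filter 'DriveType=3' |
    Where-Object { $_.FileSystem -ne 'NTFS' } |
    Select-Object DeviceID, FileSystem

# 2. System folders should be writable by administrative principals only.
$systemDirs = @($env:SystemRoot, $env:ProgramFiles) | Where-Object { $_ }

# Principals expected to hold write access (assumption: English names, adjust as needed).
$trusted = @(
    'BUILTIN\Administrators',
    'NT AUTHORITY\SYSTEM',
    'NT SERVICE\TrustedInstaller',
    'CREATOR OWNER'
)

# Specific write-type rights, plus the generic bits Get-Acl can report on system folders.
$R = [System.Security.AccessControl.FileSystemRights]
$writeMask = [int]($R::WriteData -bor $R::AppendData -bor $R::Delete -bor
    $R::DeleteSubdirectoriesAndFiles -bor $R::ChangePermissions -bor $R::TakeOwnership)
$genericWriteOrAll = 0x40000000 -bor 0x10000000   # GENERIC_WRITE, GENERIC_ALL

$findings = foreach ($dir in $systemDirs) {
    foreach ($ace in (Get-Acl -LiteralPath $dir).Access) {
        $rights = [int]$ace.FileSystemRights
        $grantsWrite = ($rights -band $writeMask) -or ($rights -band $genericWriteOrAll)
        if ($ace.AccessControlType -eq 'Allow' -and $grantsWrite -and
            $trusted -notcontains $ace.IdentityReference.Value) {
            [pscustomobject]@{
                Path      = $dir
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

"Non-NTFS fixed disks: $(@($nonNtfs).Count)"
$nonNtfs  | Format-Table -AutoSize
"Write access on system folders for non-admin principals: $(@($findings).Count)"
$findings | Format-Table -AutoSize
```

The check reads only the ACL on each top-level folder; subfolders whose ACLs were changed individually, such as the typing-program folder mentioned earlier in the thread, need the same check run against their own paths.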

  9. #9
    Join Date
    Jan 2003
    Location
    Phoenix, AZ
    Posts
    29
    Rapmaster, you have helped me so much on this problem...is there a way on this forum to give a person "credit" for answers given?

    Dei

  10. #10
    Join Date
    Aug 1999
    Location
    CANADA
    Posts
    2,175


    I'm not looking for credit. A thanks is more than enough

    Just make sure you help someone else if you find a question that you know the answer to. That's how it works.

    good luck

    oh and look here: http://support.microsoft.com/?kbid=237399
    Rapmaster
    (I don't like rap music.)

    Microsoft MVP,
    Windows - Shell/User

  11. #11
    Join Date
    Jan 2003
    Location
    Phoenix, AZ
    Posts
    29
    Then...Thanks!
    Dei

    thanks for the link too...I printed out the document...very helpful!
