Thread: Is there a net admin in the house?

  1. #1
    Join Date
    Oct 2005
    Location
    Northern Utah
    Posts
    5,199

    Is there a net admin in the house?

    We've run into an issue here at work. Our computers were "secured" by a guy that knew how to set up domains and user permissions by reading a few magazine articles. He's no longer with us, and we undo what he's done.

    The server is running Windows Enterprise 2003 I think. We have his password but after that, we're sort of lost as to what to do. My MCSE bootcamp class from 10 years ago really isn't helping.

    The main thing we need to do is get all of the users back to one single username so that everyone can access everything equally without having to change passwords constantly.
    I'm Not Evil.
    An evil person would do the things that pop into my head.

  2. #2
    Quote: Originally Posted by Tog_
    [Snip!] The main thing we need to do is get all of the users back to one single username so that everyone can access everything equally without having to change passwords constantly.
    You do mean one single username (or user ID) per person, don't you? A single user ID shared by all users is a recipe for disaster.

  3. #3
    Join Date
    Mar 2007
    Posts
    2,018
    I'd stay away from that, too. With everyone on a single username, you're going to have a harder time detecting and managing any sort of security breach. You also have to worry about making every single employee learn a new password if you want to do important things like locking ex-employees out of the network. (It might also turn out to be problematic in all sorts of ways if your company ever ends up in litigation.)

    What you probably want to do is get rid of the policy that says everyone has to change their password all the time. Also stick everyone in a security group together; that way you can set a group policy saying that everyone can read and write each other's files by default. As far as how specifically to do that, I'm not sure. You'd have to ask a Windows guy.

  4. #4
    Join Date
    Oct 2005
    Location
    Northern Utah
    Posts
    5,199
    No, I mean one username for everyone. That's the way we had it set up before and everything worked fine. Once it was set up so that we had multiple users the network speed dropped like a rock. Two computers are having serious connectivity issues. The Palm that the maint. guy is supposed to use to see his jobs each day can only be used by one user, yet we all need access to it.

    We have a total of 8 people that work there that access a total of 4 computers. There are three that know how to do things like map network drives and install printers. The rest are all scared to touch anything for fear they'll break stuff. One of those people can't even be set up with their own username because no one here can figure out how to do it with things the way they are.

    I agree that one username per user, with actual permissions is the best way to go, but it's honestly not practical for us.

    Besides, we'd need to undo the mess he made to do it right anyway.

  5. #5
    Join Date
    Jul 2006
    Posts
    8,648
    You have all the right licensing fees for all that, Tog?

  6. #6
    Join Date
    Oct 2005
    Location
    Northern Utah
    Posts
    5,199
    Yeah, none of that is an issue.

  7. #7
    Join Date
    Jul 2006
    Posts
    8,648
    If nobody can give you a good answer by the time Lil Bro gets off work tonight I'll ask him for you.

    (He's a server and VMware Subject Matter Expert for NASA's Constellation Project. He might be able to help. Willing to is a separate issue.)

  8. #8
    Join Date
    Jul 2006
    Posts
    8,648
    Also, he gets "funny" when I talk about what he does over the internet so before I show him this thread I'll edit these two posts to say something else.

  9. #9
    Join Date
    Dec 2005
    Posts
    14,315
    Quote: Originally Posted by Tog_
    No, I mean one username for everyone. That's the way we had it set up before and everything worked fine.
    Tog, this may be what you want, as it worked for you in the past. It is not what you need. What you need is for everyone to be able to access public files on your server, while personal files, those belonging to each user, are accessible only by that user.

    This is done by managing the share permissions of the folders on your server.

    It's fairly simple, really, for one who has set/reset folder permissions a couple of thousands of times. But I've spent 2 hours on the phone talking bright, computer literate people through resetting folder permissions on as little as 3 folders only to find out later they've royally jacked things up (and blamed me for it).

    You need to hire an MCP (Microsoft Certified Professional) whose certification is in Windows Server NT 4.0, 2000, 2003, or XP. The permissions are handled much the same way throughout these platforms.

    I wouldn't tell him what you want done (he'll probably do it). Rather, tell him your goal:

    1. Desire to retain currently separate logons.

    2. Desire for everyone to be able to access common files.

    3. Desire for each user to have access to their own individual folder on the server.

    If you don't need #3, it simplifies things a lot, as you just share the common folder NOT with everyone, but with the user group or domain of your company.

    Ensure you make regular and frequent backups, as 40% of all major snafus involve disgruntled employees, and it's always the companies who say, "It'll never happen to us - we all know each other" who wind up wondering how in the world they're going to rebuild the last five years of hard work.

    Additionally, I'd recommend you plan for, budget, and fund a network security audit. This isn't just to keep the baddies out. It's also to identify things like the fact that you're balancing your company's existence on an operating system that's three generations old, with questionable security controls (did you factor in physical security? One swift kick to your server...)

    In short, you don't know it, but you're sitting on a time bomb. Fix it now, the right way, while it's both easy and cheap.

  10. #10
    Join Date
    Oct 2005
    Location
    Northern Utah
    Posts
    5,199
    I understand and agree with all of that. But it won't happen.

    We had a pipe burst in 2005. Water ran through the tower, with the power on for close to two full minutes. The computer shut down while I was standing in front of it with a garbage can trying to catch the flood of water.

    The only thing that stopped working was the phone modem, so that's all that was replaced. I've been arguing for a stable and updated server for years. It won't happen.

    When we got this IT guy, I thought there was a chance. Not one thing he tried to do actually worked. We kept him on because he was cheap and knew the right words. That's the way the owner operates.

    The way the system was before all this was tolerable. We just need a way to undo the changes.

    BTW, I am an MCP in Server 4.0. I don't have the faintest idea what this guy did. He told me once that he likes to set up his networks the same way big corporations do. Two sentences later he told me he was completely self-taught. I was pretty sure we were doomed before that.

  11. #11
    Join Date
    Sep 2004
    Posts
    318
    Do you know if he set up a domain and Active Directory?

    If so, log on to the server, click the Start Button, look for "Administrative Tools", click that, then click "Active Directory Users and Computers".

    Click on the folder labelled Users and you will see a list of all the users and groups. You can delete users from there, and right-clicking on a user name will give you a context menu where you can reset the password for that user and also look at the user properties.

    Let's start there and tell me what you see. Be careful to not delete any users or groups that the system needs. In fact, rather than deleting any user you can right-click on the user name and then click "Disable User". This will stop anybody from logging on as that user but you can get it back if you need to.
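
The console steps in post #11, together with the single staff group and common folder suggested in posts #3 and #9, can also be done from a command prompt on the server. This is an added example, not part of any post in the thread; it assumes a Windows Server 2003 domain controller with Active Directory, and `EXAMPLE`, `olduser`, `clerk1`, `OfficeStaff` and `D:\Common` are placeholder names.

```bat
@echo off
rem Added example, not from the thread. Run at a command prompt on the
rem Server 2003 domain controller, logged on as a domain administrator.
rem Placeholders (assumptions): EXAMPLE, olduser, clerk1, OfficeStaff, D:\Common

rem 1. Inventory before changing anything: all accounts, then those already disabled.
dsquery user domainroot -o samid -limit 0
dsquery user domainroot -disabled -o samid

rem 2. Show the domain password policy (maximum password age, history, lockout).
net accounts /domain

rem 3. Disable a departed user's account instead of deleting it.
rem    Reversible later with: dsmod user -disabled no
dsquery user domainroot -samid olduser | dsmod user -disabled yes

rem 4. One group for the staff; each person keeps an individual account
rem    and is added to the group as a member.
net group OfficeStaff /add /domain
net group OfficeStaff clerk1 /add /domain

rem 5. Give the group Change rights on the common folder and its subtree.
rem    /E edits the existing ACL instead of replacing it.
cacls D:\Common /T /E /G EXAMPLE\OfficeStaff:C

rem 6. Review the resulting ACL.
cacls D:\Common
```

Running steps 1 and 2 on their own changes nothing and gives a record of what the previous administrator set up.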

  12. #12
    Join Date
    Sep 2004
    Posts
    318
    Also, I don't need to know any specifics about your company, user or computer names, IP addresses or any other specifically identifying information. You should NOT post anything like that in this thread.

    Related to that, is this network connected to the internet at all? As people have mentioned, your setup is not ideal security-wise, however this is less of a problem if these systems are isolated.

  13. #13
    Join Date
    Oct 2005
    Location
    Northern Utah
    Posts
    5,199
    Thanks.

    Yes, the system is able to access the internet. There is no way around that.
    I'll look for an Active Directory tomorrow.

    My thought is that we set up two users. User 1 would be the admin, and user 2 would be the clerks. The clerks would have admin privileges on the local machines. Or limited admin over some of the key bits. Right now, my username is the only one that can delete failed jobs from the print queue, along with other things that we really all need to be able to do.

    Another application needs to be left running through two different shift changes. It does no good for me to set it up on mine because it won't be active when the morning person logs on.

  14. #14
    Join Date
    Sep 2004
    Posts
    318
    One problem you may have right away is you may not see a button or link for "Administrative Tools" after you click the Start button. You can fix that by:

    1. Right-clicking the "Start" button
    2. Click "Properties"
    3. Click the "Start Menu" tab if it is not already open
    4. Click "Customize"
    5. Click the "Advanced" tab
    6. Under "Start Menu Items" scroll down to the bottom
    7. Under the listing for "System Administrative Tools" select "Display on the All Programs menu and the Start menu."
    8. Click "Ok" twice.

    You should now see a listing for "Administrative Tools" after you click the "Start" button.

  15. #15
    Join Date
    Dec 2005
    Posts
    14,315
    Small company, huh, Tog? Given your MCP, have you considered setting up a proper network, superordinate to your current one (use much of the same hardware, except a new server (try Open Solaris... free)), and just migrate things along in the background until, one day, someone scratches their head and wonders if anything's changed?

  16. #16
    Join Date
    May 2002
    Posts
    670
    I really can't offer any suggestions, Tog_, as long as details regarding hardware and network configurations, OS, and software applications are not forthcoming. This includes details on the Palm.
