|
Main Menu:
|
|
|
|
Delete logfiles older than
|
Use this function to delete logfiles of ComputerNames deleted from Your Domains
ServerManager. The button deletes all logfiles, but they are regenerated from
W2kLocalGroupRights.exe running on Your clients LoginScript.
|
|
Activate / Disable Configura-tionfiles
|
The 8 txt-files (1-LR) – (4NR) holding ComputerNames, DomainUserNames and LocalUserNames dosn’t work before You Activates them.
Activating is done for each of the
built-in local groups on the W2k-clients:
Administrators, Backup operators, Guests, Power Users, Replicator and Users.
If You want to disable one or more of the 8 txt-files, don’t delete the
file(s), just Disable /them.
Activating/Disabling the txt-files works from the next run of W2kLocalGroup-Rights.exe
on Your clients LoginScript.
|
|
(1-LR)
|
YES: DomainUsers using ComputerNames in
£’Computer’-DomainUserYes.txt
For each activated local group one
txt-file for each computer holding the DomainUserNames You want to create as a member of the activated built-in local group on this computer.
We recommend using this LowRisk ConfigurationRule
|
|
(1-NR)
|
NO: DomainUsers using ComputerNames in £’Computer’-DomainUserNo.txt
For each activated local group one
txt-file for each computer holding the DomainUserNames You want to remove from the activated built-in local group on this computer.
|
|
(2-LR)
|
YES: LocalUsers using ComputerNames in
£’Computer’-LocalUserYes.txt
For each activated local group one
txt-file for each computer holding the LocalUserNames You want to create as a member of the activated built-in local group on this computer.
|
|
(2-NR)
|
NO: DomainUsers using ComputerNames in £’Computer’-LocalUserNo.txt
For each activated local group one
txt-file for each computer holding the LocalUserNames You want to remove from the activated built-in local group on this computer.
|
|
(3-HR)
|
YES: Everybody using Computernames in £ComputerNameYes.txt
For each activated local group one
txt-file holding the ComputerNames where You want to create everybody who logins as a member of the activated built-in local
group on these computers.
Warning:
Only use this HighRisk ConfigurationRule
on computers where a lot of users logins. Everyone who logins to these
computers, gains total admin-power over all the other computers in this file,
if You activates it for the built-in local Administrators group.
|
|
(3-NR)
|
NO: Nobody using Computernames in £ComputerNameNo.txt
For each activated local group one txt-file holding the ComputerNames where You want to remove every DomainUser (who logins) from the activated built-in local group on these
computers.
|
|
(4-HR)
|
YES: The user on any Computer if DomainUser in £DomainUserYes.txt
For each activated local group one
txt-file holding the DomainUserNames You want to create as a member of the activated built-in local group on any computer on
Your Network.
Warning: If You activates this ConfigurationRule for the built-in local
Administrators group, the DomainUsers in this file gains total admin-power on
all the computers he/she logins to on Your Network.
|
|
(4-NR)
|
NO: The user on any Computer if DomainUser in £DomainUserNo.txt
For each activated local group one txt-file holding the DomainUserNames You want to remove as a member of the activated built-in
local group on any computer on Your Network.
|
|
Create Reports:
|
|
|
|
When did Your users reboot their com-puters last time
|
Important: You should run this report frequently!
Activating ConfigurationRules doesn’t
really ensure, that the DomainUsers and LocalUsers are created or removed
from the local groups on the W2k-client computers.
All Your activated ConfigurationRules are only run on the computers, when
Your users logins to Your computers, and if You have forced them to run
W2kLocalGroupRights.exe in their LoginScript.
So it becomes important, that Your users logins every day. Use this report to
ensure, that Your users does it. Running the report, You have an apportunity
to make a NET SEND message to the computers, not being rebooted frequently.
You can also run this report by making a shortcut to W2kLastReboot.exe
saved in the log-file directory on Your server.
|
|
Members of local admin group on all compu-ters
|
Here You can find all the DomainUsers and LocalUsers being members of the local Administrators Group on every
W2k-computers attached and running on Your Network.
|
|
Passwords for local adminini-strator on the client computer
|
The local administrators password on Your W2k-clients must be different
for each of Your W2k-clients!
Otherwise any of Your DomainUsers guessing/hacking the password will gain total control over all
of the other W2k-client computers, from his/hers own W2k-client computer.
Because of this security-risk, all Your users running W2kLocalGroupRights-.exe
will have a random password generated for the local administrator. The random password will only be generated if the global Domain Admins group is a member of the local administrators group, and if the random
password can be processed in this report.
This shouldn’t give You any problems, as the global Domain Admins group always is a member of the local administrators group on each W2k-client
computer.
If You want to know the random password generated, then use this report.
You can also run this report by making a shortcut to W2kLocalPassword.exe
saved in the log-file directory on Your server.
|
|
Split following reports if X of first characters in compu-ternames are
identical
|
If You have choosed to arrange Your
ComputerNames starting with the same characters for every department, and
with other same characters for the other departments, You can split the
reports for each department.
Input the number of characters, that are the same for each department.
|
|
Users not granted rights because of the current rules
|
Here You can find all the DomainUsers and LocalUsers that has been removed from the activated local groups on all the computers on Your Network.
|
|
Users granted rights because of the current rules
|
Here You can find all the DomainUsers and LocalUsers that has been created on the activated local groups on all the computers on Your Network.
|
|
Activating / Disabling Configuration Rules:
|
|
|
|
Activate / Disable Configura-tionfiles
|
The 8 txt-files (1-LR) – (4NR) holding ComputerNames, DomainUserNames and LocalUserNames, and the 5 ConfigurationRules (5-HR) – (8-NR), doesn’t work
before You Activates them.
|
|
(5-LR)
|
Every character in ComputerName
identical with LoginName
For each activated local group the DomainUser is created as a member of the activated built-in local group on the computer if
ComputerName is identical with the DomainUsers name.
|
|
(5-HR)
|
Characters (from left) in ComputerName
identical with LoginName
For each activated local group the DomainUser is created as a member of the activated built-in local group on the computer if
the characters (You input) from left in
ComputerName is identical with the charactes
(from left) in DomainUsers name.
Example:
ComputerName = SALES01
DomainUserName= SALESJOHN
Characters =
5
Warning:
If You activates this ConfigurationRule for the built-in local Administrators
group, and You choose a low number of characters, many of Your DomainUsers
can gain total admin-power on all the computers he/she logins to on Your
Network.
|
|
(6-LR)
|
Number of logins before earlier granted
users are removed
For securityreasons the activated ConfigurationRules is only activated from
the second time, the user logins to the computer.
If all Your users always uses their own computer, and nobody uses their
colleagues computers, You should set this ConfigurationRule to 0 (zero).
When users borrows each others computers, they have to make 2 logins each
time they get back to their own computer (before the ConfigurationRules have
effect).
If that is a problem, set this ConfigurationRule for each of the activated local groups.
|
|
(7-NR)
|
NOBODY but the LocalAdministrator and
DomainAdminsGroup
Set this ConfigurationRule for the activated local administrators group if You want to be totally sure, that no other
than members of the global Domain Admins group gains total admin-power on all computers.
|
|
(8-NR)
|
Remove Local users other than LocalAdministrator and DomainAdminsGroup
Warning: Setting this rule for the activated local Guests groups, You will remove the local guest user from the local Guests group.
|
|
User Contact:
|
Write Your occupation, name and phone
number here, because this will be used in messages to Your users.
|
|
Path on server:
|
Input the local hard disk drive letter
on the server, where You want the log-files to be created (same place as
W2kLocalGroupRights.exe)
|
|
ServerName
|
Input the servers name in Your domains
Server Manager preceded with \\
|
|
Servers DomainName
|
Input the DomainName where the server is
installed.
|
|
Built-in local groups:
|
|
Administrators
|
Members of this local
group have full control over the computer. It is the only built-in group that
is automatically granted every built-in right and ability in the system.
|
|
Backup Operators
|
Members of this
local group can back up and restore files on the computer, regardless of any
permissions that protect those files. They can also log onto the computer and
shut it down, but they cannot change security settings.
|
|
Guests
|
This local group allows occasional or
one-time users to log on to a copmuters built-in local
Guest-User and be granted limited abilities. Members of this local group can also shut down the system.
|
|
Replicator
|
This local group
supports directory replication functions. The only member of this local group should be a DomainUser
used to log on the Replicator services of the domain controller. Do not add the
DomainUsers of actual users to this local
group.
|
|
Power Users
|
Members of this
local group can create local UserNames, but
can only modify and delete their own local
UserNames. They can create local groups and
remove local users from their own local groups.
They can also remove local users from the local Power Users, local
Users, and local Guests groups.
They can’t modify the local Administrators or
local Backup Operators groups, nor can they
take ownership of files, back up or restore directories, load or unload
device drivers, or manage the security and auditing logs on the computer.
|
|
Users
|
Members of the Users group can perform most common
tasks, such as running applications, using local and network printers, and shutting
down and locking the workstation. Users can create local groups, but can
modify only the local groups that they created. Users cannot share
directories or create local printers.
All new Local Users
created are added to this group.
|
