Configuring 2k3 server

[+BudMan MVC]

When did I say any different? But your laptop is not always on a trusted network for example ;) On the job you might visit customer networks, vendor networks, any sort of wireless network you might to use - they don't all use client isolation, and your not always behind router to the internet, etc.

Another example when users take their work laptop home and plug it into their cesspit of viruses and worms they call a network.

Sometimes your trust border gets shrunk down to your machines interface -- so unless your going to carry around a hardware firewall with you all the time... It some cases you need to be able to use the network but block access to services that normally run on your machine from that network.

Now true you could always just make sure these services are turned off when not on your trusted network -- but that can be PITA to do, easier to just have a software firewall block those ports when not on a trusted network.

[sc302 Veteran]

When did I say any different? But your laptop is not always on a trusted network for example ;) On the job you might visit customer networks, vendor networks, any sort of wireless network you might to use - they don't all use client isolation, and your not always behind router to the internet, etc.

Another example when users take their work laptop home and plug it into their cesspit of viruses and worms they call a network.

Sometimes your trust border gets shrunk down to your machines interface -- so unless your going to carry around a hardware firewall with you all the time... It some cases you need to be able to use the network but block access to services that normally run on your machine from that network.

Now true you could always just make sure these services are turned off when not on your trusted network -- but that can be PITA to do, easier to just have a software firewall block those ports when not on a trusted network.

solution: disable their network cards, give them a 3g/4g card, disable their access to the 3g/4g software, when they launch the vpn connection it auto connects to the wireless provider then connects to the vpn (how my cops connect to the network using laptops in their cars). f the software firewall crap, use the internet when connected to the vpn. It is company property.

[+BudMan MVC]

That solution works for you - but not all companies are going to give 3g cards to all their laptop users. Also thats a bit costly for home users ;) Ie my son's laptop when he is connected to his schools cesspit which he needs access to - so even if I gave secure option to the internet. This is not always an option - also you can not always disable the network card. You need to access a customer network to do some work for them, they use the network card at work -- how do you stop them from plugging this into their home cesspool? etc.

Not sure why we are even debating this -- I agree with you ;) But in some cases the need of a software firewall comes into play - are they all made equal, no -- many of them are CRAP! And most of these antivirus companies should stick with antivirus.. Not a fan of the combined "suites" at all.

99.99% of the time the firewall that comes with your OS should be enough - simple enough to use. Block inbound unrequested traffic to services listening on my machine unless I allow it sort of thing. When connected to an untrusted network - this should be default action, etc.

Disable when connected to domain, not connected to domain - then firewall on disable all inbound traffic. etc. etc.

BTW - another place that firewalls can get installed, that can cause users issues is vpn clients.. For example cisco vpn causes issues all the time for users, since they don't understand it has its own firewall that can conflict with your standard windows one.

[sc302 Veteran]

Thanks for agreeing. can we somehow patition that these security companies stop with the software firewalls included in their all in one products? really it is a pita to work around esp when there is no consistancy between brands. some you have to really dig to find the custom area to manually configure ports others is right there in the open, others give you a generic few, and others give you unnecessary features that do absolutely nothing other than give you grief. What gets me is that the average user buys into this as better or best security, when they don't even know wtf they have in the first place.

[+BudMan MVC]

Preaching to the choir their buddy!

[sc302 Veteran]

Preaching to the choir their buddy!

I know, but can't we do something about it.

[+BudMan MVC]

Like what?? Other than informing the users we deal with not to install software they do not understand and do not know how to configure -- there is NO way your going to get the software companies to stop their practices - no matter how much we might not like them.. Selling users crap they don't need is a HUGE CASH COW!!

Your pet peeve might be software firewalls - mine is partition managers ;) There are how many on the market? Selling for like $50 a pop - I just don't get it, these tools are needed by maybe 0.0001% of the users. When 99.99999% of what a normal user needs to do with their partitions is more than handled by the built in tools they already have access too. Does not matter what OS your talking about, windows, linux, bsd, beos -- every OS on the planet can create/delete partitions and format them with a filesystem they can use, etc.

Yet pretty much every single thread you get where a user even mentions partition, and you get some parrot touting they need partition manger this, or wizard this -- when the poster has not even given a clue to what they want to do.. But mention partitions and a vast amount of users "think" they need some 3rd party tool to handle it - be it one they fork over $50 for something they might do once in the life of the machine that the built in tools can do, or even if somewhat non standard thing - there are most likely 10 free tools that could accomplish the task, or some other way to skin the cat without any other tools.. ie take an image of your OS, or just plain reinstall -- freaking heck users quite often reinstall on a drop of a hat, there's icon missing or out of place -- reinstall! ;)

But when it comes to wanting to do something with their partitions -- oh man I need to buy or warez some "magic" software so I can create a freaking partition.. How many users do you see that think they need 3rd party tool to create a freaking linux partition.. Blows my mind -- WTF do not think a OS can create its own partitions and filesystems?? :blink:

Now you got me a million miles off topic and ranting about partition managers ;) heheheeh Way to Go!

[sc302 Veteran]

What I do best. I am a thread derailer. Be glad it still is tech, I am sure I could find a way to incorporate boobs, tatas, nipples, or breasts into this and people posting pics of such.

[+BudMan MVC]

What about our discussion about what burger you had, and what was on it ;) heheheh --- I could not sleep until I got the details on that :rofl:

[sc302 Veteran]

lol....mmmm........rofl

[sc302 Veteran]

did you ever find out and cheats for texas holdem for the black berry. I believe what i linked to was a April Fools joke.

[+BudMan MVC]

yeah that was a JOKE.. No I didn't find any cheats ;) But Im currently on a roll -- have over 240K in cash, won quite a few single table tournaments, and just recently hit a 5K buy in 15 table for 150K.

Currently working on winning World Series, like 97 players left out of 5k and have 1.5 mil in chips!! So looking good to finish REAL high if not out right ;) Freaking blinds are 5k/10k currently.

[anderground]

What I do best. I am a thread derailer. Be glad it still is tech, I am sure I could find a way to incorporate boobs, tatas, nipples, or breasts into this and people posting pics of such.

lolll, go ahead, i (as the 'owner' of the tread) don't mind :laugh:

i would ask what does "users" of 2k3 actually mean ?

i mean if i join (add) a comp to the domain, does it mean that all user accounts of that comp have access to server?

or, can i add a user without coresponding computer to the domain? :blink:

[sc302 Veteran]

lolll, go ahead, i (as the 'owner' of the tread) don't mind :laugh:

i would ask what does "users" of 2k3 actually mean ?

i mean if i join (add) a comp to the domain, does it mean that all user accounts of that comp have access to server?

or, can i add a user without coresponding computer to the domain? :blink:

when you add a computer to the domain, local users are local users and can only access local computer settings, domain users can logon to the pc and use domain resources. they are 2 totally different types of users. when adding new users you add them to the domain. by default anyone in the domain users group can logon to a pc.

[anderground]

when you add a computer to the domain, local users are local users and can only access local computer settings, domain users can logon to the pc and use domain resources. they are 2 totally different types of users. when adding new users you add them to the domain. by default anyone in the domain users group can logon to a pc.

hi 302 and thanks.

does a domain user have to have a corresponding user account on a domain member client computer.

for example, if there are only users 'mike' and 'peter' on a local comp, could the user 'john' who is a member of the domain, access server through that local comp, if he's logged in the local comp as 'mike' who is not a member ?

edit:

"by default anyone in the domain users group can logon to a pc."

which pc ?

if some local client, how so if that user doesnt have his account on that pc?

[sc302 Veteran]

hi 302 and thanks.

does a domain user have to have a corresponding user account on a domain member client computer.

for example, if there are only users 'mike' and 'peter' on a local comp, could the user 'john' who is a member of the domain, access server through that local comp, if he's logged in the local comp as 'mike' who is not a member ?

edit:

"by default anyone in the domain users group can logon to a pc."

which pc ?

if some local client, how so if that user doesnt have his account on that pc?

"does a domain user have to have a corresponding user account on a domain member client computer."

no this would make administrating a network a absolute nightmare and would never ever fly. A domain user account is completely seperate. As a matter of fact the only user on any of my computers on any of my networks is the "administrator". There are no other user accounts on the local pcs.

"for example, if there are only users 'mike' and 'peter' on a local comp, could the user 'john' who is a member of the domain, access server through that local comp, if he's logged in the local comp as 'mike' who is not a member ?"

john would logon as john. he would not logon as mike or peter, this would be a security risk. no admin in their right mind would allow this to happen.

"which pc ?

if some local client, how so if that user doesnt have his account on that pc?"

when you join a pc to the domain several things happen. first it gets added to the active directory and is granted rights to be a member of the network within active directory, then the Domain Users group gets added to the Users group on the pc and Domain Admins gets added to the Administrators group of the pc. When you add a new user in Active Directory, the new user is automatically added to the Domain Users group. This gives the User that you just created access to a pc that has been joined to the Active Directory Domain.

[anderground]

so, it means, there's no that logon screen (with all users on it) when domain member pc is booting up (as it's the case with workgroup computer) ?

/i have just 1 user on my testing pc's so i wasnt able to check it myself, but im gonna open 1 more user account on one of them, im curious :)/

[anderground]

i have tried to add a new (Restricted) user account to the client xp machine and got this:

This user could not be added because the following error has occured:

The trust relationship between this workstation and the primary domain failed.

and when i tried to add a Standard user:

... could not be granted Standard user access because

testdomain1.local/user2 does not exist

so does it mean that i have to join that user to the domain prior to creating its account on the client pc ?

[sc302 Veteran]

so, it means, there's no that logon screen (with all users on it) when domain member pc is booting up (as it's the case with workgroup computer) ?

/i have just 1 user on my testing pc's so i wasnt able to check it myself, but im gonna open 1 more user account on one of them, im curious :)/

you have to ctrl+alt+del. you can either signon with domainname\username or you can sign on with username@fqdn you do not click on a user to logon with, you have to type it out.

it will be easier if I show you. mind if we do a quick remote session?

I pm'd you with instructions.

[sc302 Veteran]

pm me when you are ready. there is something you are not understanding. It will be so much easier for me to show you. I am walking away to spend a little time with my wife and kid. I will be available in another hour. you can open that link i sent you and hang out in there for a bit. it is just a chat room between you and i.

[anderground]

pm me when you are ready. there is something you are not understanding. It will be so much easier for me to show you. I am walking away to spend a little time with my wife and kid. I will be available in another hour. you can open that link i sent you and hang out in there for a bit. it is just a chat room between you and i.

ok im there (you helped me once already, so i know the procedure :) )

[sc302 Veteran]

back again...

[anderground]

i want to once again say thanks to sc302, because i only now understand the concept of server user. (Y)

i have a couple of questions:

1) when i'm logged as a server user (through a client pc) in the list of installed programs /AllPrograms/ some progs are missing (for instance CCleaner). ?

2) the user is not allowed to access system folders nor to install programs, but it's allowed to update antivirus prog ??

[+BudMan MVC]

"1) when i'm logged as a server user (through a client pc)"

You mean a domain account ;)

As to them missing things on their start menu, sure -- they have their own profile.. Just like local accounts. Every account on a machine will have its own start menu.. Notice when you install software it asks to install just for you or everyone on machine.. This determines where it places the start menu items.. You can always copy, create whatever menu items you want. You have Default user and All users profiles to use for what gets placed into new profiles by default, and what all users have access to.

"2) the user is not allowed to access system folders nor to install programs"

Just like local accounts, NTFS permissions and user rights come into play -- by default when a box joins a domain, domain users are not placed into the ADMINS group on that local machine - they would be just normal users. So yeah they are not going to have limited permissions. You give user accounts permissions or rights to what you want on a machine by adding them to the different groups or and or adding their accounts to specific rights on the machine with the local security policy or now that members of a domain - you can assign rights at the domain level, etc.

Or you can always set the NTFS permissions on a folder, etc. This is no different than with local accounts, but when a machine joins a domain - you can now pull accounts from the central user database that is the domain, vs just accounts on your local machine. By default the domain admins group would be admin on the box, and domain users would be users.. You can change these how you see fit.. But I would not suggest giving domain users admin rights on a machine.

[anderground]

got it (Y)

thanks a lot BudMan