Managing users and computers on a Windows network

By Ray Smith

Network security and reliability are areas of management control that are commonly left to the IT technician employed to set up the system. This article provides a non-technical overview of how setting up Windows Server to reflect your organisation’s structure can improve IT service reliability and security.

In smaller organisations, the Windows Server network is typically set up by third-party IT technicians with minimal consultation with the client about how it should be configured.

Sometimes techies can’t be bothered to explain the available options to non-technical management and go for a ‘default’ setup that allows most users to do most things. Equally, managers are often not inclined to display their ignorance by asking questions and accept that, as long as everyone in the network is ‘connected’ then the job is done.

Matching your network installation more exactly to the needs of the organisation can offer major benefits throughout the lifetime of the computer system. Staff within your organisation are the ones who understand how the business operates and have a key role in communicating their requirements to the technical people to implement.

This doesn’t need a deep understanding of how the Windows operating system works. A good IT technician should be able to advise on what is practical and reflect your organisation structure in the configuration used when setting up the system.

The tools available in Windows Server

At risk of making Microsoft Certified Engineers wince, here, in lay terms, is what technicians have to play with: 

Active Directory

The overall structure of the computer system, the relationship between multiple servers and sites, and details of all the connected computers, printers and users are held in an internal Windows Server database called Active Directory.

Every user has a profile which defines:

  • What resources they can use in the network
  • Where their personal filing space is
  • Which folders they are allowed to access
  • What they can do with the files they can see and
  • What their own computer desktop looks like on the screen. 

If the system includes Microsoft Exchange Server, then there are further configuration options concerning e-mail setup and restrictions which work, effectively, as an extension of the user profile. 

Group Policy

Many of these settings can be applied to a whole group of people or computers using a facility known as Group Policy, which can save a lot of time when setting up new users or making changes that affect a group of users.

For example, you might have an ‘accounts’ group of computer users who need to access financial software and data. An appropriate set of rights and permissions can be established for that group which excludes other personnel from accessing the accounts services. New accounts users will automatically inherit all the appropriate settings by simply being joined to that group.

Similarly, a ‘personnel’ group might be set up for HR staff. Managers may need the same level of access as ‘accounts’ users to financial software but be able to access ‘personnel’ services as well. The ‘managers’ group could reflect this.
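For readers who want to see what this looks like from the technician's side, the following PowerShell sketch sets up the three groups described above and restricts a shared accounts folder to them. It is an added illustration, not part of the original article; the domain name, OU path and folder path are hypothetical placeholders, and it assumes the Active Directory PowerShell module on a domain-joined server.

```powershell
# Added illustration. EXAMPLE, the OU path and D:\Shares\Accounts are
# hypothetical placeholders; substitute your own values.
Import-Module ActiveDirectory

$ou     = 'OU=Groups,DC=example,DC=org'   # hypothetical OU for role groups
$folder = 'D:\Shares\Accounts'            # hypothetical accounts data folder
$domain = 'EXAMPLE'                       # hypothetical NetBIOS domain name

# One security group per role named in the article.
foreach ($name in 'accounts', 'personnel', 'managers') {
    if (-not (Get-ADGroup -Filter "Name -eq '$name'")) {
        New-ADGroup -Name $name -GroupScope Global -GroupCategory Security -Path $ou
    }
}

# Managers receive everything 'accounts' and 'personnel' receive by being
# nested inside both groups, so there is no separate rule set to maintain.
foreach ($parent in 'accounts', 'personnel') {
    $already = Get-ADGroupMember -Identity $parent | Where-Object Name -eq 'managers'
    if (-not $already) {
        Add-ADGroupMember -Identity $parent -Members 'managers'
    }
}

# Restrict the accounts folder: stop inheriting permissions from the parent
# folder (inherited entries are dropped), then grant access explicitly.
$acl = Get-Acl -Path $folder
$acl.SetAccessRuleProtection($true, $false)
$entries = @(
    @{ Who = 'BUILTIN\Administrators'; Rights = 'FullControl' },
    @{ Who = 'NT AUTHORITY\SYSTEM';    Rights = 'FullControl' },
    @{ Who = "$domain\accounts";       Rights = 'Modify' }
)
foreach ($entry in $entries) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $entry.Who, $entry.Rights, 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $folder -AclObject $acl

# Review the result: every entry should be explicit (IsInherited = False).
(Get-Acl -Path $folder).Access |
    Format-Table IdentityReference, FileSystemRights, IsInherited
```

A new member of the accounts team then needs only one change, being added to the ‘accounts’ group, and removing them from the group withdraws the access again.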

What you can control through Profiles and Group Policy

  • Allocating an appropriate level of access to software applications for every user sharing computer resources. 
  • Controlling the ability of users to read/copy/move or delete documents or folders. Senior staff have been known to resort to keeping work on local disk drives or memory sticks to avoid ‘snooping’ by network users. They then run the risk that these files are missed by the corporate backup system and lost in the event of computer failure. Controlling this through Group Policy is a better approach.
  • Managing the way users’ logon passwords are set up: setting minimum standards of complexity and imposing regular refreshing of passwords.
  • Setting limits to the size of mailboxes or message attachments so that sloppy mail management doesn’t lead to a ballooning file store.
  • ‘Locking down’ computers by restricting the range of activities they can perform. You can prevent software applications from being added or deleted without authorisation and restrict the options available in program menus.
  • Establishing ‘roaming profiles’ which enable users to log on at any computer in the network and see their own personal desktop.

What you need to tell the techies

Now you have an overview of what’s possible. The next step is to let the techies know:

  • How is the business organised into teams and departments and who are the members of these teams?
  • What level of access to specific applications and files does each type of user need?
  • Do individual users need to log on to more than one computer (possibly in different offices) as part of their role?
  • What level of system security is appropriate to your organisation; are there some highly sensitive applications containing personal data for example?
  • Are there particular problems with providing a computing service to less-skilled, remote or part-time users that need to be addressed?
  • What are acceptable size limits for users’ mailboxes? Has the mail system become slow or unreliable because of the quantity of messages stored?

Make sure you discuss all this with the people undertaking the installation, preferably before they arrive on the day. You can improve the smooth running of the operation, enhance security and consistency, and cut down on IT support costs if you can avoid having to apply rules and constraints on a user-by-user basis in response to events as they occur.

While installing a new system you have the best opportunity to consider a radical review of the setup, but there is no reason why you cannot apply some of these features to an existing system if some short-term disruption is acceptable to achieve a long-term improvement.

A word of caution

Windows Server is a wonderful toy box for engineers to play with. You can end up with a system so ‘locked down’ that every new piece of software or small change in procedures needs a technician to come in and make it work. This is irritating for users and can be a significant cost if you depend on external support. The trick is to find the happy compromise that is productive without being oppressive.

Implementing roaming profiles over a wide area network (i.e. between remote offices) can give rise to performance problems and may be unworkable when desktop computers are using different versions of Windows.

Case Study

A charity helping clients with drug dependency problems had around 70 staff, half of whom were part-time ‘field’ workers, who used the computer system infrequently but needed access to email, some word processing and a client record database. Many of these workers had limited computer skills and staff turnover was quite high so IT training was a significant ongoing overhead. There was also concern about the very sensitive nature of the data to which they had access.

These issues were discussed before installation of a new Windows Server-based system and it was decided to lock down the service as far as possible, based on user profiles. A high complexity user password needing regular refreshing was imposed and users were restricted to directories containing specific applications that they needed. By setting rules using Group Policy it was possible to customise settings for a whole group of users in one operation. 

By using roaming profiles, field staff were able to log on to any of a small group of shared workstations while in the office and have access to their personal resources like email and a standard desktop view.

These measures enabled users with variable computer skills to be given access to applications they needed without a major training investment and without compromising the integrity and security of the system for other users. It also improved the utilisation of equipment and space because part-time workers were able to share a small ‘pool’ of workstations.

Managers felt more confident and in control of the computer service through understanding the way the rules were being applied and appreciating what tools could be deployed to overcome operational problems.


About the author

Ray Smith
ithelp.co.uk

Published: 11th May 2011

Copyright © 2011 Ray Smith
