Started looking at what a Windows domain looks like from an end user's perspective in a Windows 2003 based domain and comparing that with our Novell setup.
Firstly, I followed the default setup described in most Windows books, with the security settings described in M$'s guidelines. This produces two shares, one which holds users' profiles, and the other which holds the redirected folders for My Documents, Desktop etc. Both shares are set up to allow automatic creation of folders for profiles & redirected folders, which means that anyone can use the same shares to create their own folders – pretty poor. In order to mitigate this, I presume I would have to create the relevant folders by hand and grant appropriate permissions so that each user only has access to their own folders. On the redirected folder share it is also possible to drill down one additional level to see which folders have been redirected. This contrasts with Novell's setup, where users can only see folders which they have rights to see. In our Novell setup the P: drive contains both the profile and redirected folders – the only place users can create folders and files is P:\ and below, and they can't even see other users' folders unless rights are specifically changed.
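One way to carry out the manual mitigation described above (pre-created per-user folders, permissions limited to the owning user, and a share root nobody can create in), as an added PowerShell example that is not part of the original post; the share path D:\Redirect, the domain name EXAMPLE and the user names are assumed placeholders:

```powershell
# Added example, not from the original post: pre-create one folder per user under the
# redirected-folders share and lock the share root so nobody can create top-level folders.
# Assumptions (placeholders): the share is backed by D:\Redirect, the domain is EXAMPLE,
# and the script runs as an administrator on the file server.
param(
    [string]$ShareRoot = 'D:\Redirect',
    [string]$Domain    = 'EXAMPLE',
    [string[]]$Users   = @('alice', 'bob')
)

$Full     = [System.Security.AccessControl.FileSystemRights]::FullControl
$Modify   = [System.Security.AccessControl.FileSystemRights]::Modify
$Read     = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute
$SubTree  = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$ThisOnly = [System.Security.AccessControl.InheritanceFlags]::None
$NoProp   = [System.Security.AccessControl.PropagationFlags]::None

function Set-ExplicitAcl {
    # Replace whatever the folder inherited with exactly the rules given.
    param([string]$Path, [object[]]$Rules)
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $false)   # $false: drop the inherited ACEs
    foreach ($r in $Rules) {
        $ace = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $r.Id, $r.Right, $r.Inherit, $NoProp, 'Allow')
        $acl.AddAccessRule($ace)
    }
    Set-Acl -Path $Path -AclObject $acl
}

# Share root: admins and SYSTEM get full control; users may only read the listing of
# this one folder, which closes the "create your own folder" path the defaults allow.
Set-ExplicitAcl -Path $ShareRoot -Rules @(
    @{ Id = 'BUILTIN\Administrators';           Right = $Full; Inherit = $SubTree },
    @{ Id = 'NT AUTHORITY\SYSTEM';              Right = $Full; Inherit = $SubTree },
    @{ Id = 'NT AUTHORITY\Authenticated Users'; Right = $Read; Inherit = $ThisOnly }
)

# Per-user folder: the owner gets Modify on their own tree and nothing on anyone else's.
foreach ($u in $Users) {
    $path = Join-Path $ShareRoot $u
    New-Item -ItemType Directory -Path $path -Force | Out-Null
    Set-ExplicitAcl -Path $path -Rules @(
        @{ Id = 'BUILTIN\Administrators'; Right = $Full;   Inherit = $SubTree },
        @{ Id = 'NT AUTHORITY\SYSTEM';    Right = $Full;   Inherit = $SubTree },
        @{ Id = "$Domain\$u";             Right = $Modify; Inherit = $SubTree }
    )
}
```

Users can still read the names of the other folders at the share root, so this gives the "drill down one level" visibility the post describes rather than Novell's behaviour of hiding folders the user has no rights to.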
From the end user's perspective, they just see the normal folder structure (on XP), My Documents etc., but all the files are flagged with a "sync" icon, so presumably a setting needs to be enabled (for students at least) to not mirror "My Documents" locally, otherwise a student PC will be slow to log in and log out and will leave trails of documents on local drives all over the place. Need to set "Do not automatically make redirected folders available offline" in the user's GPO (Admin Templates, Network, Offline Files) – this also gets rid of the "sync" icons…
Meanwhile I also had a stab at IIS, to allow access to users' home directories via the web. Essentially you can browse your home directory as a web site (so no uploads) or open it as a WebDAV folder. In order to reduce the number of web sites created you have to point at a directory above and allow users to browse down. In my test example I did this for a department – for students it would be difficult, as you'd be looking at a folder with several thousand users in! Again it's possible for users to create folders and upload files based on the default (recommended?) permissions. So WebDAV is not as convenient in some contexts – e.g. in an internet cafe? – but otherwise works well IF you create separate web sites for each user – unacceptable!?
What's clear is the security system on Windows is rubbish compared with NetWare, with more opportunities for mistakes to be made. Also the default setup is terrible – allowing users to create folders and files in what should be a tightly controlled area is appalling.