Granting access permissions

You need to assign users the appropriate permissions to perform daily tasks, such as accessing the Internet, shared files, your internal Web site, or e-mail. Assigning users more permissions than necessary to complete their task can result in inadvertent deletion of important files or unintended access to an Administrator account, and can then control the network and cause damage. Thus, it is strongly recommended that you assign only the permissions that users need to perform their jobs.

Windows Small Business Server 2003 provides predefined user templates to help you assign the appropriate level of access when creating user accounts, as shown in the following table.

 

Template name Access based on template type

User

Has access to network printers, shared folders, fax devices, e-mail, and the Internet.

Mobile User

Has all permissions from the User template, plus can also connect to the server over dial-up or VPN connections.

Power User

Has all permissions from the Mobile User template, and can also manage users, groups, printers, shared folders, and faxes. Power users can log on remotely to the server but cannot log on locally.

Administrator

Has unrestricted access to the server and the domain.

Each user account based on a user template is granted a specific level of access to network resources. Using these templates helps ensure that users receive only the minimum level of access they need. For example, user accounts that are based on the User template do not have remote access to the local network by using a virtual private network connection, but user accounts based on the Mobile User template do have this access. Therefore, if you want a user to have remote access to the local network, you can create the user account based on the Mobile User template. You can also create your own user templates to specify custom settings.

If a user on your network wants administrative permissions but does not need them for daily tasks, you can assign the user a typical user account based on the User template for daily tasks, and a second account in the Domain Administrators group, for unrestricted access to the domain for specified situations.

Important

  • Because user accounts based on the Administrator template are very powerful, it is recommended that you do not create user accounts based on the Administrator template unless absolutely necessary.
  • It is recommended that you assign permissions to resources on the local network, such as shared files and folders, or line-of-business applications. For more information about assigning permissions to shared folders, see "Set permissions on a shared resource" at the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=53417).

Community Additions

ADD
Show: