What is the best / preferred way to configure a corporate laptop for
both internal and external usage?

Is it best to configure the laptop with only local computer accounts
and then force the user to attach to shares using their network
username / password when they return?  Or, is it best to configure the
laptop with a proper machine account, in the domain, and then logon
using that account?  If I add the machine to the domain, then what user
account will the machine use when they are disconnected (a cached
version of the domain user, I hope)?

Sorry for the newbie'ish question.  I've always used the former of the
two, but I am looking for opinions.

Thanx,
Ryan

Show quote Hide quote Ryan,

You have several issues here.
1) How to authenticate to the laptop, when logging in to its desktop.
2) How to authenticate from the laptop, to other resources.
a) When connected to the domain.
b) When connected to other networks.
3) How to connect to the laptop, from other computers.
a) When connected to the domain.
b) When connected to other networks.

How much time, proportionally, will the laptop be used:
1) On the domain.
2) On other networks (and how many other networks)?
3) Standalone (Internet cafe, public library)?

What are the security policies of the domain?  How secure are the other
networks?

Is this a single laptop?  Are there other laptops being used?  Are there other
laptops being used, without thought to these details?

I don't think that this is a quick question to answer.  It may be fun discussing
the details though.

All good questions... just don't have a lot of time, unfortunately.

I have just taken over for someone for someone else, but generally all
laptops are configured the same... each laptop DOES have a computer
account within the domain, each has TWO sepearate accounts... one local
user account with admin-level access and one domain account.  Users are
logging in with the domain account when they are present and the local
when they are away from the office.

Until I arrived, security was non-existent.  Everyone had full control
over every resource on the domain and there was one HUUUUGE login
script to individual map every share and printer to every user, one by
one.  All user passwords are set to "Never Expire" and there is no form
of strong passwords in place.  Needless to say, this is changing.

Users no longer have full control to anything.  Security is now setup
properly at a resource / group level.  And, lastly, users do not have
admin level access on their machines.

Now, to answer your questions...

Generally, laptops are used 50/50 in the office an outside, on service
calls by our techs.

No other networks, other than a user's home network if they so choose
(not concerned there).

The 50% that is used outside of the office is generally used in a
disconnected manner.

At this point, domain security is at a resource level, more than
anything.  There is the conventional PDC/BDC setup, but I am trying to
ease this non-tech company into a proper environment.

Assume any network the laptop connects to, outside of our own, is
completely insecure.

Half of our machines are laptops and all have the same concerns.  I am
beginning to rebuild the first today, which is why I am finally
thinking of these items in detail.

Overall, the goal is the following...

     1. Users should only have the access they need to use their
machine and not more;

     2. While in the office, they do have access to the domain
resources (PDC, etc.);

     3. Preferably, they will use the same account while disconnected
and away from the office; and,

     4. These are non-tech users so simplicity is key.

That got the creative juices flowing?

Thanx,
Ryan



Chuck wrote:
Show quoteHide quote

Network sharing for only certain users - WinXP Pro
Home network only allows one-way traffic
Wireless networking questions
Connectivty on home network
Restrict Wireless Client to only our network
Can't connect to computers in my workgroup
How do i keep my XP Home computer awake
downloads crashing computer?
New Year MSIE 7 Conundrum
Sharing printer problem