El Ejecutivo en la Constitución de 1824

You’ll find creating the Installers group easiest while sitting at a domain controller:

1. Log in using an account with domain administrator rights and then start the Directory Service Administrator DSA.MSC _{by clicking Start/Administrative Tools/Active Directory Users and}

Computers. In the left pane, you’ll see an icon representing your domain with a plus sign next to it; click the plus sign to expand the domain.

2. Next, create the Installers group. Right-click the Users _{folder and choose New/Group.} 3. That raises a dialog box called Create New Object–(Group). In the field Name of New

Group, type in Installers. This will create a global group named Installers, which is what you want, so click OK and the dialog will close.

4. Back in the DSA’s menu, click View/Advanced Features. That will show the Security tab on the properties page, which will be essential to give Installers the permissions that it needs. 5. Next, you’re going to give the Installers group the ability to create new computer accounts

and by default computer accounts go in a folder labeled Computers_{, so right-click the folder,}

icon labeled Computers _{and choose Properties. You’ll get a dialog box named Computers}

172 CHAPTER 5 SETTING UP AND ROLLING OUT WINDOWS SERVER 2003

6. Click the Security tab in the properties page. Installers doesn’t currently have any permissions, so you’ll need to add a record for them. Click the Add button and you’ll now see a dialog named Select Users, Computers, or Groups.

7. Type in Installers and then, just for good measure, click Check Names. It’ll think about it for a second. Once it’s checked that there is indeed a group called Installers, Installers will be underlined. Click OK.

8. Back in the Computer properties page, find Installers in the Name list box and click it, then click the Advanced button.

9. You’ll see a dialog box labeled Advanced Security Settings for Computers. Again, locate Installers—this part of the operating system isn’t intended for regular old users, so the UI’s a bit convoluted here—to indicate the Installers record that you created. It’ll currently have some very basic permission like Read or the like. Click the Edit button.

10. Now you’ll see a dialog named Permission Entry for Computers. Scroll down in the list box labeled Permissions to find the Create Computer Objects permission. You’ll see two columns of check boxes, one labeled Allow and the other Deny. Check the Allow box. Click OK to clear the Permission Entry for Computer Objects dialog box.

11. That permission made the folders accept the new machine objects. But once created, Installers have very limited control over the machine accounts themselves. They can delete or modify machine accounts, but only the ones that they created. Now, if you only want users to have the power to reset machine accounts that they created, you can stop here and skip down to step 14. But if you want Installers to be able to reset even machine accounts that they did not install, then let’s keep going. From the Access Control Settings for Computers dialog box, click Add, choose Installers again, and click OK. The Permission Entry forComputers dialog box then appears.

12. Click the Apply Onto drop-down list box and choose Computer Objects. Check the Allow box next to the Write All Properties, Change Password, and Reset Password permissions. In the lower left corner of the page, check the box that says Apply These Permissions to Objects and/or Containers within This Container Only. Click OK and you’ll return to the Advanced Security Settings for Computers dialog box.

13. Scroll down in the Permission Entries list box and you’ll see that there are now two or five new entries for Installers, depending on how much power you decided to give Installers.

14. Click OK to dismiss the Advanced Security Settings dialog box. 15. Click OK to dismiss the Computers properties page.

Now that that’s done, you can put Joe into the Installers group: 1. Open the Users _{folder and locate the Installers group.} 2. Right-click Installers and choose Properties.

3. Click the Members tab. 4. Click the Add button.

INSTALLING SERVER 2003 WITH REMOTE INSTALLATION SERVICES 173

Finally done. Yes, that was a bit of work, but worth it in the end, I think.

Restricting RIS Image Choices

Once you turn Joe loose with that floppy, you might not want him accidentally loading the wrong image. He might just decide that he’d love to download the Programmer’s Workstation image, complete with the C++ and Java compilers, interactive debuggers, and the like—none of which he has any use for. You can, as it turns out, keep him from seeing all of the images on the RIS server. But you’d never guess how you do it.

The RIS server has a set of directories that exist in \RemoteInstall\Setup\English\Images_{. If you’ve}

got a simple I386 _{installation called} Windows_{, then its image is in} \RemoteInstall\Setup\English\ Images\Windows_{. Each RIS image, then, has a directory inside} \RemoteInstall\Setup\English\Images_;

remember that.

Each image contains a folder named I386_{, which contains yet another folder named} Templates_{. That}

folder contains a file named with the extension .sif_{. It’s an answer file that RIS uses to be able to do the}

installation without any user intervention. So, for example, if you have an image called Programmers, there’s an SIF file in \RemoteInstall\Setup\English\Images\I386\Templates_.

The way that you keep Joe out of the Programmers image is to set the NTFS permissions on the SIF file so that he’s denied Read access. Once RIS sees that he’s not supposed to see the file, the Programmers image won’t even be offered to him.