Velocity Reviews

Velocity Reviews (http://www.velocityreviews.com/forums/index.php)
-   NZ Computing (http://www.velocityreviews.com/forums/f47-nz-computing.html)
-   -   Mandatory Profile Question (http://www.velocityreviews.com/forums/t568910-mandatory-profile-question.html)

Matthew Strickland 12-16-2003 03:23 AM

Mandatory Profile Question
 
Hi all,

I think im turning into Woger.... help! Simple question, a simple answer I
hope...

Ive setup a single mandatory profile and set some users to point to it.
Seems to work. Ive also setup folder redirection (Desktop) for a group of
PC's (loopback processing enabled in an OU container of PC's) and thats ok.
But when I remove the users from the 'Domain Admins' group, there is no
're-direction'. Desktop comes up with I assume, 'default user' from the
client machine. (Note: there is no desktop folder in the mandatory profile,
I want to use folder redirection so it has been deleted)

I assume its something to do with restrictions on the local/client machine?
Its formatted in NTFS. As in it cant cache it locally (no rights) so it
aborts and uses the client one?
(I quickly tried adding 'everyone' full rights to the 'documents and
settings' folder on the client - then removing it from the subfolders where
its not needed) - still didnt work.

2k server with 2k pro clients. I need maximum security (school situation) so
no admin rights local/server.

Ideas?

Also If I adjust the security so users cannot 'delete' the mandatory profile
I assume this wont affect it?? (as in read only)

M



AD. 12-16-2003 04:55 AM

Re: Mandatory Profile Question
 
On Tue, 16 Dec 2003 16:23:16 +1300, Matthew Strickland wrote:

> Ive setup a single mandatory profile and set some users to point to it.
> Seems to work. Ive also setup folder redirection (Desktop) for a group of
> PC's (loopback processing enabled in an OU container of PC's) and thats
> ok. But when I remove the users from the 'Domain Admins' group, there is
> no 're-direction'. Desktop comes up with I assume, 'default user' from the
> client machine. (Note: there is no desktop folder in the mandatory
> profile, I want to use folder redirection so it has been deleted)
>
> I assume its something to do with restrictions on the local/client
> machine? Its formatted in NTFS. As in it cant cache it locally (no rights)
> so it aborts and uses the client one?
> (I quickly tried adding 'everyone' full rights to the 'documents and
> settings' folder on the client - then removing it from the subfolders
> where its not needed) - still didnt work.


What happens if you leave the Desktop folder in the profile but use
redirection to 'override' it?

If the redirection problem is permissions based (might not be), have you
also checked th registry permissions. I only say that because the OU is
a computer one, so the intended registry changes might be being applied to
somewhere where they need some admin rights? Just guessing.

What happens if you apply the redirection via a User OU? Do you still need
admin rights then?

Don't bite the Linux user, it's been I while since I have researched or
done this stuff :)

Cheers
Anton

Matthew Strickland 12-16-2003 05:09 AM

Re: Mandatory Profile Question
 
Hi Anton,

Not biting the Linux user :) Thanks for your input.... Ive got more info
that might change things.

It seems that the mandatory profile takes over from the re-direction. If I
create a 'Desktop' folder in the mandatory profile, thats the one that is
pushed to the client, instead of the redirected one. :(

Ok I can handle this, so I did more research and discovered you can "Exclude
directory in roaming profile" - WOW this is what I want... guns blazing, I
excluded 'Desktop' and 'Start Menu' in the User OU. Logged into the
client... nope, still the mandatory profile 'desktop'

I then applied the exclude directory to the whole domain (the domain OU) to
see if somehow it was being over-rided in the user OU, but no, same results
again.

Ill research a bit more about roaming profiles (mandatory ones) AND folder
redirection when I get home.

Matt



Dumdedo 12-16-2003 06:16 AM

Re: Mandatory Profile Question
 
On Tue, 16 Dec 2003 16:23:16 +1300, "Matthew Strickland" <nospam@nospamme.no>
wrote:

>Hi all,
>
>I think im turning into Woger.... help! Simple question, a simple answer I
>hope...




No you need Brains to be a Woger..


>Ive setup a single mandatory profile and set some users to point to it.
>Seems to work. Ive also setup folder redirection (Desktop) for a group of
>PC's (loopback processing enabled in an OU container of PC's) and thats ok.
>But when I remove the users from the 'Domain Admins' group, there is no
>'re-direction'. Desktop comes up with I assume, 'default user' from the
>client machine. (Note: there is no desktop folder in the mandatory profile,
>I want to use folder redirection so it has been deleted)
>
>I assume its something to do with restrictions on the local/client machine?
>Its formatted in NTFS. As in it cant cache it locally (no rights) so it
>aborts and uses the client one?
>(I quickly tried adding 'everyone' full rights to the 'documents and
>settings' folder on the client - then removing it from the subfolders where
>its not needed) - still didnt work.
>
>2k server with 2k pro clients. I need maximum security (school situation) so
>no admin rights local/server.
>
>Ideas?
>
>Also If I adjust the security so users cannot 'delete' the mandatory profile
>I assume this wont affect it?? (as in read only)
>
>M
>



Enkidu 12-16-2003 07:52 AM

Re: Mandatory Profile Question
 
On Tue, 16 Dec 2003 16:23:16 +1300, "Matthew Strickland"
<nospam@nospamme.no> wrote:
>
>Ive setup a single mandatory profile and set some users to point to it.
>Seems to work. Ive also setup folder redirection (Desktop) for a group of
>PC's (loopback processing enabled in an OU container of PC's) and thats ok.
>

I confused. If you are using folder redirection you must be using
GPOs, right.
>
>But when I remove the users from the 'Domain Admins' group, there is no
>'re-direction'.
>

But GPOs don't have anything to do with security groups.
>
>Desktop comes up with I assume, 'default user' from the client machine.
>(Note: there is no desktop folder in the mandatory profile,
>I want to use folder redirection so it has been deleted)
>

Presumably you are creating a profile, renaming it to .man and then
using GPOs to make sure that everyone is using that profile?

>I assume its something to do with restrictions on the local/client machine?
>Its formatted in NTFS. As in it cant cache it locally (no rights) so it
>aborts and uses the client one?


Is your GPO being applied?

>(I quickly tried adding 'everyone' full rights to the 'documents and
>settings' folder on the client - then removing it from the subfolders where
>its not needed) - still didnt work.
>
>2k server with 2k pro clients. I need maximum security (school situation) so
>no admin rights local/server.
>
>Ideas?
>
>Also If I adjust the security so users cannot 'delete' the mandatory profile
>I assume this wont affect it?? (as in read only)
>

It shouldn't.

Cheers,

Cliff
--

The complete lack of evidence is the surest sign
that the conspiracy is working.

KS 12-16-2003 09:45 AM

Re: Mandatory Profile Question
 
> No you need Brains to be a Woger..

Isn't it a bit early for April fools' day jokes ?



Chris 12-16-2003 10:46 AM

Re: Mandatory Profile Question
 
"KS" <ivabiggun@hotmailnospam.com> wrote in
news:brmk7e$38t$1@lust.ihug.co.nz:

>> No you need Brains to be a Woger..

>
> Isn't it a bit early for April fools' day jokes ?
>
>
>


No, he was late.....

Uncle StoatWarbler 12-16-2003 10:58 AM

Re: Mandatory Profile Question
 
On Tue, 16 Dec 2003 19:16:01 +1300, Dumdedo wrote:

> No you need Brains to be a Woger..


Need brains - "night of the living dead" style



Jax 12-16-2003 07:04 PM

Re: Mandatory Profile Question
 
>>Ive setup a single mandatory profile and set some users to point to it.
>>Seems to work. Ive also setup folder redirection (Desktop) for a group of
>>PC's (loopback processing enabled in an OU container of PC's) and thats ok.
>>

>
> I confused. If you are using folder redirection you must be using
> GPOs, right.
>
>>But when I remove the users from the 'Domain Admins' group, there is no
>>'re-direction'.
>>

>
> But GPOs don't have anything to do with security groups.
>
>>Desktop comes up with I assume, 'default user' from the client machine.
>>(Note: there is no desktop folder in the mandatory profile,
>>I want to use folder redirection so it has been deleted)
>>

>
> Presumably you are creating a profile, renaming it to .man and then
> using GPOs to make sure that everyone is using that profile?
>
>
>>I assume its something to do with restrictions on the local/client machine?
>>Its formatted in NTFS. As in it cant cache it locally (no rights) so it
>>aborts and uses the client one?

>
>
> Is your GPO being applied?
>
>
>>(I quickly tried adding 'everyone' full rights to the 'documents and
>>settings' folder on the client - then removing it from the subfolders where
>>its not needed) - still didnt work.
>>
>>2k server with 2k pro clients. I need maximum security (school situation) so
>>no admin rights local/server.
>>
>>Ideas?
>>
>>Also If I adjust the security so users cannot 'delete' the mandatory profile
>>I assume this wont affect it?? (as in read only)


I just did a quick AD training here in London and the guy reckoned you
are crazy to do anything with GPO's without using the "Group Policy
Management Console"

http://www.microsoft.com/windowsserv...c/default.mspx
http://www.microsoft.com/windowsserv...mc/gpmcwp.mspx

The tool is for 2k3 but the trick is, it can be run off a Win XP Pro
workstation hooking into Win 2k Server. It can let you simulate certain
scenarios, display effective permissions via HTML page etc etc

HTH

Matthew Strickland 12-17-2003 12:24 AM

Re: Mandatory Profile Question
 
"Enkidu" <enkidu@xyzcliffpxyz.com> wrote in message
news:17ettvc729eeek4rmg55a3biob6j56p2j6@4ax.com...

> Presumably you are creating a profile, renaming it to .man and then
> using GPOs to make sure that everyone is using that profile?


Yes profile created, renamed to .man, but ive used the 'profile' path in the
users account to set the profile. It seems to work (ie desktop appearance,
application data stuff is working) Its on a share on the server
\\server\profile

> Is your GPO being applied?


Other parts of the GPO are being applied (with the computer settings). Ill
run gpresult and see in more detail whats going on. I suspect it *is* being
applied but the mandatory profile is either happening after the GPO, or it
somehow over-rides the GPO settings. Its some conflict between mandatory
profile + folder redirection. "Exclude directorys in roaming profile didnt
work." - I only have this problem as soon as I remove Domain Admin group
from users.

> >Also If I adjust the security so users cannot 'delete' the mandatory

profile
> >I assume this wont affect it?? (as in read only)
> >

> It shouldn't.


I thought so :)

Matt




All times are GMT. The time now is 03:23 PM.

Powered by vBulletin®. Copyright ©2000 - 2014, vBulletin Solutions, Inc.
SEO by vBSEO ©2010, Crawlability, Inc.