Permissions on Profiles Folder

 
 
Marko
Guest
Posts: n/a
 
      09-17-2003

>-----Original Message-----
>I am reviewing NTFS permissions on the folder that contains our roaming
>profiles. Can anyone suggest the best practice for achieving:
>A. Users only have access to their own profiles
>B. Domain admins have full access to all profiles
>Maybe you can check the attached screenshot to see if this is correct.
>Many thanks to all
>Testy
>



Hello Testy (if that is indeed your real name)

I don't want to undermine the LnL effort to answer your
question. The Group Policy directive is correct but I
will assume you don't know why.

Being taught how to implement from these newsgroups is
probably outside of the scope of what would be reasonable
to ask because any good answer to your question would be
many pages long and probably lead to even more questions
requiring even more long answers.

Can I suggest that you spend some time learning how to use
Group Policies to Redirect Folders? This may mean buying
some books and reading at length. Using roaming profiles
is very slow to log on and off the network, whereas GPs
and Folder Redirection is very quick; only changed files
are synchronised and copied.


 
Testy
Guest
Posts: n/a
 
      09-18-2003
Thanks for your very helpful reply Marko.

I've just taken over this network of 50 users, previously looked after by a
complete moron. Every user (including temps "were" domain admins!!). I
guess the last guy didn't want to be bothered by users, and let them all do
anything they wanted. The default domain GPO had never been touched.

I'm cleaning up a fair bit to say the least.

I am planning to use group policy and folder redirection eventually, but
need to research how folder redirection will affect the existing data in
everyone's "My Documents", and especially laptop users (and offline files).

Cheers again
Testy




"Marko" <> wrote in message
news:0a0001c37cf1$ef8f89f0$...
>
> >-----Original Message-----
> >I am reviewing NTFS permissions on the folder that contains our roaming
> >profiles. Can anyone suggest the best practice for achieving:
> >A. Users only have access to their own profiles
> >B. Domain admins have full access to all profiles
> >Maybe you can check the attached screenshot to see if this is correct.
> >Many thanks to all
> >Testy
> >
>
> Hello Testy (if that is indeed your real name)
>
> I don't want to undermine the LnL effort to answer your
> question. The Group Policy directive is correct but I
> will assume you don't know why.
>
> Being taught how to implement from these newsgroups is
> probably outside of the scope of what would be reasonable
> to ask because any good answer to your question would be
> many pages long and probably lead to even more questions
> requiring even more long answers.
>
> Can I suggest that you spend some time learning how to use
> Group Policies to Redirect Folders? This may mean buying
> some books and reading at length. Using roaming profiles
> is very slow to log on and off the network, whereas GPs
> and Folder Redirection is very quick; only changed files
> are synchronised and copied.
>
>



 
Marko
Guest
Posts: n/a
 
      09-18-2003

>-----Original Message-----
>Thanks for your very helpful reply Marko.
>
>I've just taken over this network of 50 users, previously looked after by a
>complete moron. Every user (including temps "were" domain admins!!). I
>guess the last guy didn't want to be bothered by users, and let them all do
>anything they wanted. The default domain GPO had never been touched.
>
>I'm cleaning up a fair bit to say the least.
>
>I am planning to use group policy and folder redirection eventually, but
>need to research how folder redirection will affect the existing data in
>everyone's "My Documents", and especially laptop users (and offline files).
>
>Cheers again
>Testy
>


Boy, you have a lot to do and a short time to learn it all
in. Welcome to Windows networks 101 where you may learn
some of the basics:


OK - First things first:

Make sure you have a backup with the System State and that
you know how to restore if you have to (Learn the F8
during startup, noting how to boot to Restore Active
Directories).

Make notes so you can undo anything that may have
undesirable effects.

Look at the Administrators and Domain Admin groups.
Remove every account not used ONLY for server /
workstation administration. Likely Administrator, Netshow
and Exchange Admin type accounts will be the only ones
left. Make sure guest is disabled.

Go download the Microsoft Baseline Security Analyzer. You
can pretty much do everything it recommends at this stage
since it is likely to be better than the state of play at
the moment.

Determine how you could put every person into different
groups that would correspond to the different network
folders or shares being used.

Work on making your network shares accessible by security
groups and put users in those groups, as appropriate.
Common rookie error is putting users in the security
permissions when users belong to groups and groups control
file / folder security. Much easier to manage when users
leave the organisation or new users come in.

For EXAMPLE, a folder called executive may have
Administrators and System as Full Control, with security
group Executive having Modify permissions. You may then
add AdminStaff with Read access, if this is appropriate.
Don't add Everyone permissions for anything - it isn't
necessary and it is a little too relaxed. You can nearly
always provide everyone on your network the right File and
Folder access by specifying the Domain Users group. If
you were creating a network share for these files and
folders, you would use either Executive with Full Control
permissions on the share, or Domain Users with Full
Control. Keep in mind, the file and folder security
attributes will negate any extra permissions gained
through the network share.

Go to the Profile of a user account. Users normally have
a network drive, say U:, that would be mapped in each
profile as \\servername\users$\%username% where servername
is - you guessed it! - the server netbios name, users$ is
the share assigned to the users folder on the server, the
$ makes it invisible when searching for shares on the
server, and %username% will prompt the computer to replace
this with the logon name of the user when creating a
folder to use as U:. Try it; from the profile tab,
Connect U: to \\servername\users$\%username%. If you have
created a folder for users that is shared as users$ with
permissions of full control for Domain Users, then a
folder should be created for username and the permissions
will include full control for username. Easy, eh?

After you have sorted that mess out, open Active Directory
Users and Computers. Choose the properties of the
domain. Select the Group Policy tab at the top. With any
luck, you only have a Default Domain policy. Now, User
configuration, Windows Settings, Folder redirection. (I
am doing this from memory, so it may not be 100% but you
will get the idea). Choose the Properties of say Desktop,
and choose to redirect this folder for everyone to
\\servername\users$\%username%\system\desktop. Everybody's
desktop will be copied to their U:, in a folder called
system\desktop that will be created when they logon.
Their desktop profile from the machine they log into will
be copied.

You can do similar for the other folders when you are
comfortable that you can recover profiles from
workstations and copy them directly into these folders, if
you have to.

That's all for now. Kept me busy for 20 minutes; it will
keep you busy for most of next week I would think.

Good luck.
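
A way to check the per-user folders under the users$ share against the original goal (each user reaches only their own folder, administrators reach all), as an added example that is not part of any post in this thread. The function names, the domain CORP, the root D:\Users and the sample ACEs are assumptions constructed for illustration; folder names are taken to equal logon names, as in the %username% mapping, and account names are assumed to be the English ones.

```powershell
# Added example; not from the thread. Assumed names: domain CORP, root D:\Users.
function Find-UnexpectedAce {
    param(
        [string]$FolderName,      # folder name equals the logon name (%username%)
        [object[]]$Aces,          # need IdentityReference, FileSystemRights, AccessControlType
        [string]$Domain = 'CORP'  # placeholder NetBIOS domain name
    )
    # Principals expected on every home folder, plus the folder's own user.
    $allowed = @(
        'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM', 'CREATOR OWNER',
        "$Domain\Domain Admins", "$Domain\$FolderName"
    )
    foreach ($ace in $Aces) {
        if ([string]$ace.AccessControlType -ne 'Allow') { continue }  # Deny ACEs only narrow access
        $who = [string]$ace.IdentityReference
        if ($allowed -notcontains $who) {
            # Everyone, Domain Users, or another user's account ends up here.
            [pscustomobject]@{
                Folder   = $FolderName
                Identity = $who
                Rights   = [string]$ace.FileSystemRights
            }
        }
    }
}

function Get-HomeFolderFinding {
    param([string]$Root, [string]$Domain = 'CORP')
    # One finding per unexpected Allow ACE on each first-level folder under $Root.
    Get-ChildItem -LiteralPath $Root -Directory | ForEach-Object {
        $aces = @((Get-Acl -LiteralPath $_.FullName).Access)
        Find-UnexpectedAce -FolderName $_.Name -Aces $aces -Domain $Domain
    }
}

# Constructed sample ACEs for a folder named "alice"; runs without a file server.
$sample = @(
    [pscustomobject]@{ IdentityReference = 'BUILTIN\Administrators'; FileSystemRights = 'FullControl'; AccessControlType = 'Allow' }
    [pscustomobject]@{ IdentityReference = 'CORP\alice';             FileSystemRights = 'FullControl'; AccessControlType = 'Allow' }
    [pscustomobject]@{ IdentityReference = 'Everyone';               FileSystemRights = 'Modify';      AccessControlType = 'Allow' }
    [pscustomobject]@{ IdentityReference = 'CORP\bob';               FileSystemRights = 'Read';        AccessControlType = 'Allow' }
)
Find-UnexpectedAce -FolderName 'alice' -Aces $sample

# On the file server itself: Get-HomeFolderFinding -Root 'D:\Users' -Domain 'CORP'
```

An empty result for a folder means only the expected principals hold Allow entries on it; anything listed is a candidate for removal or for replacement by a security group.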



 