Mandatory Profile Question

Discussion in 'NZ Computing' started by Matthew Strickland, Dec 16, 2003.

  1. Hi all,

    I think I'm turning into Woger.... help! Simple question, a simple answer I
    hope...

    I've set up a single mandatory profile and set some users to point to it.
    Seems to work. I've also set up folder redirection (Desktop) for a group of
    PCs (loopback processing enabled in an OU container of PCs) and that's OK.
    But when I remove the users from the 'Domain Admins' group, there is no
    're-direction'. Desktop comes up with, I assume, 'default user' from the
    client machine. (Note: there is no desktop folder in the mandatory profile,
    I want to use folder redirection so it has been deleted)

    I assume it's something to do with restrictions on the local/client machine?
    It's formatted in NTFS. As in it can't cache it locally (no rights) so it
    aborts and uses the client one?
    (I quickly tried adding 'everyone' full rights to the 'documents and
    settings' folder on the client - then removing it from the subfolders where
    it's not needed) - still didn't work.

    2k server with 2k pro clients. I need maximum security (school situation) so
    no admin rights local/server.

    Ideas?

    Also if I adjust the security so users cannot 'delete' the mandatory profile
    I assume this won't affect it?? (as in read only)

    M
     
    Matthew Strickland, Dec 16, 2003
    #1
  2. AD. Guest

    On Tue, 16 Dec 2003 16:23:16 +1300, Matthew Strickland wrote:

    > I've set up a single mandatory profile and set some users to point to it.
    > Seems to work. I've also set up folder redirection (Desktop) for a group of
    > PCs (loopback processing enabled in an OU container of PCs) and that's
    > OK. But when I remove the users from the 'Domain Admins' group, there is
    > no 're-direction'. Desktop comes up with, I assume, 'default user' from the
    > client machine. (Note: there is no desktop folder in the mandatory
    > profile, I want to use folder redirection so it has been deleted)
    >
    > I assume it's something to do with restrictions on the local/client
    > machine? It's formatted in NTFS. As in it can't cache it locally (no rights)
    > so it aborts and uses the client one?
    > (I quickly tried adding 'everyone' full rights to the 'documents and
    > settings' folder on the client - then removing it from the subfolders
    > where it's not needed) - still didn't work.


    What happens if you leave the Desktop folder in the profile but use
    redirection to 'override' it?

    If the redirection problem is permissions based (might not be), have you
    also checked the registry permissions? I only say that because the OU is
    a computer one, so the intended registry changes might be being applied to
    somewhere where they need some admin rights? Just guessing.

    What happens if you apply the redirection via a User OU? Do you still need
    admin rights then?

    Don't bite the Linux user, it's been a while since I have researched or
    done this stuff :)

    Cheers
    Anton
     
    AD., Dec 16, 2003
    #2
  3. Hi Anton,

    Not biting the Linux user :) Thanks for your input.... I've got more info
    that might change things.

    It seems that the mandatory profile takes over from the re-direction. If I
    create a 'Desktop' folder in the mandatory profile, that's the one that is
    pushed to the client, instead of the redirected one. :(

    OK, I can handle this, so I did more research and discovered you can "Exclude
    directory in roaming profile" - WOW this is what I want... guns blazing, I
    excluded 'Desktop' and 'Start Menu' in the User OU. Logged into the
    client... nope, still the mandatory profile 'desktop'

    I then applied the exclude directory to the whole domain (the domain OU) to
    see if somehow it was being overridden in the user OU, but no, same results
    again.

    I'll research a bit more about roaming profiles (mandatory ones) AND folder
    redirection when I get home.

    Matt
     
    Matthew Strickland, Dec 16, 2003
    #3
  4. Dumdedo Guest

    On Tue, 16 Dec 2003 16:23:16 +1300, "Matthew Strickland" wrote:

    >Hi all,
    >
    >I think I'm turning into Woger.... help! Simple question, a simple answer I
    >hope...

    No you need Brains to be a Woger..

    >I've set up a single mandatory profile and set some users to point to it.
    >Seems to work. I've also set up folder redirection (Desktop) for a group of
    >PCs (loopback processing enabled in an OU container of PCs) and that's OK.
    >But when I remove the users from the 'Domain Admins' group, there is no
    >'re-direction'. Desktop comes up with, I assume, 'default user' from the
    >client machine. (Note: there is no desktop folder in the mandatory profile,
    >I want to use folder redirection so it has been deleted)
    >
    >I assume it's something to do with restrictions on the local/client machine?
    >It's formatted in NTFS. As in it can't cache it locally (no rights) so it
    >aborts and uses the client one?
    >(I quickly tried adding 'everyone' full rights to the 'documents and
    >settings' folder on the client - then removing it from the subfolders where
    >it's not needed) - still didn't work.
    >
    >2k server with 2k pro clients. I need maximum security (school situation) so
    >no admin rights local/server.
    >
    >Ideas?
    >
    >Also if I adjust the security so users cannot 'delete' the mandatory profile
    >I assume this won't affect it?? (as in read only)
    >
    >M
    >
     
    Dumdedo, Dec 16, 2003
    #4
  5. Enkidu Guest

    On Tue, 16 Dec 2003 16:23:16 +1300, "Matthew Strickland" wrote:
    >
    >I've set up a single mandatory profile and set some users to point to it.
    >Seems to work. I've also set up folder redirection (Desktop) for a group of
    >PCs (loopback processing enabled in an OU container of PCs) and that's OK.
    >

    I'm confused. If you are using folder redirection you must be using
    GPOs, right?
    >
    >But when I remove the users from the 'Domain Admins' group, there is no
    >'re-direction'.
    >

    But GPOs don't have anything to do with security groups.
    >
    >Desktop comes up with, I assume, 'default user' from the client machine.
    >(Note: there is no desktop folder in the mandatory profile,
    >I want to use folder redirection so it has been deleted)
    >

    Presumably you are creating a profile, renaming it to .man and then
    using GPOs to make sure that everyone is using that profile?

    >I assume it's something to do with restrictions on the local/client machine?
    >It's formatted in NTFS. As in it can't cache it locally (no rights) so it
    >aborts and uses the client one?

    Is your GPO being applied?

    >(I quickly tried adding 'everyone' full rights to the 'documents and
    >settings' folder on the client - then removing it from the subfolders where
    >it's not needed) - still didn't work.
    >
    >2k server with 2k pro clients. I need maximum security (school situation) so
    >no admin rights local/server.
    >
    >Ideas?
    >
    >Also if I adjust the security so users cannot 'delete' the mandatory profile
    >I assume this won't affect it?? (as in read only)
    >

    It shouldn't.

    Cheers,

    Cliff
    --

    The complete lack of evidence is the surest sign
    that the conspiracy is working.
     
    Enkidu, Dec 16, 2003
    #5
  6. KS Guest

    > No you need Brains to be a Woger..

    Isn't it a bit early for April fools' day jokes ?
     
    KS, Dec 16, 2003
    #6
  7. Chris Guest

    "KS" wrote in
    news:brmk7e$38t$:

    >> No you need Brains to be a Woger..

    >
    > Isn't it a bit early for April fools' day jokes ?
    >
    >
    >


    No, he was late.....
     
    Chris, Dec 16, 2003
    #7
  8. On Tue, 16 Dec 2003 19:16:01 +1300, Dumdedo wrote:

    > No you need Brains to be a Woger..


    Need brains - "night of the living dead" style
     
    Uncle StoatWarbler, Dec 16, 2003
    #8
  9. Jax Guest

    >>I've set up a single mandatory profile and set some users to point to it.
    >>Seems to work. I've also set up folder redirection (Desktop) for a group of
    >>PCs (loopback processing enabled in an OU container of PCs) and that's OK.
    >>
    >
    > I'm confused. If you are using folder redirection you must be using
    > GPOs, right?
    >
    >>But when I remove the users from the 'Domain Admins' group, there is no
    >>'re-direction'.
    >>
    >
    > But GPOs don't have anything to do with security groups.
    >
    >>Desktop comes up with, I assume, 'default user' from the client machine.
    >>(Note: there is no desktop folder in the mandatory profile,
    >>I want to use folder redirection so it has been deleted)
    >>
    >
    > Presumably you are creating a profile, renaming it to .man and then
    > using GPOs to make sure that everyone is using that profile?
    >
    >
    >>I assume it's something to do with restrictions on the local/client machine?
    >>It's formatted in NTFS. As in it can't cache it locally (no rights) so it
    >>aborts and uses the client one?
    >
    >
    > Is your GPO being applied?
    >
    >
    >>(I quickly tried adding 'everyone' full rights to the 'documents and
    >>settings' folder on the client - then removing it from the subfolders where
    >>it's not needed) - still didn't work.
    >>
    >>2k server with 2k pro clients. I need maximum security (school situation) so
    >>no admin rights local/server.
    >>
    >>Ideas?
    >>
    >>Also if I adjust the security so users cannot 'delete' the mandatory profile
    >>I assume this won't affect it?? (as in read only)


    I just did a quick AD training here in London and the guy reckoned you
    are crazy to do anything with GPOs without using the "Group Policy
    Management Console"

    http://www.microsoft.com/windowsserver2003/gpmc/default.mspx
    http://www.microsoft.com/windowsserver2003/gpmc/gpmcwp.mspx

    The tool is for 2k3 but the trick is, it can be run off a Win XP Pro
    workstation hooking into Win 2k Server. It can let you simulate certain
    scenarios, display effective permissions via HTML page etc etc

    HTH
     
    Jax, Dec 16, 2003
    #9
  10. "Enkidu" wrote in message
    news:...

    > Presumably you are creating a profile, renaming it to .man and then
    > using GPOs to make sure that everyone is using that profile?

    Yes, profile created, renamed to .man, but I've used the 'profile' path in the
    user's account to set the profile. It seems to work (i.e. desktop appearance,
    application data stuff is working). It's on a share on the server
    \\server\profile

    > Is your GPO being applied?

    Other parts of the GPO are being applied (with the computer settings). I'll
    run gpresult and see in more detail what's going on. I suspect it *is* being
    applied but the mandatory profile is either happening after the GPO, or it
    somehow overrides the GPO settings. It's some conflict between mandatory
    profile + folder redirection. "Exclude directories in roaming profile" didn't
    work. - I only have this problem as soon as I remove Domain Admin group
    from users.

    > >Also if I adjust the security so users cannot 'delete' the mandatory
    > >profile I assume this won't affect it?? (as in read only)
    > >
    > It shouldn't.

    I thought so :)

    Matt
     
    Matthew Strickland, Dec 17, 2003
    #10
  11. Enkidu Guest

    On Wed, 17 Dec 2003 13:24:29 +1300, "Matthew Strickland" wrote:

    >"Enkidu" wrote in message
    >news:...
    >
    >> Presumably you are creating a profile, renaming it to .man and then
    >> using GPOs to make sure that everyone is using that profile?
    >
    >Yes, profile created, renamed to .man, but I've used the 'profile' path in the
    >user's account to set the profile. It seems to work (i.e. desktop appearance,
    >application data stuff is working). It's on a share on the server
    >\\server\profile
    >
    >> Is your GPO being applied?
    >
    >Other parts of the GPO are being applied (with the computer settings). I'll
    >run gpresult and see in more detail what's going on. I suspect it *is* being
    >applied but the mandatory profile is either happening after the GPO, or it
    >somehow overrides the GPO settings. It's some conflict between mandatory
    >profile + folder redirection. "Exclude directories in roaming profile" didn't
    >work. - I only have this problem as soon as I remove Domain Admin group
    >from users.
    >
    >> >Also if I adjust the security so users cannot 'delete' the mandatory
    >> >profile I assume this won't affect it?? (as in read only)
    >> >
    >> It shouldn't.
    >
    >I thought so :)
    >
    >Matt
    >

    I'd be interested in the answer! Got no clues, sorry.

    Cheers,

    Cliff
    --

    The complete lack of evidence is the surest sign
    that the conspiracy is working.
     
    Enkidu, Dec 17, 2003
    #11
  12. M Guest

    Solved this one, it was because I was going back and adjusting the profile
    with my own logon that has different permissions, and different GPOs
    applied to it.

    The profile should only be modified by the user or users that are using
    it... (or rather, someone with similar permissions and GPO settings)

    Glad I finally sorted it.

     
    M, Dec 23, 2003
    #12
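
An added example, not part of any poster's message: one way to see which accounts are able to change the mandatory profile, which bears on both the "read only" question in #1 and the cause reported in #12. It assumes a management workstation with PowerShell 3 or later; the default path is the share named in the thread, and the trusted-account list and function name are hypothetical.

```powershell
# Added example, not from the thread. Lists accounts that can change a
# mandatory profile. $ProfilePath and $Trusted are assumptions to adjust.
param(
    [string]$ProfilePath = '\\server\profile',
    [string[]]$Trusted = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')
)

# Specific NTFS rights that allow changing or removing profile content.
$writeMask = [int][System.Security.AccessControl.FileSystemRights]`
    'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
# Some ACEs carry generic bits instead: GENERIC_WRITE and GENERIC_ALL.
$genericMask = 0x40000000 -bor 0x10000000

function Get-ProfileWriteAce {
    param([string]$Path, [string[]]$TrustedAccounts)
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        $rights   = [int]$ace.FileSystemRights
        $canWrite = ($rights -band ($writeMask -bor $genericMask)) -ne 0
        if ($ace.AccessControlType -eq 'Allow' -and $canWrite -and
            $TrustedAccounts -notcontains $ace.IdentityReference.Value) {
            [pscustomobject]@{
                Path      = $Path
                Account   = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

# The thread's profile was "renamed to .man"; warn if that hive is missing.
$hive = Join-Path $ProfilePath 'ntuser.man'
if (-not (Test-Path -LiteralPath $hive)) {
    Write-Warning "No ntuser.man found under $ProfilePath"
}

# Check the profile root and every item directly under it (hidden included).
$targets = @($ProfilePath) + @(Get-ChildItem -LiteralPath $ProfilePath -Force |
    Select-Object -ExpandProperty FullName)
$findings = $targets | ForEach-Object {
    Get-ProfileWriteAce -Path $_ -TrustedAccounts $Trusted
}

if ($findings) {
    $findings | Format-Table -AutoSize
} else {
    'No write or delete rights granted outside the trusted accounts.'
}
```

Share-level permissions are separate from NTFS ACLs and are not covered by this check.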
  13. Enkidu Guest

    Thanks for the report.

    Cheers,

    Cliff

    On Tue, 23 Dec 2003 19:44:31 +1300, "M" wrote:

    >Solved this one, it was because I was going back and adjusting the profile
    >with my own logon that has different permissions, and different GPOs
    >applied to it.
    >
    >The profile should only be modified by the user or users that are using
    >it... (or rather, someone with similar permissions and GPO settings)
    >
    >Glad I finally sorted it.
    >

    --

    Christmas comes but once a year, thank the gods. I don't think
    that I could cope with twice.
     
    Enkidu, Dec 23, 2003
    #13