Advice on what to do now that Active Directory is installed // Active Directory Strategy

Thanks Chris

I have created folders on the server's harddrive in the structure you recommended. However I'm not sure how to make it so that the home folder for each user is automatically generated to the Users folder. The document you provided only provides *recommendations* on how to set it up, but doesn't provide instructions on how to do it.

Same goes for offline files, don't know how to configure it. Some steps would be appreciated.

Also I've googled for some Active Directory resources and didn't really find anything great - I found a lot of technical mumbo jumbo that has nothing to do with practically setting up users and their shares etc. So if you know of any good resources, please share :p

..so for example, the Users folder is located on E: on the server. Do I say E:\Users\%username% or do I say \\Server\E:\%username%? or what ?

Another question. In the help files it says:
" In User logon name, type the user logon name, click the user principal name (UPN) suffix in the drop-down list, and then click Next.
If the user will use a different name to log on to computers running Microsoft® Windows® 95, Windows 98, or Windows NT® operating systems, you can change the user logon name as it appears in User logon name (pre-Windows 2000) to the different name"

Okay everyone is running XP or later, but doe this mean that when I create users for everyone, I should ask them what their log-in username is for their laptops/notebooks and use that as their login name for their AD users???

"When assigning permissions try to avoid assigning permissions to user accounts at all costs. It can become very difficult to manage permissions when assigned like that. Instead, permissions should be assigned to groups, users should be placed into appropriate groups."

Do you mean Groups or Organizational Units (OUs)?
Can you give me an example? Let's say in Miama office we have 11 users.
2 are from accounts, 2 are management, 2 are from human resources, 2 are from IT, 1 is receptionist, 1 is inventory management.
Shall we put them all in one Organizational Unit,
but then create groups in that OU such as "Accounting" "HR" "IT" etc and then make the users "Members of" those Groups?

Thanks Chris

Yaknow, I'm a Microsoft Certified Professional, I did the one module about Installing and Maintaining a Windows Server 2003 Environment, but I have forgotten 95% of it and I didn't really understand what I was learning when I was learning it - unless you have some practical experience in applying the knowledge then the knowledge just fades away.

I kinda understand the difference between Share permissions and NTFS permissions and I understand that windows will use the most restrictive security, so e.g. if you don't give share permissions but you do give NTFS permissions, then there's no access. So we'll give full share, and apply NTFS permissions based upon each user's role or group.
For example our accounts ladies can see financial data.

I'm curious about your Computer Naming Convention - I see an implementation problem. I have to phone up everybody and say "Listen, can we just, yaknow, rename your computers because we have a new naming scheme". Can't we just leave everyone's computer names what they already are?

And the same goes with joining the laptops on our network to the domain. Can't we just do this:
1) Tell them to log off their user
2) Press Ctrl + Alt + Delete
3) Enter their provided username @mydomain.com and password
and viola! now they have a) joined their computer, and b) created their user
...or is there something I'm missing here?


Now that I have a Users share, didn't you recommend I store all their profiles here and maybe make it available offline? How can I do this? And can you provide a path example for me, e.g. \\Server\Users\%username% etc

Thanks for all the help.

Re:

- By default, the newly created user account will only have user rights on the laptop / PC (by virtue of membership of Domain Users). This may be a problem.
- Once they log on they will get a brand new user profile (regardless of any similarity in user names). That means new My Documents, new settings, new everything.

Yeah, I'm not sure of the alternatives here. I don't mind doing 'the normal way' but I'm not sure what that is. So for example, we want them to have user rights beyond the laptop, right? We want them to be able to access network resources, hence the reason we got Active Directory. So that's important. Also you're saying they get a new My Documents and everything, I say that's unideal, what do you think? Rather let them keep their files like they're used to, and if I want to mess up their profiles I can. But it would help if you could guide me as to what you recommend, and how ;)

Thanks Chris.

Yes I have my own laptop plugged into the network switch. I've created a user for myself in AD and I was able to log in and authenticate on my laptop, which then generated a new user profile for me, which, I didn't really appreciate but it seems this is the way it gets done, right? So I get a new desktop wallpaper, my desktop consists of only shortcuts (no files etc -- cos these are stored in the other user) and that's that.

So, what can I do from here? You say I should transport my old user data to the new one?
I guess I know where the My Documents files and folders are from the old user, along with the old desktop files and folders are from the old user. Anything else that should be ported?

By the way, I'm a software engineer, so I could always just right some program that would help with this, but, it would still surprise me that no such (free) tools exist?
Surely I'm not the first administrator that's wanted to port an old user profile's data to the new user's profile?

Let me know what I can do next :p

Hmm... I remember learning something about NTUSER.DAT but all is forgotten now. It seems to me that I could load a NTUSER.DAT file into my NETLOGON share which I am guessing would create like a 'default' profile for new users that join the domain. I'm guessing this is useful to set crap like wallpapers but not much else. I think you were saying by copying NTUSER.DAT we can transport general profile settings, but not the actual data like files and My Documents. Am I understanding this correctly?

Now, about porting settings using that link you gave me.
On my laptop running XP Professional, I had created my new user profile 2 days ago already and rebooted several times, okay?
Now I log on to that user, get authenticated etc, and when I follow the instructions in that link you give me:
Right-Click My Computer ->
Properties ->
Advanced ->
User Profiles
..only my new user profile comes up. Not my old one.

So now I'm confused.

NTUser.dat is the registry file, it holds all the settings, wallpaper and all. But it's only settings, so copying that wouldn't give you My Documents or any of the other file data. So yes, your understanding of it is perfect.

Hmm does it lists two separate profiles under "Documents and Settings" though? I haven't used that to copy a profile in a good number of years, it should show everything... I couldn't say why it's not.

Chris

Yes under Documents and Settings it lists both my original User and my new Active Directory User. The interesting thing is that if I log onto my original user, and go to Control Panel -> Users, it brings up a list of users including my original user, but with the domain being ONE (which was my computer name and probably my old domain).

But the new Active Directory User is from the domain called HQ.

But in any case, this "copying" of profiles bussiness, like you say it won't copy over files, just profile settings. So what's the best way to port old documents from an old user to the new user?

Are you a local admin on that PC?

If you use the GUI, it will copy files, settings, everything. Only doing the copy manually allows us to be selective.

Chris

Oh Okay I think I see the problem now. You can't copy from the user you're logged in as (that wasn't the problem, but...) and you shouldn't be logged in to the user you're about to copy too either. So when I logged into a THIRD account I was able to see both the OLD and NEW profiles and it was possible to copy. Great.

So what's the next step then? We should copy their old profile to a network share? Then in Active Directory set their profile to that network share location? Then set folder redirection or offline files or what? I'm busy reading up on folder redirection but I'm not sure if that's what I need in this case.

> We should copy their old profile to a network share?

No, keep it local for now.

I'd avoid Roaming Profiles if I were you. Offline Files and folder redirection are great, but roaming profiles tend to be more bother then they're worth unless people are constantly switching computers.

Do we have shares on the server now?

Chris

We do indeed have shares now.

Fantastic :)

Head to the server and see if you have "Group Policy Management Console" under "Administrative Tools".

If you don't, download it here:

http://www.microsoft.com/DOWNLOADS/details.aspx?FamilyID=0a6d4c24-8cbd-4b35-9272-dd3cbfc81887&displaylang=en

Get that installed and we can have a look at folder redirection which should hopefully get everyone away from the reliance on the desktop without anyone actually noticing.

Chris

PS: You don't have to install that on the server, if you have a system you manage everything from feel free to install it there instead / as well.

Chris

Yes I do have that installed.

Great, pop it open.

You'll find a few policies present by default (Default Domain Policy, Default Domain Controllers Policy). I advise you leave those alone, if you need a policy, make a new one.

So, right click on the domain name and make a new policy (create and link). Then right click on the policy and edit it.

Then this article has some pretty pictures for what we're aiming to do:

http://www.msterminalservices.org/articles/Configure-Folder-Redirection.html

The Root Path will be the share we created for Users on the server.

Going to grab some lunch, will be back shortly :)

Chris

Umm that article keeps on talking about Terminal Services, creating a Terminal Services group etc but this is separate from Terminal Services right?

For example I encounter this problem:
"Edit the Security of the Policy so Apply Policy is set for Authenticated Users and the Security Group containing the Terminal Servers "
When I try to add the OU containing my users it says the object cannot be found.

And are you sure I must have User Configuration Settings Disabled on this GPO?

This is some confusing stuff. Talk about making user-un-intuitive software ;)

Dang. Those instructions in that link "Enabling the administrator to have access to redirected folders" are for windows 2003. It says:

Click the Security tab.
Click Advanced.
Click to clear the Allow inheritable permissions from the parent to propagate to this object and all child objects check box. Include these with entries explicitly defined here. check box.

Unfortunately mine says no such thing. I'll try google it further.

i think I figured that problem out myself... will let you know how I go...

Sorry, my fault, for some reason I was thinking you're on 2003. Yell if you need modified instructions for 2008.

Chris

Okay about to go and test, just want to confirm, the Terminal Services instructions said that I must have User Configuration Settings Disabled on this GPO. I don't need to do that in this case, right?

hey, is there an easy way to detect if a user is logged on to the server i.e. they have authenticated? It's no big deal but it would be nice to say "oh today 7 users authenticated and haven't logged out yet"

Sorry... what is supposed to link the GPO to the users or OU?  In Group Policy Management, I click on the GPO and under Links it has my domain controller and under Security Filtering all it has is Authenticated Users. Is this enough?

Yep. If you followed my instructions the GP is linked to the base of your domain, it will apply to everyone in your domain (everyone beneath the policy in the hierarchy).

It should look something like the picture below.

Chris

Hmm. .she's not working.

1) Under 'Links' in the GPO, should I set Enforced to Yes?

2) In AD Users and Computer, my profile path is \\HQ\Users\[myName]. Is this correct? (In any case no data has come through to HQ\Users.

I will create the GPO from scratch and see if how I go

Umm... according to my share the network path is \\DC1\Users and not \\HQ\Users. That's odd, my domain is hq.[companyname].com. Anyways, now I can try again :P

That's fine, share paths are:

\\ServerName\Share

Rather than:

\\DomainName\Share

However....

If the Server is your DC it will work using \\DomainName as well. Run "NsLookup DomainName" and you'll get the IP addresses of your Domain Controller(s) back.

Chris

Very strange... I decided to create a new Active Directory User for testing,

in its properties I set profile path to \\HQ\Users\Maria.Mogano

then I go to my laptop and I log in as her.

It then tells me that the Roaming Profile could not be located and that it will provide me with a temporary profile, and that any changes made to my profile will be lost after I log out.

Fascinating.

But it's not working.

Don't set a profile path at all. Just leave that blank.

What we want to happen is for them to log on with a local profile, but for it to pick up My Documents and hold it on the server.

Chris

Auurgh.. No joy.
I did notice however that no my Server it is saving the Administrator's My Documents to the Users share. But on my laptop I've tried about 4 times now with 4 different users. :(

Hmmm... when i run gpresult on the server by saying
gpresult /user Administrator /v
it gives me all the GPO's being applied

But when I do it on any of my test users (while still on the server), I get
INFO: The user "John.Smith" does not have RSOP data

My guess is that GPO policies aren't being applied on my Laptop.

So far in my googling I saw a comment of some guy that re-installed Windows Server and that fixed the problem, another anecdote said they had bad DNS settings.
I don't really feel like re-installing and then downloading all these updates all over again :(

Here's the result of gpresult when run from the client PC with the user John.Smith logged in: <attached below

note that Local Group Policy and Default Domain Policy are applied to the COMPUTER SETTINGS and User Folder Redirection v2 is applied to the USER SETTINGS

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
 
C:\Documents and Settings\John.Smith>gpresult
 
Microsoft (R) Windows (R) XP Operating System Group Policy Result tool v2.0
Copyright (C) Microsoft Corp. 1981-2001
 
Created On 5/06/2009 at 10:31:09 AM
 
 
RSOP results for HQ\John.Smith on ONE : Logging Mode
-----------------------------------------------------
 
OS Type:                     Microsoft Windows XP Professional
OS Configuration:            Member Workstation
OS Version:                  5.1.2600
Domain Name:                 HQ
Domain Type:                 Windows 2000
Site Name:                   Default-First-Site-Name
Roaming Profile:
Local Profile:               C:\Documents and Settings\John.Smith
Connected over a slow link?: No
 
 
COMPUTER SETTINGS
------------------
    CN=ONE,CN=Computers,DC=hq,DC=companyname,DC=com
    Last time Group Policy was applied: 5/06/2009 at 10:01:41 AM
    Group Policy was applied from:      DC1.hq.companyname.com
    Group Policy slow link threshold:   500 kbps
 
    Applied Group Policy Objects
    -----------------------------
        Default Domain Policy
        Local Group Policy
 
    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        User Folder Redirection v2
            Filtering:  Not Applied (Empty)
 
    The computer is a part of the following security groups:
    --------------------------------------------------------
        BUILTIN\Administrators
        Everyone
        SQLServerMSSQLServerADHelperUser$ONE
        SQLServerMSSQLUser$ONE$FUCKSQL
        BUILTIN\Users
        NT AUTHORITY\NETWORK
        NT AUTHORITY\Authenticated Users
        ONE$
        Domain Computers
 
 
USER SETTINGS
--------------
    CN=John Smith,CN=Users,DC=hq,DC=companyname,DC=com
    Last time Group Policy was applied: 5/06/2009 at 10:28:46 AM
    Group Policy was applied from:      DC1.hq.companyname.com
    Group Policy slow link threshold:   500 kbps
 
    Applied Group Policy Objects
    -----------------------------
        User Folder Redirection v2
 
    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Local Group Policy
            Filtering:  Not Applied (Empty)
 
        Default Domain Policy
            Filtering:  Not Applied (Empty)
 
    The user is a part of the following security groups:
    ----------------------------------------------------
        Domain Users
        Everyone
        BUILTIN\Users
        NT AUTHORITY\INTERACTIVE
        NT AUTHORITY\Authenticated Users
        LOCAL

                                              

1:
2:
3:
4:
5:
6:
7:
8:
9:
10:
11:
12:
13:
14:
15:
16:
17:
18:
19:
20:
21:
22:
23:
24:
25:
26:
27:
28:
29:
30:
31:
32:
33:
34:
35:
36:
37:
38:
39:
40:
41:
42:
43:
44:
45:
46:
47:
48:
49:
50:
51:
52:
53:
54:
55:
56:
57:
58:
59:
60:
61:
62:
63:
64:
65:
66:
67:
68:
69:
70:
71:
72:
73:
74:
75:
76:
77:
78:
79:
80:
81:
82:

Cool, at least he's getting the policy.

Ignore people that say reinstall without very good cause ;)

Can we have a look in the Event Logs on the laptop? See if any errors are being logged about profile creation?

Chris

Good call. There have been the same errors with all of my test accounts on this laptop. They are all error Event ID 10016
(Note: I have sent our driver to go pick up another laptop so I can do testing on that one)

Here are the error logs IN CHRONOLOGICAL ORDER for user John.Smith
Event Type:      Error
Event Source:      DCOM
Event Category:      None
Event ID:      10016
Date:            5/06/2009
Time:            10:04:15 AM
User:            HQ\John.Smith
Computer:      ONE
Description:
The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
{0C0A3666-30C9-11D0-8F20-00805F2CD064}
 to the user HQ\John.Smith SID (S-1-5-21-2534760304-592965174-2836117804-1117).  This security permission can be modified using the Component Services administrative tool.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

===

Event Type:      Error
Event Source:      DCOM
Event Category:      None
Event ID:      10016
Date:            5/06/2009
Time:            10:04:18 AM
User:            HQ\John.Smith
Computer:      ONE
Description:
The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
{0C0A3666-30C9-11D0-8F20-00805F2CD064}
 to the user HQ\John.Smith SID (S-1-5-21-2534760304-592965174-2836117804-1117).  This security permission can be modified using the Component Services administrative tool.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

===

Event Type:      Error
Event Source:      DCOM
Event Category:      None
Event ID:      10016
Date:            5/06/2009
Time:            10:28:56 AM
User:            HQ\John.Smith
Computer:      ONE
Description:
The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
{0C0A3666-30C9-11D0-8F20-00805F2CD064}
 to the user HQ\John.Smith SID (S-1-5-21-2534760304-592965174-2836117804-1117).  This security permission can be modified using the Component Services administrative tool.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Hmm I'd be surprised if that was it, but we can still take a look.

Open up RegEdit then use the Find option to look for this value:

0C0A3666-30C9-11D0-8F20-00805F2CD064

It should tell you the executable associated with the key, allowing us to see exactly what it's trying to launch.

Chris

Hmmm some more errors under Application event viewer but aren't user specific.
The previous ones were under System event viewer.

Event Type:	Error
Event Source:	Userenv
Event Category:	None
Event ID:	1041
Date:		5/06/2009
Time:		10:43:58 AM
User:		NT AUTHORITY\SYSTEM
Computer:	ONE
Description:
Windows cannot query DllName registry entry for {CF7639F3-ABA2-41DB-97F2-81E2C5DBFC5D} and it will not be loaded. This is most likely caused by a faulty registration.
 
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
 
===
 
Event Type:	Error
Event Source:	Userenv
Event Category:	None
Event ID:	1041
Date:		5/06/2009
Time:		10:28:46 AM
User:		NT AUTHORITY\SYSTEM
Computer:	ONE
Description:
Windows cannot query DllName registry entry for {7B849a69-220F-451E-B3FE-2CB811AF94AE} and it will not be loaded. This is most likely caused by a faulty registration.
 
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
                                              

1:
2:
3:
4:
5:
6:
7:
8:
9:
10:
11:
12:
13:
14:
15:
16:
17:
18:
19:
20:
21:
22:
23:
24:
25:
26:
27:

0C0A3666-30C9-11D0-8F20-00805F2CD064 = Machine Debug Manager

A registry search for CF7639F3-ABA2-41DB-97F2-81E2C5DBFC5D yields a key under:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\Currentversion\Winlogon\GPExtentions

You didn't have IE 8 beta on there did you?

Chris

I did a while back. It messed my programming up so I uninstalled it. But very interesting question...

Here's a microsoft article talking about that error:
http://msdn.microsoft.com/en-us/ie/dd441788.aspx
I have done as it asks and deleted two registry keys.
I wonder if this has anything to do with the GPO problem though

Brought in our other laptop running Windows XP Professional, created a fresh user in AD, joined the domain on the laptop, rebooted, logged in as the new user, and files are still not being saved on the Server share.
:(
I will check logs again

Another interesting problem...
After I had joined the domain on the laptop, rebooted and was trying to log in for the first time,
it brought up message "Please wait while domain list is created"

Some googling says :
1. Check the DC DNS settings. Make sure it points to an internal DNS.

2. Make sure the computer DNS points to the same DNS instead of ISP DNS.

3. Make sure the computer register A record in the DNS.

4. Make sure you can ping the DC by FQDN.

5. If the computer's hostname is set to something invalid, you may want to rename it.

> it brought up message "Please wait while domain list is created"

It's relatively unusual for it to stay up for more than a second or two but not entirely unheard of. As long as it does successfully build the list in the end.

Can you make sure the clients can open up the share?

\\server\users

Just to make sure they can get there. Make a test directory in there with a client as well, again just to make sure.

Chris

That's odd. On this PC I can't access it. I get the error below. In fact it won't let me access any of the shares, but im pretty sure on my other laptop it did. this is an authenticated user, Joe.Schmoe. Very strange

 
 \\Hq\Users is not accessible. You might not have the permission to use this network resource. Contact the administrator of this server to find out if you have access permissions.
 
Configuration information could not be read from the domain controller, either because the machine is unavaiable, or access has been denied.

                                              

1:
2:
3:
4:
5:

can't believe this... If I go to \\DC1\Users it allows me access and I can create a folder!

Okay sorry for the stupidity...
My GPO redirected folders point to \\DC1\Users
My E:\Data\Users is shared as \\DC1\Users
So yes, on the client PC, logged in as Joe.Schmoe, I can access \\DC1\Users and create a folder.

Not very helpful of it. Does it allow you to create stuff in My Documents?

Chris

hang on a tick. gonna reboot everything

hehe the how to fix Windows response :)

We might move away from that policy for a moment and test a few more, to make sure policy application in general works.

Chris

Revolution! It worked on my 2nd laptop after I created a fresh user in AD.
There's a setting in the Folder Redirection policy that says "Also apply redirection policy to Windows 2000, Windows 2000 Server, Windows XP, and Windows Server 2003 operating systems"
It was not checked, but I swear yesterday I tried it with checked and unchecked.
So I checked it now, did a gpupdate, rebooted the server, added a new user, and viola!

What a mission... Thanks so much, I couldn't have done it without you

Okay so how would I make it so that my Administrator account doesn't have a roaming profile?

Ahhh... You see, I'm learning ;)
By the by, I'm on the laptop, logged in as the Server's Administrator, busy trying to port the new user's Old Profile through to her new one. The profile-copying GUI technique gave me issues about security and so on, it seems the workaround is to take ownership of the OLD and NEW profile, and copy things across manually, but with so many temporary internet files, it's taking a long time.

Tell me, let's say we have a sister site with 5 users that's 100 miles away, and they don't have an IT person there.
Let's say we want to join them to the domain and also port over their old profiles.
My director thinks I should go on a road trip to do this (which I'd love to do). But is it justified? Or are their tools and easier ways of doing this? Or should we just outsource it?

I think there's justification for it.

While it's quite a simple process the profile tends to have such importance that mistakes can be costly (in a business sense). You could script the entire thing if you were willing, it only needs a few xcopy commands and a bit of permission changing.

Hiring someone in to do it is fine if your documentation for what they need to do is up to scratch, otherwise I think you'd pay over the odds for someone that would be able to figure it out. Personal opinion, of course, and depends on quite a lot of stuff (mainly cost).

Anyway, the guy that looks after desktop support for me here will be going off to do much the same thing in the not too distant future. I much prefer having someone I know will do it right keeping people happy :)

Chris

Okay one problem I have now is that with her OLD profile on the laptop she was an administrator, now on her NEW profile it tells her stuff like "Windows XP Firewall has blocked [Skype]. Your system administrator can unblock this for you". In other words she is no longer an administrator on her own computer :(
So when I log in as her local Administrator, and I go to Users in the Control Panel, her NEW User account does not come up.

Well every laptop comes with all sorts of crap on it. My dell laptop every time I add a new user I've got to accept a license agreement for dell support. On her laptop her accounting software tries to connect to her PC server but gets blocked by the Windows firewall. For certain users they need to be administrators or at least have control over things like that.

Yeah, fair enough, it's quite a lot of work getting all those things to run without admin rights. If you were a bigger company I'd be much more inclined to push for no local admin rights, people only break things :)

Chris

okay Chris, lovely, I now have shares enabled, folder redirection in place, I've learnt how to port profiles across from one user to another, and I guess I could now 'roll out'.

But before I do, what else needs to be done?

1) I'm thinking mapped network drives, done through scripts?

2) What else? Isn't there a nice way to give them messages whenever they log in, I guess by setting up their wallpaper as webpage, or their default homepage, or something? I'd like to say something like :
"Welcome, your profile on this computer has been ported to this new user, and you now have access to several network resources on our new Server. You can access the File Server through Y: in My Computer. Please note the folder 'Projects', 'Shared', 'Departments', 'Users', 'Scans', etc. For any help email helpdesk@mycompany.com"

3) Maybe I can set up a company wiki.

4) oh and another thing I can think of is enabling "remote assistance" on everyone's PC that I convert. In this way I can assist users remotely if necessary.

What do you think and what else can you think of?

Excellent stuff

I agree changing wallpapers is a bad idea, so I have found a way to give messages using VBS scripts.
Busy working on the logon script, if I want to use VBS script files, can I use your path:  %SystemRoot%\SysVol\Domain\Scripts ?

Other than this remaining question, I think you've given me an excellent overview of AD things to get me started. Hopefully I can roll-out to this office branch today!

Hmmm I'm reading an article that says if all your client PCs are running Windows 2000 or later, then you don't really need to use the profile tab, you can just use group policy and it shows me how:
http://www.windowsnetworking.com/articles_tutorials/Logon-Scripts-Pure-Mixed-Active-Directory-Environments.html

Thanks so much for your help!

> if I want to use VBS script files, can I use your path

Yep, you can :)

> you can just use group policy and it shows me how

Yeah, you can, but  the script is less accessible if you need to tell someone how to get to it.

For example, the path to it will look like this:

\\yourdomain.com\SysVol\yourdomain.com\Policies\{2387240B-7940-4DB4-BB40-878FCAB12784}\User\Scripts\Logon

Kind of hard to explain to someone :)

If that's not a bother then...

a. Open Group Policy Management Console (again)
b. Select the Domain Users container we made before
c. Right click and select Create and Link a Policy
d. Call it logon script (or something)
e. Expand User Configuration \ Windows Settings and select Script (Logon\Logoff)
f. Open up Logon
g. Click Add and enter the script name (name only again), e.g. login.vbs (leave parameters blank) then OK
h. Click Show Files, that will open a folder with something like the path above. Put your script file here.

Chris

Forgot the link for ADMT:

http://www.microsoft.com/Downloads/details.aspx?familyid=AE279D01-7DCA-413C-A9D2-B42DFB746059&displaylang=en

With the guide here:

http://www.microsoft.com/Downloads/details.aspx?familyid=6D710919-1BA5-41CA-B2F3-C11BCB4857AF&displaylang=en

Whether you'll need much / any scripting or not does depend on your intentions. If you have a test domain I highly recommend having a bit of a play, even if your test domain runs as virtual servers on a laptop ;)

Chris