windows 2003 group policy and login scripts

Here is my situation,

I have a client who wanted a domain controller and file server in Windows instead of Linux, which is my preferred area.  I have installed Windows Server 2003 and set up DHCP, DNS, and AD.  I made one user in AD and successfully logged a client computer on to the domain with that user.

My intention is to have three group levels.  The first is Administrator, the second is managers, and the third is a normal user.  In addition, there is also going to be separation in the managers and users groups into sales, service, etc.  The file server will have its root on a separate partition and will then have subdirectories for each group (sales, service, etc) which will then have subdirectories for each user.

Here are my goals:

Administrators:
Program installation and removal (administrator level) on local computer when logged in
Access to all files on the local system and also on the server

Managers:
No local system modification
Access to all the files in their group's directory including any user directories and the public directory.

Users:
No local system modification
Access to only their personal directory and one public directory in their group's directory

All users:
All personal information should map to the server and not the local computer.  When a user logs in to any computer on the network, I want them to have the same desktop information and My Documents data.  I believe this is called a roaming profile, but I am not sure.
In addition to My Documents, each user should have two drives mapped on login: the public one for the whole company and their group's public drive.

The three biggest things I need help setting up are going to be getting the correct Active Directory structure made, getting the local computer to have the right administrative permissions based on who is logged in, and then getting the drives to map correctly.  I believe once the AD groups are all made, I won't have a problem setting permissions on the file server side of things.

NOTICE:  The points for this question will go to the person who sticks with me and helps me out.  I don't mind some links to good helpful documents, but that in and of itself will not get you the points.  Following through with me and my future questions will get you the points.  This may take a little while to work through as I don't get to work on this every night.

I also have purchased Windows 2003 Unleashed to give me a better overall understanding of what I am doing.  I will read that when I get the time.  Right now I am concerned with getting this working correctly and I will worry about understanding it all later.  That means that long drawn out explanations are not especially necessary if I don't need them to make it work.  Save yourself some typing if you like :)
Justin CAWS Solutions ArchitectCommented:
This can be done without too much effort.  If you've already gotten AD working, the hard part is pretty much over.  So you don't have your OU structure set up yet?  Does the client's organizational structure lend itself well to an OU structure?  If so, you can mirror it and make an OU for each department (helps with assigning Group Policy objects to certain departments), or you can make positional OUs (Executives, Managers, Supervisors, Employees, etc).  

Is there only one DC in the forest and only one site?  If so, AD's structure is fairly straightforward and simple.  As for security groups, you can begin with the 3 groups you mentioned: Admins, Managers, DepartmentEmployees (I don't want to use Users because it closely resembles a built-in group).  You could use the built-in Domain Users group, but then anytime you gave that group rights you'd be giving them to everyone; you wouldn't be able to differentiate between users in one department or another and everyone would have access to other departments' data.  

You're right about Roaming Profiles, that's what you'll need to enable for the user's desktop and config data to follow them from machine to machine.  You specify this in their AD account's properties.  You can redirect My Documents to the user's home directory if you wish, this way they'll always have access to it without downloading and uploading all their data each time they log on and off.  

The desktops will need some configuration if you want to prevent users from doing anything on them, but the AD structure should be in place first.  Permissions on the file server side, as you said, will be pretty straightforward.  Logon scripts can be assigned in Group Policy.  Let me know if you've got any questions so far or you want more info on something...

mrtwiceAuthor Commented:
OU structure?  Sorry, don't know what that means exactly.  I am guessing by your connotation that it is the structure that will define how authorization takes place (or something similar).

There is only one DC which is also the DHCP, DNS, and file server.

From your description, it sounds like the company fits an OU pretty well.  There are currently only two "departments", sales and service.  However, I would like positional OUs as well.  I am envisioning a situation where an employee would be a "department employee" and also a member of "sales".  A manager would be a "manager" and also a member of "sales".  I am not really sure how group policies work.  Will I need to make two group policies, one called sales_managers and one service_managers?  Or can I add one user to a "managers" group policy and also a "sales" group policy, implying then that they would be a "sales manager" and have privileges accordingly?  I would like a separate domain users group for the employee users, so DepartmentEmployees would be fine.

You have spoken about group policies and security groups, but I have only heard the names and am not familiar with how they work or how to use them.  Would you have a link to a site somewhere that would give a good explanation?  I will also be looking for one.

Great, I was right about roaming profiles.  However, once again I don't have a clue how to use or implement them.   The desktops I would like stored on the server, but they can change them if they like.  I don't have a problem with changes, I just want them to have "their" desktop/start menu no matter where they log in.

Okay, it sounds to me like our next step is creating the OU structure in AD.  I am assuming this will just be some point and click maneuvers in the AD snap-in.  But where do I start?  Thanks.

Justin CAWS Solutions ArchitectCommented:
Sorry for the acronyms.  An Organizational Unit (OU) is an Active Directory (AD) container used to organize objects and to set security boundaries within a domain; you can apply Group Policy (GP) to a local system, Site, Domain, or OU (LSDOU for short).  You can create a couple different types of groups in Windows 2000.  There are Security and Distribution groups, each with a Domain Local, Global, or Universal scope.  Distribution groups are basically email distribution groups (not security enabled); Security groups can be assigned permissions and also be used as distribution groups.  For your purposes you'll want to make Security groups to assign your users permissions.  Here is an article with more info on Windows 2000 groups:

You can use the company's two-department structure as a basis for your OUs, with nested OUs under those to define positions within each department if you wish.  That will give you a way to set policy for the entire department via the top level OU and fine tune the policy for each OU under it.  Keep in mind that you can set "Block Inheritance" on an OU to prevent Group Policy Objects (GPOs, an actual policy you have defined) from higher OUs from applying to the lower OU.  This way you can exempt some people (like the CEO) from being restricted by a GPO.  Another way to exempt a user or group is to remove the "Apply Policy" right from the security tab of the GPO.  You can apply GPOs to the domain itself but only select the "Apply Policy" permission for members of a particular security group.  That allows you to apply a GPO whose scope encompasses the entire domain, but only apply it to certain people.

The user account objects and computer objects for each computer and user in the domain will be placed into the correct OU, but you can create security groups that contain users from anywhere in the domain.  This is where you'd create the "Admins", "Managers", and "Department_Employees" groups and place the appropriate users (adding groups instead of individual users is more manageable) from both OUs in them.  You can now use these groups to assign permissions to all Admins, Managers and Employees at once.  To further break it down, you'd then create security groups for "Sales_Admins", "Sales_Managers", and "Sales_Employees", then "Service_Admins", "Service_Managers", and "Service_Employees" like you mentioned.  You can break the groups down even further if you wish, or add more as needed.  

The roaming profiles can be specified in the Profile Path setting of the AD user account's properties.  Enter a valid share path; you can use the format "\\sharename\profiledir\%username%" to create the directory.  %username% will resolve to the user account's name and the appropriate security rights will be applied to the newly created directory.  You can specify the user's home directory path on the same page.  

To start creating OUs, open up Active Directory Users and Computers, right-click the domain name and select New->Organizational Unit.  It's that simple.  When you've got one created, check out the Group Policy tab of its Properties page to get a feel for creating and assigning GPOs.  

So, does that help you see how the OU structure is set up?  It's a tree structure starting with the forest root/domain root and ending with an object of some type (user account, computer account, group, etc).

Here are some links that should give you a better understanding of this stuff:

Group Policy -

Active Directory -

Hope that answers more questions than it raises, but let me know.

mrtwiceAuthor Commented:
That information is outstanding!  I guess I did want explanation after all :)

You have given me a lot of info to work through.  I am going to read it all and then try some implementation.  It may very well be a few days before I get back to you.  Thanks so much!
Justin CAWS Solutions ArchitectCommented:
Thanks.  I know you said you didn't want explanations, but I think it's much easier to understand how to set up AD if you know a bit about why you're doing what you're doing.  Good luck setting things up, post back and let me know how things go.  
mrtwiceAuthor Commented:

After reading your posts and reading the book I purchased, I decided to go with a singular OU structure for my users/groups (per the book's recommendation) and then create my group policies at the domain level but only apply them to certain groups.  The book said this should avoid a complicated OU structure and OUs should only be used for delegating security.  I am sure there are a lot of different views on this, but this seemed to work for me.  

Okay, so here is my structure so far:

In my one OU called OUusers I have the following security groups:


I also have the following users:

I have also set up my file server root and subdirectories.  I created a directory called home:

for my user profiles.  So, for my test user, his profile is stored in:

I managed to get him a roaming profile by just putting the above path in the profile tab.  This worked OK, but I would like to know if there is a way for me to do this for an entire group instead of a user at a time.  It would make for easier management.  

Also, how would I go about giving a domain user administrator privileges on a local computer?

Justin CAWS Solutions ArchitectCommented:
Sorry for taking so long to reply.  It sounds like you've got the AD and file server structure pretty well figured out, that's a good thing.  As for profiles, in my enterprise we created user accounts manually over a period of time when we migrated to Win2K, so I don't know how to change the profile path for multiple users at once.  Same with local admin rights, we use a standard Windows image that includes a domain group in the local administrators group, so the systems are configured from the start.  I'll do some looking around though and let you know what I can find on those two questions.  

Justin CAWS Solutions ArchitectCommented:
How's it coming?  

To grant domain users local admin access, use the Restricted Groups setting in GP to add a domain user or group to the Administrators group, then apply the GPO to the OU containing your computer accounts.  The setting is located in GP at "Computer Configuration\Windows Settings\Security Settings\Restricted Groups".

Haven't found anything about batch profile creation; it may take a 3rd party app to do what you're looking for.  
mrtwiceAuthor Commented:
Actually, it hasn't been coming along at all.  I haven't had a chance to work on it since the last time I replied.  That last post of yours confirmed what I had guessed would be the case, I just couldn't get the time to try it.  Thanks for providing the details.  I will be trying it this weekend hopefully.  

As for the batch processing, I am not going to worry about it.  I have to make the user anyway, it takes a whole five seconds to add the remote profile thing.

I'll let you know how things work out.  Thanks again!
mrtwiceAuthor Commented:
Boy, that shouldn't have been as hard as it was, but I think I have everything with the group policies figured out and working now.

A question: when you make a group policy that only affects the computer management, does that only take effect when you apply it to groups with computers in it?  I tried to apply the GPO for the restricted groups to a group with users in it, but it never seemed to work.  I then applied it to the domain_computers group and it worked great.  Does that sound right?

Okay, I really only have one thing left to do.  I need to set up network drive mappings on login.  I am sure I need to do that with the login/logout scripts in a GPO.  What do I use to do the scripting with?  Is there a specific language or compiler I need to install?  What is the best way to do it?  Thanks.

Justin CAWS Solutions ArchitectCommented:
Yeah, the Computer Configuration settings only apply to computer accounts.  Those settings will have no effect on user accounts.  You can actually disable the User Configuration section of that GPO if you want; that's typically done to make GPO processing more efficient, but in a small environment it's not a big deal.  The way you've got it set up will work, just don't forget to add new computer accounts to the domain_computers group.  

Scripting is pretty straightforward, you can use a simple batch file with the "net use" command to map drives.  

NET USE X: \\servername\%username%

%username% will resolve to the user's username, so that would map drive X to the user's directory on the server.  Here's a link with a lot of info on logon scripts:

Hope that helps.
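The mapping the question actually asked for (the home directory plus the company public share and the group's public share) written out as a complete logon batch file. This is an added example, not a script from this thread; the server name FILESRV, the share names home, public and sales, and the group name Sales_Employees are constructed placeholders.

```batch
@echo off
rem Logon script for members of the Sales_Employees group (constructed example).
rem Assumes the file server FILESRV exposes the shares \\FILESRV\home,
rem \\FILESRV\public and \\FILESRV\sales; substitute the real names.
rem Assign it in a GPO under User Configuration\Windows Settings\Scripts (Logon)
rem and grant that GPO's "Apply Group Policy" permission only to Sales_Employees.
rem One copy of this file per department group keeps the script free of branching.

rem Never put passwords in here: logon scripts live in SYSVOL, which every
rem authenticated user can read. The user's own logon token supplies credentials.

rem Remove stale mappings first so a user moving between PCs never inherits
rem drive letters left behind by a previous user. /y suppresses the prompt.
for %%D in (X: P: S:) do net use %%D /delete /y >nul 2>&1

rem X: = the user's own directory. NTFS permissions on the server still decide
rem what can be read or written; the mapping only makes it convenient.
rem /persistent:no stops Windows from remembering the mapping between logons,
rem so the script, not the local profile, is the single source of truth.
net use X: \\FILESRV\home\%USERNAME% /persistent:no
if errorlevel 1 echo Could not map X: to \\FILESRV\home\%USERNAME%

rem P: = company-wide public share
net use P: \\FILESRV\public /persistent:no
if errorlevel 1 echo Could not map P: to \\FILESRV\public

rem S: = the sales department's public directory
net use S: \\FILESRV\sales\public /persistent:no
if errorlevel 1 echo Could not map S: to \\FILESRV\sales\public
```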
Justin CAWS Solutions ArchitectCommented:
Any luck?

mrtwiceAuthor Commented:
Yes, Actually I got everything working last night.  At least, I think I have.  I haven't had a lot of time to test everything thoroughly, but so far it looks good.  Thank you for all your help and sticking with it.  Take care.
Justin CAWS Solutions ArchitectCommented:
Glad it's working for you, post back if I can help with anything else.
I found difficulty in understanding the tabs in the user properties of Active Directory. Could you please help me with where to get all the detailed information?
Please help me with home directory information; can anybody help me with whether someone else can access it?