bluntz48
asked on
Roaming Profiles
I'm creating roaming profiles for a client with one domain controller running Windows Server 2003. They wanted it set up so that nobody gets attached to their computer and every user, no matter which computer they use to log on, has a mapped drive to their own folder on the server. In addition, they wanted nobody to be able to do anything with their local C drive. What I did is create a shared Profiles folder with a sub-folder for each user. When they log in, a logon script maps the drive to their personal folder. I also made it so that the local C drive is hidden from any user logging in to the domain. Now the client wants only the supervisors to be able to access their local C drive and have non-roaming profiles. The problem is that I did everything using Group Policy for the domain and there's only one domain and one server. How can I create a group of users that aren't affected by the default domain group policy? Or is there a work-around which would allow me to have it set up the same way I do for the rest of the users? Thanks in advance
On the default domain policy, deny the "read" and "apply group policy" rights for that user.
You can create more than one Group Policy. I never did like the idea of using deny on the default domain policy. Reset the default domain policy back to the way it was. Also create a security group of all the individuals that get to see their C:\ drive so you just deny that group.
>>>Now the client wants only the supervisors to be able to access their local C drive and have non-roaming profiles. The problem is that I did everything using Group policy for the domain and there's only one domain and one server. How can I create a group of users that aren't affected by the default domain group policy? Or is there a work-around which would allow me to have it set up the same way I do for the rest of the users? Thanks in advance
First question...
Is the C:\ drive the system drive? I mean to say, did they install Windows on this drive? If it is a system drive then ordinary users can't access or write anything on it, except the members of the listed groups.
Who are the supervisors?
Are they members of the following groups:
Domain Admins
Enterprise Admins
Administrators Group.
Where have you specified the settings to hide the C:\ drive? I mean to say, did you create a new group policy or have you configured the settings in "Default Domain Policy" or "Domain Security Policy"?
If they are members of these groups then they already have access to it. If they are not then you need to make them members of the above groups.
Let us know.
Thanks
SystmProg
Another thing I forgot to mention was that roaming profiles are set up on the Profiles tab on the user's property sheet on their account in AD. Simply don't put a path in there for those admin users to prevent roaming profiles.
As far as the Group Policy issues, my last post is one way to correct this.
Hi!! For the answer to your question
"How can I create a group of users that aren't affected by the default domain group policy?", I would suggest the following:
(1) Create a group called Supervisors.
(2) Add all the supervisors to that group.
(3) In the Default Domain Policy (in which you have all the settings defined), deny access to this Supervisors group.
(4) Create a new policy (e.g. Super Policy), the way you want it for supervisors, & apply it at the domain level itself.
(5) In this newly created Super Policy, remove the Apply Group Policy permission for Domain Users & add the Supervisors group (created in step 1) with Read Group Policy & Apply Group Policy rights.
For successful application of a GPO, the Read & Apply security settings of the GPO have to be enabled. If either of them is unchecked or denied, the GPO will not work. Also remember DENY takes precedence.
OR
(1) Create an OU (e.g. Super).
(2) Move all the supervisors here.
(3) Create a separate policy (Super Policy) with the settings required.
(4) Block Inheritance of all policies on this OU.
(5) Apply the Super Policy to this OU itself.
It depends on which part of the Group Policy settings (i.e. User Configuration or Computer Configuration) you have configured. If the User Configuration part is configured then you can use either of the methods mentioned; else, if you have defined many settings in the Computer Configuration part of the GPO, it will be a hassle to add individual PCs to the security settings of the GPO & I would suggest using the method of creating an OU & simply moving the supervisor & his PC there.
Please let me know if this suggestion is of any help to you.
(5) Apply the
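A small model of the scoping rules that both methods in the post above rely on, as an added example that is not part of the thread: a GPO applies to a user only if it is linked in scope and the user is allowed both Read and Apply Group Policy, with an explicit Deny winning. The GPO, group and OU names follow the post; the sample users and ACLs are constructed, and enforced ("No Override") links are not modelled.

```python
from dataclasses import dataclass

@dataclass
class Container:
    links: list                      # names of the GPOs linked at this domain/OU
    parent: "Container" = None
    block_inheritance: bool = False

def has_right(aces, groups, right):
    """aces: (trustee, right, 'allow'|'deny') tuples. An explicit Deny always wins."""
    matching = [kind for trustee, r, kind in aces if r == right and trustee in groups]
    return "allow" in matching and "deny" not in matching

def applied_gpos(groups, container, acls):
    """GPOs that apply to a user: linked in scope AND both Read and Apply allowed."""
    chain, node = [], container
    while node is not None:          # walk up from the user's container to the domain
        chain.append(node.links)
        if node.block_inheritance:   # nothing linked higher up is inherited
            break
        node = node.parent
    in_scope = [g for links in reversed(chain) for g in links]
    return [g for g in in_scope
            if has_right(acls[g], groups, "read") and has_right(acls[g], groups, "apply")]

# Constructed sample ACLs and group memberships
EVERYONE = [("Authenticated Users", "read", "allow"), ("Authenticated Users", "apply", "allow")]
SUPERS_ONLY = [("Supervisors", "read", "allow"), ("Supervisors", "apply", "allow")]
DENY_SUPERS = [("Supervisors", "read", "deny"), ("Supervisors", "apply", "deny")]
STAFF = {"Authenticated Users", "Domain Users"}
SUPERVISOR = STAFF | {"Supervisors"}

def method_security_filtering():
    """First method: both GPOs linked at the domain, scoped by their ACLs."""
    domain = Container(links=["Default Domain Policy", "Super Policy"])
    acls = {"Default Domain Policy": EVERYONE + DENY_SUPERS, "Super Policy": SUPERS_ONLY}
    return applied_gpos(STAFF, domain, acls), applied_gpos(SUPERVISOR, domain, acls)

def method_ou(block=True):
    """Second method: supervisors moved to an OU that has its own GPO link."""
    domain = Container(links=["Default Domain Policy"])
    ou = Container(links=["Super Policy"], parent=domain, block_inheritance=block)
    acls = {"Default Domain Policy": EVERYONE, "Super Policy": EVERYONE}
    return applied_gpos(STAFF, domain, acls), applied_gpos(SUPERVISOR, ou, acls)

if __name__ == "__main__":
    print(method_security_filtering(), method_ou(), method_ou(block=False))
```

Calling `method_ou(block=False)` shows what happens when step (4) of the OU method is skipped: the supervisor receives both policies.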
My very simple solution will solve the question asker's problem. If you deny the read/apply GPO rights to any user, the GPO will not be applied, which is what the question asker wanted. I feel I deserve some points for the correct answer that I gave.
In instances where there are multiple paths to achieve a solution, I will always recommend the best solution.
While your solution would have worked, I too also don't like applying deny rights on GPOs
Netman66's solution, in my opinion, was the best solution as it was a) workable, b) tidy and c) best practices
Feel free to comment if you agree or disagree and the moderator will take that into account when they close the question
Thanks
-red
EE Cleanup Volunteer
>> In instances where there are multiple paths to achieve a solution, I will always recommend the best solution.
Split also works in such cases and is an option here :)
Very true Venabili, I will use a split if there is no clear "Best" answer
Here, however, there was :)
-red