
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 418

Roaming Profiles

I'm creating roaming profiles for a client with one domain controller running Windows Server 2003. They wanted it set up so that nobody gets attached to their computer and every user, no matter which computer they use to log on, has a mapped drive to their own folder on the server. In addition, they wanted nobody to be able to do anything with their local C drive. What I did is create a shared Profiles folder with a sub-folder for each user. When they log in, a logon script maps the drive to their personal folder. I also made it so that the local C drive is hidden from any user logging in to the domain. Now the client wants only the supervisors to be able to access their local C drive and have non-roaming profiles. The problem is that I did everything using Group Policy for the domain and there's only one domain and one server. How can I create a group of users that aren't affected by the default domain group policy? Or is there a work-around which would allow me to have it set up the same way I do for the rest of the users? Thanks in advance.
0
bluntz48
Asked:
mikeleebrla Commented:
On the default domain policy, deny the "read" and "apply group policy" rights for that user.
0
 
sr75 Commented:
You can create more than one Group Policy. I never did like the idea of using deny on the default domain policy. Reset the default domain policy back to the way it was. Also create a security group of all the individuals that get to see their C:\ drive so you just deny that group.
0
 
Nirmal Sharma (Solution Architect) Commented:
>>>Now the client wants only the supervisors to be able to access their local C drive and have non-roaming profiles. The problem is that I did everything using Group policy for the domain and there's only one domain and one server. How can I create a group of users that aren't affected by the default domain group policy? Or is there a work-around which would allow me to have it set up the same way I do for the rest of the users? Thanks in advance

First question...

Is the C:\ drive the System Drive? I mean to say, did they install Windows on this drive? If it is a System Drive, then ordinary users can't access or write anything on it, except the members of the listed groups.

Who are the supervisors?
Are they members of the following groups:
      Domain Admins
      Enterprise Admins
      Administrators Group

Where have you specified the settings to hide the C:\ drive? I mean to say, did you create a new group policy, or have you configured the settings in "Default Domain Policy" or "Domain Security Policy"?

If they are members of these groups, then they already have access to it. If they are not, then you need to make them members of the above groups.

Let us know.

Thanks
SystmProg
0
 
Netman66 Commented:
Easy one.

Create a sub-OU below the domain.  Add the user accounts of the "administrators" to this new OU.

Right click the OU and select Properties then Group Policy.  If you are running GPMC then select the Open button, if not then select the checkbox for Block Inheritance.  This will block all policies from above except Account Policies, which can't be blocked.

If you have GPMC and clicked the Open button then next, right click the OU in this console and select Block Inheritance from the context menu.

That's pretty much it.

If you need certain policies to apply then add them to the OU directly.

0
 
Netman66 Commented:
Another thing I forgot to mention was that roaming profiles are set up on the Profiles tab on the user's property sheet on their account in AD. Simply don't put a path in there for those admin users to prevent roaming profiles.

As far as the Group Policy issues, my last post is one way to correct this.

0
 
SunshineVK Commented:
Hi!! For the answer to your question
"How can I create a group of users that aren't affected by the default domain group policy?", I would suggest the following:
(1) Create a group called Supervisors.
(2) Add all the supervisors to that group.
(3) In the Default Domain Policy (in which you have all the settings defined), deny access to this Supervisors group.
(4) Create a new policy (e.g. Super Policy), the way you want it for supervisors, and apply it at the domain level itself.
(5) In this newly created Super Policy, remove the Apply Group Policy permission for Domain Users and add the Supervisors group (created in Step 1) with Read Group Policy and Apply Group Policy rights.
For successful application of a GPO, the Read and Apply security settings of the GPO have to be enabled. If either of them is unchecked or denied, the GPO will not work. Also remember that DENY takes precedence.

OR

(1) Create an OU (e.g. Super).
(2) Move all the supervisors here.
(3) Create a separate policy (Super Policy) with the settings required.
(4) Block inheritance of all policies on this OU.
(5) Apply the Super Policy to this OU itself.

It depends on which part of the Group Policy settings (i.e. User Configuration or Computer Configuration) you have configured. If the User Configuration part is configured, then you can use either of the methods mentioned; otherwise, if you have defined many settings in the Computer Configuration part of the GPO, it will be a hassle to add individual PCs to the security settings of the GPO, and I would suggest using the method of creating an OU and simply moving the supervisor and his PC there.

Please let me know if this suggestion is of any help to you.

(5) Apply the
0
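The two approaches proposed in this thread (a Deny on the Default Domain Policy versus a separate OU with Block Inheritance), modeled as an added example that is not part of any post: a simplified Python sketch of how user-side GPO filtering resolves in each case. The container name `domain`, the `Authenticated Users` baseline ACL, and the omission of enforced links and account policies are assumptions of the model.

```python
# Simplified model of user-side GPO filtering (added example; names are constructed).
from dataclasses import dataclass, field

READ, APPLY = "Read", "Apply Group Policy"

@dataclass
class GPO:
    name: str
    allow: dict = field(default_factory=dict)  # group -> set of allowed rights
    deny: dict = field(default_factory=dict)   # group -> set of denied rights

    def applies_to(self, groups):
        """True only if both rights are allowed and neither is denied."""
        allowed, denied = set(), set()
        for g in groups:
            allowed |= self.allow.get(g, set())
            denied |= self.deny.get(g, set())
        return {READ, APPLY} <= allowed - denied  # Deny takes precedence

@dataclass
class Container:
    name: str
    parent: "Container" = None
    links: list = field(default_factory=list)  # GPOs linked to this container
    block_inheritance: bool = False

def effective_gpos(container, groups):
    """GPO names applied to a user in `container`, domain first, then OUs."""
    chain, node = [], container
    while node is not None:
        chain.append(node)
        if node.block_inheritance:
            break  # nothing linked above this container is inherited
        node = node.parent
    return [g.name for c in reversed(chain) for g in c.links if g.applies_to(groups)]

def resultant(method):
    """Return (regular user GPOs, supervisor GPOs) for method 'deny' or 'ou'."""
    ddp = GPO("Default Domain Policy", allow={"Authenticated Users": {READ, APPLY}})
    sup = GPO("Super Policy", allow={"Supervisors": {READ, APPLY}})
    domain = Container("domain", links=[ddp])
    staff, bosses = ["Authenticated Users"], ["Authenticated Users", "Supervisors"]
    if method == "deny":  # security filtering: Deny ACE on the domain GPO
        ddp.deny["Supervisors"] = {READ, APPLY}
        domain.links.append(sup)
        return effective_gpos(domain, staff), effective_gpos(domain, bosses)
    ou = Container("Super", parent=domain, links=[sup], block_inheritance=True)
    return effective_gpos(domain, staff), effective_gpos(ou, bosses)
```

Both methods give the same resultant set in this model; the difference is where the exception lives, in the GPO's ACL or in the OU structure. On a live domain, `gpresult` on a supervisor's session is the check that the intended GPOs were filtered out.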
 
mikeleebrla Commented:
My very simple solution will solve the question asker's problem. If you deny the read/apply GPO rights to any user, the GPO will not be applied, which is what the question asker wanted. I feel I deserve some points for the correct answer that I gave.
0
 
redseatechnologies Commented:
In instances where there are multiple paths to achieve a solution, I will always recommend the best solution.

While your solution would have worked, I too also don't like applying deny rights on GPOs.

Netman66's solution, in my opinion, was the best solution as it was a) workable, b) tidy and c) best practices

Feel free to comment if you agree or disagree and the moderator will take that into account when they close the question

Thanks

-red
EE Cleanup Volunteer
0
 
Venabili Commented:
>> In instances where there are multiple paths to achieve a solution, I will always recommend the best solution.

Split also works in such cases and is an option here :)
0
 
redseatechnologies Commented:
Very true Venabili, I will use a split if there is no clear "Best" answer

Here, however, there was :)

-red
0
