Solved

Roaming Profiles

Posted on 2005-02-25
Last Modified: 2010-04-19
I'm creating roaming profiles for a client with one domain controller running Windows Server 2003. They wanted it set up so that nobody gets attached to their computer and every user, no matter which computer they use to log on, has a mapped drive to their own folder on the server. In addition they wanted nobody to be able to do anything with their local C drive. What I did is create a shared Profiles folder with a sub-folder for each user. When they log in, a logon script maps the drive to their personal folder. I also made it so that the local C drive is hidden from any user logging in to the domain. Now the client wants only the supervisors to be able to access their local C drive and have non-roaming profiles. The problem is that I did everything using Group Policy for the domain and there's only one domain and one server. How can I create a group of users that aren't affected by the default domain group policy? Or is there a work-around which would allow me to have it set up the same way I do for the rest of the users? Thanks in advance.
Question by:bluntz48
13 Comments
 
LVL 25

Expert Comment

by:mikeleebrla
ID: 13405241
On the default domain policy, deny the "read" and "apply group policy" rights for that user.
0
 
LVL 15

Expert Comment

by:sr75
ID: 13409103
You can create more than one Group Policy. I never did like the idea of using deny on the default domain policy. Reset the default domain policy back to the way it was. Also create a security group of all the individuals that get to see their C:\ drive so you just deny that group.
0
 
LVL 35

Expert Comment

by:Nirmal Sharma
ID: 13410095
>>>Now the client wants only the supervisors to be able to access their local C drive and have non-roaming profiles. The problem is that I did everything using Group policy for the domain and there's only one domain and one server. How can I create a group of users that aren't affected by the default domain group policy? Or is there a work-around which would allow me to have it set up the same way I do for the rest of the users? Thanks in advance

First question...

Is the C:\ drive the system drive? I mean to say, did they install Windows on this drive? If it is a system drive then ordinary users can't access or write anything on it, except the members of the listed groups.

Who are the supervisors?
Are they members of the following groups:
      Domain Admins
      Enterprise Admins
      Administrators Group.

Where have you specified the settings to hide the C:\ drive? I mean to say, did you create a new group policy or have you configured the settings in "Default Domain Policy" or "Domain Security Policy"?

If they are members of these groups then they already have access to it. If they are not then you need to make them members of the above groups.

Let us know.

Thanks
SystmProg
0
 
LVL 51

Accepted Solution

by:
Netman66 earned 2000 total points
ID: 13412575
Easy one.

Create a sub-OU below the domain.  Add the user accounts of the "administrators" to this new OU.

Right click the OU and select Properties then Group Policy.  If you are running GPMC then select the Open button, if not then select the checkbox for Block Inheritance.  This will block all policies from above except Account Policies, which can't be blocked.

If you have GPMC and clicked the Open button then next, right click the OU in this console and select Block Inheritance from the context menu.

That's pretty much it.

If you need certain policies to apply then add them to the OU directly.

0
 
LVL 51

Expert Comment

by:Netman66
ID: 13430317
Another thing I forgot to mention was that roaming profiles are set up on the Profiles tab on the user's property sheet on their account in AD. Simply don't put a path in there for those admin users to prevent roaming profiles.

As far as the Group Policy issues, my last post is one way to correct this.

0
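The OU approach from the accepted solution, together with the follow-up note about the profile path, scripted as an added example (not code from any poster in this thread). It assumes a domain where the RSAT ActiveDirectory and GroupPolicy PowerShell modules are available; the domain DN, the OU name and the "Supervisors" security group are hypothetical placeholders.

```powershell
# Added example. Placeholder names: DC=example,DC=local, OU "Supervisors",
# and a security group "Supervisors" that already holds the supervisor accounts.
Import-Module ActiveDirectory, GroupPolicy

$domainDn = 'DC=example,DC=local'   # placeholder domain
$ouName   = 'Supervisors'           # placeholder OU name
$ouDn     = "OU=$ouName,$domainDn"

# 1. Create the sub-OU directly below the domain if it does not exist yet.
$existing = Get-ADOrganizationalUnit -Filter "Name -eq '$ouName'" `
                -SearchBase $domainDn -SearchScope OneLevel
if (-not $existing) {
    New-ADOrganizationalUnit -Name $ouName -Path $domainDn
}

# 2. For each supervisor: clear the roaming profile path (the field on the
#    account's property sheet), then move the account into the new OU.
Get-ADGroupMember -Identity 'Supervisors' |
    Where-Object objectClass -eq 'user' |
    ForEach-Object {
        Set-ADUser    -Identity $_.DistinguishedName -Clear profilePath
        Move-ADObject -Identity $_.DistinguishedName -TargetPath $ouDn
    }

# 3. Block inheritance on the OU so GPOs linked above it stop applying.
Set-GPInheritance -Target $ouDn -IsBlocked Yes | Out-Null

# 4. Verify. Anything still listed under InheritedGpoLinks after blocking
#    is an enforced link from above and will continue to apply.
$som = Get-GPInheritance -Target $ouDn
"Inheritance blocked: $($som.GpoInheritanceBlocked)"
$som.InheritedGpoLinks |
    Select-Object DisplayName, Enforced, Enabled, Order |
    Format-Table -AutoSize

# Accounts in the OU should now show an empty profilePath.
Get-ADUser -SearchBase $ouDn -Filter * -Properties profilePath |
    Select-Object SamAccountName, profilePath
```

Blocking inheritance removes every non-enforced GPO linked above the OU, not only the drive-hiding policy, so any domain-level settings the supervisors should still receive have to be linked to the OU directly. Moving user accounts only changes which User Configuration settings they get; Computer Configuration settings follow the OU of the computer account.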
 
LVL 4

Expert Comment

by:SunshineVK
ID: 13498231
Hi!! For the answer to your question
"How can I create a group of users that aren't affected by the default domain group policy?", I would suggest the following:
(1) Create a group called Supervisors.
(2) Add all the supervisors to that group.
(3) In the Default Domain Policy (in which you have all the settings defined), deny access to this Supervisors group.
(4) Create a new policy (e.g. Super Policy), the way you want it for the supervisors, and apply it at the domain level itself.
(5) In this newly created Super Policy, remove the permission for Apply Group Policy for Domain Users and add the Supervisors group (created in step 1) with Read Group Policy and Apply Group Policy rights.
For successful application of a GPO, the Read and Apply security settings of the GPO have to be enabled. If either of them is unchecked or denied, the GPO will not work. Also remember DENY takes precedence.

OR

(1) Create an OU (e.g. Super).
(2) Move all the supervisors here.
(3) Create a separate policy (Super Policy) with the settings required.
(4) Block inheritance of all policies on this OU.
(5) Apply the Super Policy to this OU itself.

It depends on which part of the Group Policy settings (i.e. User Configuration or Computer Configuration) you have configured. If the User Configuration part is configured then you can use either of the methods mentioned; otherwise, if you have defined many settings in the Computer Configuration part of the GPO, it will be a hassle to add individual PCs to the security settings of the GPO, and I would suggest using the method of creating an OU and simply moving the supervisor and his PC there.

Please let me know if this suggestion is of any help to you.

(5) Apply the
0
 
LVL 25

Expert Comment

by:mikeleebrla
ID: 16495071
My very simple solution will solve the question asker's problem. If you deny the read/apply GPO rights to any user, the GPO will not be applied, which is what the question asker wanted. I feel I deserve some points for the correct answer that I gave.
0
 
LVL 39

Expert Comment

by:redseatechnologies
ID: 16495237
In instances where there are multiple paths to achieve a solution, I will always recommend the best solution.

While your solution would have worked, I too don't like applying deny rights on GPOs.

Netman66's solution, in my opinion, was the best solution as it was a) workable, b) tidy and c) best practice.

Feel free to comment if you agree or disagree and the moderator will take that into account when they close the question

Thanks

-red
EE Cleanup Volunteer
0
 
LVL 20

Expert Comment

by:Venabili
ID: 16496685
>> In instances where there are multiple paths to achieve a solution, I will always recommend the best solution.

Split also works in such cases and is an option here :)
0
 
LVL 39

Expert Comment

by:redseatechnologies
ID: 16497072
Very true Venabili, I will use a split if there is no clear "Best" answer

Here, however, there was :)

-red
0

Question has a verified solution.
