[Okta Webinar] Learn how to a build a cloud-first strategyRegister Now

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 219
  • Last Modified:

Windows 2003 Terminal Server in NT4 Domain Questions

Here is my issue:

I have an NT 4.0 Domain, that I can't upgrade for a variety of reasons. I have a Windows 2003 Terminal server that is a member of that domain. I need to:

1. Hide local drives from the terminal users, but not the Domain admin account. I played with the GPO user settings, but it affects the admin account as well. Without an AD domain controller and the ability to create an OU, how do I do it?

2. On the same token, how can I redirect the the terminal users files(documents & settings, desktops, etc) to be stored on the D drive, instead of c?  Without AD, the GPO doesn't  not seem to have the user folder redirection under the   userconfig\windows settings\ in the GPO editor. Am I missing it, or is there another way?

0
bepenterprises
Asked:
bepenterprises
  • 4
  • 3
1 Solution
 
artthegeekCommented:
1. Hide local drives:

Make sure you have a separate GPO for those rights/restrictions you want to apply to users & place it at the Domain or OU level.
Give those users Read permissions to the GPO (create a group, put them in it, give permissions to the group)
Don't give permissions to the Administrator.

GPOs will only apply to an object (user, group, server) if that object has Read permissions to it.

2. Redirect:
Assign the path manually by typing it into the "Profile Path" setting on the Profile tab of each user's properties.
0
 
bepenterprisesAuthor Commented:
Again, NT 4 Domain controller. Cannot create OU or a GPO at the domain controller.
0
 
Darwinian999Commented:
1. With an NT4 domain, you obviously can't use Group Policy, so you're stuck with local policies. Local policies apply to all users, including the administrator. There's no practical way to exclude Administrators from having local policy applied.

To hide the drives for users, you can change the value of "nodrives" in the profile of each of users[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer] . The simplest way to do this for new users is to do it in the default user profile .

HideCalc is a great tool for creating .REG, .ADM and .KIX files for hiding drives. http://www.dabcc.com/DABCC/WebApplication/Aspx/dabcc.file.download.aspx?intFile=20

2. You can move the Documents & Settings folder to drive D: - http://support.microsoft.com/kb/322014/en-us
0
Prepare for your VMware VCP6-DCV exam.

Josh Coen and Jason Langer have prepared the latest edition of VCP study guide. Both authors have been working in the IT field for more than a decade, and both hold VMware certifications. This 163-page guide covers all 10 of the exam blueprint sections.

 
bepenterprisesAuthor Commented:
Darwinian999,

That's what I was afraid of that on the the Admin and local policies.

On item 2, I don't want to move them after each user login. If a domain user logs into the terminal server, I want their profile to be created on the d: drive. It sort of works if I set their profile path in their NT user config to a share on the terminal server, but after doing so, the domain admin logged into the terminal server does not have access to the users folder without taking ownership. Then, even if you set the owner back to the domain user, that user cannot gain access to the profile.
 
0
 
Darwinian999Commented:
Step 2 in http://support.microsoft.com/kb/322014/en-us describes a registry change that causes all new cached or local profiles to be created in the location that you specify.
0
 
bepenterprisesAuthor Commented:
OK, but when I change that key value to d:\documents & Settings, all new users logging in get the error that their profile cannot be loaded, and an error 1500 in the event viewer. What am I missing?
0
 
Darwinian999Commented:
Whenever I've done this, I've also done a search and replace in the registry to change the following, in the order listed:

C:\Documents   ->  D:\Documents
C:\DOC  ->  D:\DOC
%SystemDrive%\Documents  ->  D:\Documents

I do this on both values and data in the registry. You'll also need to create the folder "D:\Documents & Settings" with the appropriate permissions.

After doing this, I reboot and it works nicely.
0
 
Darwinian999Commented:
Ah, one other thing - copy the Default User and All Users folders to their new location on D:
0

Featured Post

New feature and membership benefit!

New feature! Upgrade and increase expert visibility of your issues with Priority Questions.

  • 4
  • 3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now