  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 231

How do I set up a non-administrator user on a domain with roaming profile and folder redirection?

Hello Experts,

I've been puzzling away at this for a while, and think at least I have narrowed down what I am doing wrong.

On my little office network, I run Small Business Server 2003. All my staff are members of DOMAIN ADMINS, and have roaming profiles. I also redirect all DOMAIN ADMIN users' MY DOCUMENTS to a specific folder so we all share the same documents.

Now I want to add a couple of users to the domain and NOT give them admin privileges. So I made them members of the DOMAIN USERS group. I set up their roaming profiles the same way I had set up all other users. I also set a specific my documents folder redirection so that DOMAIN USERS would have theirs under \\server\users\%username%\mydocs

The problem is, when I log in as one of these DOMAIN USERS, their roaming profile doesn't work, and neither does the folder redirection.

If I make them a member of DOMAIN ADMINS, their roaming profile works fine, and they get redirected to the my docs that all the other DOMAIN ADMINS get directed to.

So what am I doing wrong? Why can't I set these two simple things for these users?
0
Asked by: OzoneFriendly
1 Solution
 
Jay_Jay70 Commented:
Hi OzoneFriendly,

Where is your policy sitting that controls folder redirection? Have you got security filtering set up that's only allowing domain admins to apply this? Are your users still under the same OU?
0
 
OzoneFriendly (Author) Commented:
Hi Jay Jay,

You might have to treat me like an idiot here; I have created a domain policy entry in "Group Policy Management", which I call "Desktop Policy". The only thing I set in that policy is the folder redirection.

The roaming profile folders are configured in the user setup.

I have played around adding security groups to the security filtering section, but it doesn't seem to make any difference. I'm not sure if it's even a policy issue, as the roaming profiles don't work either, and as far as I understand, they are not a policy issue?

If I just have "authenticated users" in the security filtering, that should apply to every user that logs onto the domain, right?

What do you mean by "OU" ?
0
 
Jay_Jay70 Commented:
An OU is an organisational unit within Active Directory in which you keep users and groups and to which you apply policies. I am not at all familiar with SBS server but I will try and find someone who is for you.
0
 
OzoneFriendly (Author) Commented:
Hello again,

Thanks for your help thus far. I have found the OUs you are talking about. I've never looked into them.

As far as I can tell, all my DOMAIN ADMINS users are NOT in an OU, but the user I am trying to set up IS listed under one.

I'm looking at a couple of things and will make further notes.
0
 
Jay_Jay70 Commented:
No worries, I just don't want to throw you in the wrong direction :)
0
 
OzoneFriendly (Author) Commented:
Okay, so in ACTIVE DIRECTORY USERS AND COMPUTERS, I have;

shift.local (my domain)
|
|
--->MyBusiness
|     |
|     |
|     --->Users
|        |
|        |
|        ---->SBSUsers
|    
|    
--->Users

There is only one actual user in SBSUsers, Kylie. All my other users are inside the shift.local/users folder.

I have only two of these "special case" users, Kylie and Darren, who I want to be other than DOMAIN ADMINS. Darren is listed with all the other accounts in shift.local/users. Either way, if I log in as Kylie or Darren, I don't get access to their roaming profile.
0
 
Jeffrey Kane - TechSoEasy, Principal Consultant, Commented:
First, why on earth are all your users Domain Admins?  That is really not a good idea even in an IT consultancy.  There should only ever be one network administrator... you know... too many cooks... etc.!

Then, you apparently haven't discovered the User Templates yet???  This is how permissions are created and granted in SBS-Land.  You should NOT create these manually, and for the most part it looks like your roaming profile configuration isn't right.

SBS is a PRE-CONFIGURED environment.  It does not have a lot of the flexibility found in regular Server 2003's because in order to keep all of the server components working happily together, you need to configure everything with the wizards.  

My Documents folder redirection is also handled by the Configure My Documents Folder Redirection Wizard (good name, huh?).  This can be found in the Users area of the Server Management Console.

The default location for user's My Documents is \\Servername\Users\%UserName%\My Documents.  However, you do not need to do anything to configure this other than running that wizard.  Of course, if you've manually configured things the wizards probably won't work now.  I'd suggest that you undo what you manually configured.

Each user should have their OWN My Documents Folder.  Then there will also be a SHARED documents area automatically created in SharePoint (http://companyweb) which is a MUCH better place for company-wide shared documents.  

All of this only happens when you use the appropriate wizards which you should have first seen in the To-Do list during the initial installation.  The one you need now is the Add-User wizard which will allow you to create standard domain users by applying the "Users" template to them.

Please review http://sbsurl.com/itpro to see why I'm sounding like a crazy geek with all of this stuff.  It will explain why SBS is different and why you need to do things the SBS way.

Then, go to http://sbsurl.com/techguide for your complete resource for planning, deploying and managing your SBS.

Jeff
TechSoEasy
0
 
Jeffrey Kane - TechSoEasy, Principal Consultant, Commented:
Since I see you posted that at the same time that I did... you need to move all of the users you created to \MyBusiness\users\SBSUsers.  Then run the Change User Permissions wizard and reapply the Administrator Template to those who you want as Admins.  This will fix most of your problems with user accounts.

See the paper I linked above (http://sbsurl.com/itpro) which tells you not to mess with the default Active Directory Structure.

Jeff
TechSoEasy
0
 
Jeffrey Kane - TechSoEasy, Principal Consultant, Commented:
Finally, if you DO want to use roaming profiles, you need to do it the SBS way as well.  See http://sbsurl.com/postinstall for details (under Roaming Profiles).  But you'll note that they state that you should not include My Documents in the roaming profile.

Jeff
TechSoEasy
0
 
OzoneFriendly (Author) Commented:
Hi Jeff,

Sorry I posted the question in the wrong section. For some reason I didn't think there was an SBS area. I'll not do that again.

Also sorry for asking stupid questions. It is how I best learn things - I just do them until I get them right.

I've moved all the users into the SBSUsers section.

I haven't messed with any of the existing, working accounts just yet.

I have deleted the two accounts I am having trouble with and re-created them with the wizard, making them USERS only.

I read up on setting up roaming profiles, and it seems there isn't too much scariness there; I had configured it the SBS way, although I hadn't excluded MY DOCUMENTS. I have now. :-)

I've just got to wait for a couple of things to get sorted here, and I'll try logging into the newly re-created user profiles and see how far I get.

I might go ask another question related to the my documents issue now while I wait.

0
 
OzoneFriendly (Author) Commented:
After all that, the same problem exists. Users who are not domain admins do not have working roaming profiles. (I'll tackle the my docs thing after I fix the profiles issue)
0
 
Jeffrey Kane - TechSoEasy, Principal Consultant, Commented:
I didn't think the question was stupid... no need to apologize.  Sorry if my answer came off as attitudinal... it was at the end of a tough day... nothing personal.

If users are going to log into various workstations, you probably need to make the "Domain Users" group a member of the local administrators group on each machine.  Give that a try and then see if it works for you.

Jeff
TechSoEasy
0
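
An audit check for the two privilege points raised in this thread (all staff in Domain Admins, and Domain Users being added to the local Administrators group), added here as an example and not posted by any participant. It assumes `SHIFT` is the NetBIOS name of shift.local and that it is run in PowerShell 2.0 or later on a domain-joined workstation; `Get-GroupMember` is a helper defined here, not a built-in cmdlet.

```powershell
# Added example (not from the thread): list who holds Domain Admins and what is
# nested in a workstation's local Administrators group, via the WinNT ADSI provider.
param(
    [string]$Domain   = 'SHIFT',              # assumption: NetBIOS name of shift.local
    [string]$Computer = $env:COMPUTERNAME     # workstation to inspect
)

# Hypothetical helper: returns one object per direct member of a group.
function Get-GroupMember {
    param([string]$Container, [string]$GroupName)
    $group = [ADSI]"WinNT://$Container/$GroupName,group"
    foreach ($m in @($group.psbase.Invoke('Members'))) {
        $type = $m.GetType()
        New-Object PSObject -Property @{
            Group = "$Container\$GroupName"
            Name  = $type.InvokeMember('Name',    'GetProperty', $null, $m, $null)
            Class = $type.InvokeMember('Class',   'GetProperty', $null, $m, $null)
            Path  = $type.InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        }
    }
}

$domainAdmins = @(Get-GroupMember -Container $Domain   -GroupName 'Domain Admins')
$localAdmins  = @(Get-GroupMember -Container $Computer -GroupName 'Administrators')

# Groups that make every logged-on user an administrator when nested here.
$broad = 'Domain Users', 'Authenticated Users', 'Everyone'

"Domain Admins has {0} direct member(s):" -f $domainAdmins.Count
$domainAdmins | Sort-Object Name | Format-Table Name, Class -AutoSize

"Local Administrators on ${Computer}:"
$localAdmins | Sort-Object Name | Format-Table Name, Class, Path -AutoSize

# Flag broad groups nested in local Administrators.
$localAdmins | Where-Object { $broad -contains $_.Name } | ForEach-Object {
    Write-Warning "$($_.Name) is a member of local Administrators on $Computer"
}

# Flag ordinary user accounts sitting directly in Domain Admins.
$domainAdmins | Where-Object { $_.Class -eq 'User' -and $_.Name -ne 'Administrator' } |
    ForEach-Object { Write-Warning "$($_.Name) holds Domain Admins rights" }
```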