OzoneFriendly
asked on
How do I setup a non-administrator user on a domain with roaming profile and folder redirection?
Hello Experts,
I've been puzzling away at this for a while, and think at least I have narrowed down what I am doing wrong.
On my little office network, I run Small Business Server 2003. All my staff are members of DOMAIN ADMINS, and have roaming profiles. I also redirect all DOMAIN ADMIN users MY DOCUMENTS to a specific folder so we all share the same documents.
Now I want to add a couple of users to the domain and NOT give them admin privilleges. So I made them members of the DOMAIN USERS group. I setup their roaming profiles the same way I had setup all other users. I also set a specific my documents folder redirection so that DOMAIN USERS would have theirs under \\server\users\%username%\
The problem is, when I log in as one of these DOMAIN USERS, their roaming profile doesn't work, and neither does the folder redirection.
If I make them a member of DOMAIN ADMINS, their roaming profile works fine, and they get redirected to the my docs that all the other DOMAIN ADMINS get directed to.
So what am I doing wrong? Why can't I set these two simple things for these users?
I've been puzzling away at this for a while, and think at least I have narrowed down what I am doing wrong.
On my little office network, I run Small Business Server 2003. All my staff are members of DOMAIN ADMINS, and have roaming profiles. I also redirect all DOMAIN ADMIN users MY DOCUMENTS to a specific folder so we all share the same documents.
Now I want to add a couple of users to the domain and NOT give them admin privilleges. So I made them members of the DOMAIN USERS group. I setup their roaming profiles the same way I had setup all other users. I also set a specific my documents folder redirection so that DOMAIN USERS would have theirs under \\server\users\%username%\
The problem is, when I log in as one of these DOMAIN USERS, their roaming profile doesn't work, and neither does the folder redirection.
If I make them a member of DOMAIN ADMINS, their roaming profile works fine, and they get redirected to the my docs that all the other DOMAIN ADMINS get directed to.
So what am I doing wrong? Why can't I set these two simple things for these users?
ASKER
Hi Jay Jay,
You might have to treat me like an idiot here; I have a created a domain policy entry in "Group Policy Management", which I call "Desktop Policy". The only thing I set in that policy is the folder redirection.
The roaming profile folders are configured in the user setup.
I have played around adding security groups to the security filtering section, but it doesn't seem to make any difference. I'm not sure if its even a policy issue, as the roaming profiles don't work either, and as far as I understand, they are not a policy issue?
If I just have "authenticated users" in the security filtering, that should apply to every user that logs onto the domain, right?
What do you mean by "OU" ?
You might have to treat me like an idiot here; I have a created a domain policy entry in "Group Policy Management", which I call "Desktop Policy". The only thing I set in that policy is the folder redirection.
The roaming profile folders are configured in the user setup.
I have played around adding security groups to the security filtering section, but it doesn't seem to make any difference. I'm not sure if its even a policy issue, as the roaming profiles don't work either, and as far as I understand, they are not a policy issue?
If I just have "authenticated users" in the security filtering, that should apply to every user that logs onto the domain, right?
What do you mean by "OU" ?
an OU is an organisational unit within Active Directory in which you keep users and groups and apply policies to, i am not at all familiar with SBS server but i will try and find someone who is for you
ASKER
Hello again,
Thanks for your help thus far. I have found the OU's you are talking about. I've never looked into them.
As far as I can tell, all my DOMAIN ADMINS users are NOT in an OU, but the user I am trying to setup IS listed under one.
I'm looking at a couple of things and will make further notes.
Thanks for your help thus far. I have found the OU's you are talking about. I've never looked into them.
As far as I can tell, all my DOMAIN ADMINS users are NOT in an OU, but the user I am trying to setup IS listed under one.
I'm looking at a couple of things and will make further notes.
no worries i just dont want to throw you in the wrong direction :)
ASKER
Okay, so in ACTIVE DIRECTORY USERS AND COMPUTERS, I have;
shift.local (my domain)
|
|
--->MyBusiness
| |
| |
| --->Users
| |
| |
| ---->SBSUsers
|
|
--->Users
There is only one actual user in SBSUsers, Kylie. All my other users are inside the shift.local/users folder.
I have only two of these "special case" users, Kylie and Darren, who I want to be other than DOMAIN ADMINS. Darren is listed with all the other accounts in shift.local/users. Either way, if I log in as Kylie or Darren, I don't get access to their roaming profile.
shift.local (my domain)
|
|
--->MyBusiness
| |
| |
| --->Users
| |
| |
| ---->SBSUsers
|
|
--->Users
There is only one actual user in SBSUsers, Kylie. All my other users are inside the shift.local/users folder.
I have only two of these "special case" users, Kylie and Darren, who I want to be other than DOMAIN ADMINS. Darren is listed with all the other accounts in shift.local/users. Either way, if I log in as Kylie or Darren, I don't get access to their roaming profile.
First, why on earth are all your users Domain Admins? That is really not a good idea even in an IT consultancy. There should only ever be one network administrator... you know... too many cooks... etc.!
Then, you apparently haven't discovered the User Templates yet??? This is how permissions are created and granted in SBS-Land. You should NOT create these manually, and for the most part it looks like your roaming profile configuration isn't right.
SBS is a PRE-CONFIGURED environment. It does not have a lot of the flexibility found in regular Server 2003's because in order to keep all of the server components working happily together, you need to configure everything with the wizards.
My Documents folder redirection is also handled by the Configure My Documents Folder Redirection Wizard (good name, huh?). This can be found in the Users area of the Server Management Console.
The default location for user's My Documents is \\Servername\Users\%UserNa
Each user should have their OWN My Documents Folder. Then there will also be a SHARED documents area automatically created in SharePoint (http://companyweb) which is a MUCH better place for company-wide shared documents.
All of this only happens when you use the appropriate wizards which you should have first seen in the To-Do list during the initial installation. The one you need now is the Add-User wizard which will allow you to create standard domain users by applying the "Users" template to them.
Please review http://sbsurl.com/itpro to see why I'm sounding like a crazy geek with all of this stuff. It will explain why SBS is different and why you need to do things the SBS way.
Then, go to http://sbsurl.com/techguide for your complete resource for planning, deploying and managing your SBS.
Jeff
TechSoEasy
Then, you apparently haven't discovered the User Templates yet??? This is how permissions are created and granted in SBS-Land. You should NOT create these manually, and for the most part it looks like your roaming profile configuration isn't right.
SBS is a PRE-CONFIGURED environment. It does not have a lot of the flexibility found in regular Server 2003's because in order to keep all of the server components working happily together, you need to configure everything with the wizards.
My Documents folder redirection is also handled by the Configure My Documents Folder Redirection Wizard (good name, huh?). This can be found in the Users area of the Server Management Console.
The default location for user's My Documents is \\Servername\Users\%UserNa
Each user should have their OWN My Documents Folder. Then there will also be a SHARED documents area automatically created in SharePoint (http://companyweb) which is a MUCH better place for company-wide shared documents.
All of this only happens when you use the appropriate wizards which you should have first seen in the To-Do list during the initial installation. The one you need now is the Add-User wizard which will allow you to create standard domain users by applying the "Users" template to them.
Please review http://sbsurl.com/itpro to see why I'm sounding like a crazy geek with all of this stuff. It will explain why SBS is different and why you need to do things the SBS way.
Then, go to http://sbsurl.com/techguide for your complete resource for planning, deploying and managing your SBS.
Jeff
TechSoEasy
Since I see you posted that at the same time that I did... you need to move all of the users you created to \MyBusiness\users\SBSUsers
See the paper I linked above (http://sbsurl.com/itpro) which tells you not to mess with the default Active Directory Structure.
Jeff
TechSoEasy
See the paper I linked above (http://sbsurl.com/itpro) which tells you not to mess with the default Active Directory Structure.
Jeff
TechSoEasy
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Hi Jeff,
Sorry I posted the question in the wrong section. For some reason I didn't think there was a SBS area. I'll not do that again.
Also sorry for asking stupid questions. It is how I best learn things - I just do them until I get them right.
I've moved all the users into the SBSUsers section.
I haven't messed with any of the exisiting, working accounts just yet.
I have deleted the two accounts I am having trouble with and re-created them with the wizard, making them USERS only.
I read up on setting up roaming profiles, and it seems there isn't too much scariness there; I had configured it the SBS way, although I hadn't excluded MY DOCUMENTS. I have now. :-)
I've just got to wait for a couple of things to get sorted here, and I'll try logging into the newly re-created user profiles and see how far I get.
I might go ask another question related to the my documents issue now while I wait.
Sorry I posted the question in the wrong section. For some reason I didn't think there was a SBS area. I'll not do that again.
Also sorry for asking stupid questions. It is how I best learn things - I just do them until I get them right.
I've moved all the users into the SBSUsers section.
I haven't messed with any of the exisiting, working accounts just yet.
I have deleted the two accounts I am having trouble with and re-created them with the wizard, making them USERS only.
I read up on setting up roaming profiles, and it seems there isn't too much scariness there; I had configured it the SBS way, although I hadn't excluded MY DOCUMENTS. I have now. :-)
I've just got to wait for a couple of things to get sorted here, and I'll try logging into the newly re-created user profiles and see how far I get.
I might go ask another question related to the my documents issue now while I wait.
ASKER
After all that, the same problem exists. Users who are not domain admins do not have working roaming profiles. (I'll tackle the my docs thing after I fix the profiles issue)
I didn't think the question was stupid... no need to apologize. Sorry if my answer came off as attitudinal... it was at the end of a tough day... nothing personal.
If users are going to log into various workstations, you probably need to make the "Domain Users" group a member of the local administrators group on each machine. Give that a try and then see if it works for you.
Jeff
TechSoEasy
If users are going to log into various workstations, you probably need to make the "Domain Users" group a member of the local administrators group on each machine. Give that a try and then see if it works for you.
Jeff
TechSoEasy
where is your policy sitting that controls folder redirection? have you got security filtering set up thats only allowing domaina admins to apply this? are you users still under the same OU