Solved

WINDOWS 2000 SERVER GROUP POLICY

Posted on 2006-10-19
Last Modified: 2010-04-13
Hi, I would like to set a group policy which would block users from saving documents to their local hd (need to save everything to a server to get a backup). Is it possible to do this, and if so, how? Many of the users are admins on their local machine.
Thanks
0
Comment
Question by:dwoodfie74
17 Comments
 
LVL 9

Expert Comment

by:gopal_krishna
ID: 17768072
You need to set the roaming profile to the user profile and point the user to the server.
0
 
LVL 9

Expert Comment

by:gopal_krishna
ID: 17768099
How to create a roaming user profile in Windows 2000

http://support.microsoft.com/kb/302082

How to configure a user account to use a roaming user profile in Windows Server 2003, Windows 2000 Server, or Windows NT 4.0

http://support.microsoft.com/kb/316353

Please follow the document and get back to us if any issues.

regards
Gopal Krishna K
0
 
LVL 25

Expert Comment

by:mikeleebrla
ID: 17768231
Roaming profiles have NOTHING to do with where users save their documents. Roaming profiles are for user settings (favorites, desktop settings, etc.), NOT for saving documents.

You need to look into folder redirection, which will redirect the local 'My Documents' to a network file server/share.  Do you have home directories set up?

One of the biggest reasons why roaming profiles are a horrible idea for My Documents is simply login time.  Say a user has 4 GB of documents and you put this in the PROFILE, then at user login time 4 GB must be copied over the network.  Just imagine this going on at 9 am when everyone is trying to log in at once.

0
 
LVL 16

Expert Comment

by:kshays
ID: 17768365
Agree 100% with mike!

You should enable folder redirection on the my documents and application data if you are going to use roaming profiles.  Even if they are members of the local admins what is to keep them from saving to their computers?

0
 

Author Comment

by:dwoodfie74
ID: 17769273
I have a share set up to a public folder.  From the diversity of the answers, what is the best way to go? Do I need to set up roaming and then folder redirect? Can I set this up for the whole domain or do I need to do it for each OU? If I set it up for the whole domain, can I exclude some users? Point me in the right direction.
Thanks for your help.
0
 
LVL 9

Expert Comment

by:gopal_krishna
ID: 17769361
The best way is to create a roaming profile and set the storage space in the server based on the number of users. Once this exceeds the max level then the user can always transfer some of the important files in the Resource server or as you said to the public folder with their user profile in it.

Note: make sure that even the public folder server is also backed up and also the roaming profile server too.

Let me know if this is a good suggestion.

regards
Gopal krishna K
0
 
LVL 25

Accepted Solution

by:
mikeleebrla earned 125 total points
ID: 17769377
Well, as I mentioned and as kshays agreed, you REALLY need NOT to mix roaming profiles and user folders.  It would be best if you created two shares as below:

1.  \\server\profiles_share\username\
2.  \\server\user_files\username\

Now you have two separate places for roaming profiles and user files....

Yes, you can set up folder redirection for the whole domain, and yes, you can exclude some users.

http://technet2.microsoft.com/WindowsServer/en/library/60b2157c-aa5b-44f2-b045-b74d2fd1bf701033.mspx?mfr=true



Are you SURE you want to enable roaming profiles? Some people love it but others hate it.  I personally don't like it.  It seems to work well in theory but not in practice.  Unless you have users using multiple PCs, I wouldn't do it.

0

 
LVL 25

Expert Comment

by:mikeleebrla
ID: 17769431
>>The best way is to create a roaming profile and set the storage space in the server based on the number of users.
I totally disagree. All this will do is cause WAY too much network traffic at login time, since the user's ENTIRE home folder will be copied at EVERY login.  Again, roaming profiles are for user settings, NOT user files.

>>Once this exceeds the max level then the user can always transfer some of the important files in the Resource server or as you said to the public folder with their user profile in it.
Why not just put it on the file server in a home directory share (where it belongs) in the first place?  Why have USERS manage where their data is?  That is just a nightmare waiting to happen.
0
 
LVL 16

Assisted Solution

by:kshays
kshays earned 125 total points
ID: 17769584
Cannot agree more here.  

I currently have all of my users as (roaming), but in my situation I need to though.  

I still think if you are going to go (roaming) then you MUST redirect the (my documents and application data) to a network share.  Heck, the users probably won't even know it's being redirected.  If you want, you can set quotas on the volume where the my documents are stored to manage the space, but we're talking about the "profile" folder instead here though.  Of course the desktop is included in the "profile", so if they slap a couple of hundred megs on their desktop then it might be slow logging in as well.

Public folder?  If this is just a public folder then it needs to be on a network drive anyway.  You can map the drive via login scripts, set quotas for the users on the volume also.

Let's take it one step at a time.  

1.  Do you want to setup roaming profiles?
yes- \\servername\profiles\%username%

2.  Need a public folder?
yes - map it via login for them.  Set quotas if needed.

Kevin
0
 
LVL 29

Expert Comment

by:matrixnz
ID: 17770302
My 2Cents

Either of the suggestions will work, roaming profiles and/or folder redirection; using both would be my preferred method. However, what if the user saves to C:\ or All Users\My Documents ??  dwoodfie74, I believe your biggest problem is that your users are Admins on their computers. You could set up Group Policies to Hide Drives or "LockDown" the system to some extent etc., but a local admin could circumvent this, if they know how.

Cheers
0
 
LVL 16

Expert Comment

by:kshays
ID: 17770497
All of my users are just domain users and that's it.  :)  Well I take that back, there is 1 group that has access to TS, but that's all.

Kevin


0
 
LVL 2

Expert Comment

by:mightofnight
ID: 17773998
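; Redirects the per-user My Documents and Favorites shell folders to a network share.
[Version]
Signature=$CHICAGO$

[DefaultInstall]
AddReg=Reg.Settings

; AddReg format: root key, subkey, value name, flags, data.
; 0x20000 stores the value as REG_EXPAND_SZ so variables such as %USERNAME% are expanded when it is read.
[Reg.Settings]
HKCU,Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders,Personal,0x20000,"%PERSONAL%"
HKCU,Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders,Favorites,0x20000,"%FAVORITES%"

; Replace (server or dfs location) with the real server name or DFS path.
[Strings]
PERSONAL = "\\(server or dfs location)\files\Individual shares\%USERNAME% - %COMPUTERNAME%\My Documents"
FAVORITES = "\\(server or dfs location)\files\Individual shares\%USERNAME% - %COMPUTERNAME%\Favorites"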



Make a new file such as documents.inf and paste the above in.  Then right-click on the file and select Install, log off and log back on, then move the documents over.  I also have this script set to copy Internet Explorer favorites.  I have the permissions on this folder set so that domain users can create folders, and then only domain admins and the current owner have inherited rights to these folders.  This is an automated way of keeping other users out of documents without manually setting permissions for each new folder.  Sometimes if the user doesn't have admin rights to their machine I get an error, but it still works.  (I have never figured that one out.)
0
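One way to sanity-check an INF like the one posted above before rolling it out, as an added example that is not part of the original thread: it flags any User Shell Folders value that resolves to a local path or uses variables without the REG_EXPAND_SZ flag. The server name `fileserver01`, the Desktop entry and the one-pass substitution model are assumptions made for illustration.

```python
import re

SHELL_KEY = r"software\microsoft\windows\currentversion\explorer\user shell folders"
FLG_ADDREG_TYPE_EXPAND_SZ = 0x20000

# Constructed sample modelled on the INF above; "fileserver01" is a placeholder
# and the Desktop entry is deliberately left on a local drive as REG_SZ.
SAMPLE_INF = r'''[DefaultInstall]
AddReg=Reg.Settings
[Reg.Settings]
HKCU,Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders,Personal,0x20000,"%PERSONAL%"
HKCU,Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders,Desktop,0,"%DESKTOP%"
[Strings]
PERSONAL = "\\fileserver01\files\%USERNAME% - %COMPUTERNAME%\My Documents"
DESKTOP = "C:\Desktops\%USERNAME%"
'''

def parse_inf(text):
    """Return {section_name_lower: [lines]}; ';' comments are dropped (simplified)."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(header.group(1).strip().lower(), [])
        elif line and current is not None:
            current.append(line)
    return sections

def audit_shell_folders(text):
    """Map each User Shell Folders value the INF sets to a list of problems."""
    sec = parse_inf(text)
    strings = {k.strip().lower(): v.strip().strip('"')
               for k, _, v in (l.partition("=") for l in sec.get("strings", []))}
    report = {}
    for entry in (e for lines in sec.values() for e in lines):
        fields = [f.strip() for f in entry.split(",", 4)]
        if len(fields) != 5 or fields[1].lower() != SHELL_KEY:
            continue
        _, _, value, flags, data = fields
        # Assumed model: one substitution pass against [Strings]; tokens not
        # defined there (e.g. %USERNAME%) are left unexpanded in the result.
        path = re.sub(r"%([^%]+)%",
                      lambda m: strings.get(m.group(1).lower(), m.group(0)),
                      data.strip('"'))
        problems = []
        if not path.startswith("\\\\"):
            problems.append("not a UNC path")
        if "%" in path and not int(flags, 0) & FLG_ADDREG_TYPE_EXPAND_SZ:
            problems.append("has variables but is not REG_EXPAND_SZ")
        report[value] = problems
    return report
```
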
 
LVL 2

Expert Comment

by:mightofnight
ID: 17774024
I should specify that this changes the location of the user's My Documents, in case someone isn't familiar with registry settings. Also, I use username - computer name for the folders because we have some shared user names in our organization yet.  I even do this with our roaming profiles, since loading the user's documents over a remote connection can take forever at times.
0
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 17783670
Just thought I would open my trap and voice agreement with Mike and Kev.....
0
