Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people, just like you, are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
Solved

WINDOWS 2000 SERVER GROUP POLICY

Posted on 2006-10-19
17
179 Views
Last Modified: 2010-04-13
Hi I would like to set a group policy which would block users from saving documents to their local hd (need to save everything to a server to get a backup). Is it possible to do this and if so how? Many of the users are admins on their local machine.
thanks
0
Comment
Question by:dwoodfie74
  • 3
  • 3
  • 3
  • +4
17 Comments
 
LVL 9

Expert Comment

by:gopal_krishna
ID: 17768072
You need to set the roaming profile to the user profile and point the user to the server.
0
 
LVL 9

Expert Comment

by:gopal_krishna
ID: 17768099
How to create a roaming user profile in Windows 2000

http://support.microsoft.com/kb/302082

How to configure a user account to use a roaming user profile in Windows Server 2003, Windows 2000 Server, or Windows NT 4.0

http://support.microsoft.com/kb/316353

Please follow the document and get back to us if any issues.

regards
Gopal Krishna K
0
 
LVL 25

Expert Comment

by:mikeleebrla
ID: 17768231
roaming profiles have NOTHING to do with where users save their documents. Roaming profiles are for user settings (favorites, desktop settings etc), NOT for saving documents.

you need to look into folder redirection which will redirect the local 'my documents' to a network file server/share.  Do you have home directories setup?

one of the biggest reasons why roaming profiles are a horrible idea for mydocuments is simply loginin time.  Say a user has 4 GB of documents and you put this in the PROFILE, then at user login time 4 GB must be copied over the network.  Just imagine this going on at 9 am when everyone is trying to log in at once.

0
Comprehensive Backup Solutions for Microsoft

Acronis protects the complete Microsoft technology stack: Windows Server, Windows PC, laptop and Surface data; Microsoft business applications; Microsoft Hyper-V; Azure VMs; Microsoft Windows Server 2016; Microsoft Exchange 2016 and SQL Server 2016.

 
LVL 16

Expert Comment

by:kshays
ID: 17768365
Agree 100% with mike!

You should enable folder redirection on the my documents and application data if you are going to use roaming profiles.  Even if they are members of the local admins what is to keep them from saving to their computers?

0
 

Author Comment

by:dwoodfie74
ID: 17769273
I have a share setup to a public folder.  From the diversity of the anwsers what is the best way to go. Do I need to setup roaming and then folder redirect? Can I set this up for the whole domain or do I need to do it for each ou. If i set it up for the whole domain can I exclude some users? Point me in the right direction.
thanks for your help.
0
 
LVL 9

Expert Comment

by:gopal_krishna
ID: 17769361
The best way is to create a roaming profile and set the storage space in the server based on the number of users. Once this exceeds the max level then the user can always transfer some of the important files in the Resource server or as you said to the public folder with there user profile in it.

Note: make sure that even the public folder server is also backed up and also the Romaing profile server too.

let me know if this is good suggestion

regards
Gopal krishna K
0
 
LVL 25

Accepted Solution

by:
mikeleebrla earned 125 total points
ID: 17769377
well as i mentioned and as kshays agreed, you REALLY need NOT to mix roaming profiles and user folders.  It would be best if you created two shares as below:

1.  \\server\profiles_share\username\
2.  \\server\user_files\username\

now you have two seperate places for roaming profiles and user files....

yes you can setup folder redirection for the whole domain and yes you can exlude some users.

http://technet2.microsoft.com/WindowsServer/en/library/60b2157c-aa5b-44f2-b045-b74d2fd1bf701033.mspx?mfr=true



are you SURE you want to enable roaming profiles? some people love it but others hate it.  i personally don't like it.  It seems to work well in theory but not in practice.  Unless you have users using multiple PCs, i wouldn't do it.

0
 
LVL 25

Expert Comment

by:mikeleebrla
ID: 17769431
>>The best way is to create a roaming profile and set the storage space in the server based on the number of users.
i totally disagree,,,,, all this will do will cause WAY too much network traffic at login time since the users ENTIRE home folder will be copied at EVERY login.  Again, roaming profiles are for user settings, NOT user files.

>>Once this exceeds the max level then the user can always transfer some of the important files in the Resource server or as you said to the public folder with there user profile in it.
why not just put it on the file server in a home directory share (where it belongs) in the first place?  why have USERS manage where their data is?  That is just a nightmare waiting to happen.
0
 
LVL 16

Assisted Solution

by:kshays
kshays earned 125 total points
ID: 17769584
Cannot agree more here.  

I currently have all of my users as (roaming), but in my situation I need to though.  

I still think if you are going to go (roaming) then you MUST redirect the (my documents and application data) to a network share.  Heck, the users probably won't even know it's being redirected.  If you want, you can set quotas on the volume where the my documents are stored to manage the space, but wer'e talking about the "profile" folder instead here though.  Of course the desktop is included in the "profile" so if they slap a couple of hundred megs on their desktop then it might be slow logging in as well.

Public folder?  If this is just a public folder then it needs to be on a network drive anyway.  You can map the drive via login scripts, set quotas for the users on the volume also.

Let's take it one step at a time.  

1.  Do you want to setup roaming profiles?
yes- \\servername\profiles\%username%

2.  Need a public folder?
yes - map it via login for them.  Set quotas if needed.

Kevin
0
 
LVL 29

Expert Comment

by:matrixnz
ID: 17770302
My 2Cents

Either of the suggestions will work, roaming profiles and/or folder redirection, using both would be my preferred method, however what if the user saves to C:\ or All Users\My Documents ??  dwoodfie74 I believe your biggest problem is that your users are Admins on their computers, you could setup Group Policies to Hide Drives or "LockDown" the system to some extent etc.. but a local admin could circumvent this, if they know how.

Cheers
0
 
LVL 16

Expert Comment

by:kshays
ID: 17770497
All of my users are just domain users and that's it.  :)  Well I take that back, there is 1 group that has access to TS, but that's all.

Kevin


0
 
LVL 2

Expert Comment

by:mightofnight
ID: 17773998
[Version]
Signature=$CHICAGO$

[DefaultInstall]
AddReg=Reg.Settings

[Reg.Settings]
HKCU,Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders,Personal,0x20000,"%PERSONAL%"
HKCU,Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders,Favorites,0x20000,"%FAVORITES%"

[Strings]
PERSONAL = "\\(server or dfs location)\files\Individual shares\%USERNAME% - %COMPUTERNAME%\My Documents"
FAVORITES = "\\(server or dfs location)\files\Individual shares\%USERNAME% - %COMPUTERNAME%\Favorites"



Make a new file such as documents.inf and past the above in.  then right click on the file and select install logoff and log back on then move the documents over.  I also have this script set to copy internet explorer favroties.  I have the permission in this folder set so that domian users can create folders and then only domain admins and current owner have inherted rights to these folders.   This is an automated way of keeping other users out of documents with out manually settings permissions for each new folder.  Some times if the user doesn't have admin rights to their machine i get an error but it still works.  (i have never figured that one out).
0
 
LVL 2

Expert Comment

by:mightofnight
ID: 17774024
i should specify that this changes the location of the users mydocuments in case someone isn't familuar with registry settings. ALso i use username - computer name for the folders because we have some shared user names in our organization yet.  I even do this with our roaming profiles since loading the users documents over a remote connection can take for ever at times.
0
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 17783670
Just thought I would open my trap and voice agreement with Mike and Kev.....
0

Featured Post

Ransomware-A Revenue Bonanza for Service Providers

Ransomware – malware that gets on your customers’ computers, encrypts their data, and extorts a hefty ransom for the decryption keys – is a surging new threat.  The purpose of this eBook is to educate the reader about ransomware attacks.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

NTFS file system has been developed by Microsoft that is widely used by Windows NT operating system and its advanced versions. It is the mostly used over FAT file system as it provides superior features like reliability, security, storage, efficienc…
Many businesses neglect disaster recovery and treat it as an after-thought. I can tell you first hand that data will be lost, hard drives die, servers will be hacked, and careless (or malicious) employees can ruin your data.
In a recent question (https://www.experts-exchange.com/questions/29004105/Run-AutoHotkey-script-directly-from-Notepad.html) here at Experts Exchange, a member asked how to run an AutoHotkey script (.AHK) directly from Notepad++ (aka NPP). This video…

809 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question