Ritenour
asked on
Group policy desktop on computers
Hi all, I have a windows 2003 domain. I am running group policys. What I would like to do is this...
I have lab systems I want to force a desktop on, but I want to do it by machine not by user so if a user goes to a different lab they will have a different desktop. Is this possible with goup policy and if so how ???
I have lab systems I want to force a desktop on, but I want to do it by machine not by user so if a user goes to a different lab they will have a different desktop. Is this possible with goup policy and if so how ???
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
D'uh - I knew I had forgotten something - good info kevin_uk05...
Then you will need to set correct mode: either Merge or Replace.
If I am getting your intentions right you will need to choose Replace.
Kris
If I am getting your intentions right you will need to choose Replace.
Kris
Hi Routnour
You should also apply these at different OU levels for e.g. Have a Computer OU that has common GPOs set for all Computer than below the Computers OU have your Different Lab OUs set out with the particula GPO set to each one.
i.e.
COMPUTERS OU - General Computers GPO
- LAB1 OU - LAB1 GPO
- LAB2 OU - LAB2 GPO
- Etc..
Cheers
You should also apply these at different OU levels for e.g. Have a Computer OU that has common GPOs set for all Computer than below the Computers OU have your Different Lab OUs set out with the particula GPO set to each one.
i.e.
COMPUTERS OU - General Computers GPO
- LAB1 OU - LAB1 GPO
- LAB2 OU - LAB2 GPO
- Etc..
Cheers
ASKER
This is great info, but how do I pull the icons to the desktop like I could on old 98 systems ?
Hi Ritenour
I think you're actually referring to roaming profiles, or more specific not using roaming profiles, basically if you don't have a roaming profile setup than when a user logs on to that system it will be unique. If you wish to use roaming profiles than what you do is place the shortcuts for e.g. on your lab machine into the All Users Profile that way it's only unique to the computer not to the user.
Cheers
I think you're actually referring to roaming profiles, or more specific not using roaming profiles, basically if you don't have a roaming profile setup than when a user logs on to that system it will be unique. If you wish to use roaming profiles than what you do is place the shortcuts for e.g. on your lab machine into the All Users Profile that way it's only unique to the computer not to the user.
Cheers
ASKER
The problem is that some teachers need to change the desktop when they want to, that is why I am trying to pull the desktop down from the network. So no matter who logs in they get the same desktop in one lab, but can still go to another lab and get a standard student desktop.
Rather than Roaming Profiles i would configure a loopback policy on the Lab OU and configure the User Policy (Folder Redirect) - From here you can redirect a users desktop from the server, so which ever user logs onto any machine within that lab will receive the same Icons. But if they logon to a machine outside the lab then they get their normal policies applied.
ASKER
I cannot do it on the computer alone. I brought the computer out of the computer group into a O.U. and applied the settings...nothing... it worded fine when I added a user to the same O.U. argggg.
The loopback policy within GPO allows for User GPOs to apply to computers. Therefore you would not have to add the individual user to the OU.
Have you followed my instructions at the top, Note #2?
Have you followed my instructions at the top, Note #2?
ASKER
Yes I did follow #2. When I bring in the computer to the OU and apply the settings it does not work. It did work when I put the user in the OU. I think I'm missing something.
Hi Ritenour
Can you explain exactly what you're trying to achieve? Because Group Policy doesnt' control Desktop/Start Menu Shortcuts at all, so although the information is good, it's not going to achieve what you require, if I'm reading your posts above correctly.
From your post you want to have desktop/start menu shortcuts unique to one particular machine or group of machines, than another group of machines. Is that correct?
If so all you need to do is copy the shortcuts to that group of machines C:\Documents and Settings\All Users\Desktop Profile, if your users only have user privleges than they can't change these shortcuts but they can still create shortcuts in their own profile i.e. C:\Documents and Settings\Username\Desktop. The All Users Profile doesn't roam with users it's dedicated to that machine. You could create a script to copy the shortcuts and place them into the All Users Profile from the server, you could also use Group Policy Startup Script to run the script, so that it runs with System Rights rather than the Users Rights which won't allow them to place icons into the All Users Profile.
Hope that made sense.
Cheers
Can you explain exactly what you're trying to achieve? Because Group Policy doesnt' control Desktop/Start Menu Shortcuts at all, so although the information is good, it's not going to achieve what you require, if I'm reading your posts above correctly.
From your post you want to have desktop/start menu shortcuts unique to one particular machine or group of machines, than another group of machines. Is that correct?
If so all you need to do is copy the shortcuts to that group of machines C:\Documents and Settings\All Users\Desktop Profile, if your users only have user privleges than they can't change these shortcuts but they can still create shortcuts in their own profile i.e. C:\Documents and Settings\Username\Desktop.
Hope that made sense.
Cheers
Ritenour
Try gpupdate /force from command line. Reboot is usually required when you move machine account to another OU.
Then try gpresult to make sure it picked up latest changes
Kris
Try gpupdate /force from command line. Reboot is usually required when you move machine account to another OU.
Then try gpresult to make sure it picked up latest changes
Kris
ASKER
The users do not have admin rights on the systems so when I try to copy a desktop down I get access denied. With the old windows poledit (98) this was not an issue. I just want to be able to pull a desktop to a computer no matter who ever is logged in. I dont want it to be usere dependent. So it has to be applied to the computer. This is for a school lab so you can see why I need to do this... unless someone has a better idea I would love to try it.
Hi Ritenour
If you run your script from Group Policy using Computer Configuration\Windows Settings\Scripts (Startup/Shutdown) assign this to your group of computers, than the script will run before the user logs in and runs as a System User. The reason you could do this Windows 98 is because all Windows 9x Systems weren't able to run under NTFS, so they were very unsecure it would of also meant that they could make changes to the system at any time.
For your Group Policy Startup Script just use something similar to
Copy *.lnk "C:\Documents and Settings\All Users\Desktop\" /Y
When you setup the GroupPolicy just copy the .lnk files into the GroupPolicy GUID Folder so that you can use the relative link.
Cheers
If you run your script from Group Policy using Computer Configuration\Windows Settings\Scripts (Startup/Shutdown) assign this to your group of computers, than the script will run before the user logs in and runs as a System User. The reason you could do this Windows 98 is because all Windows 9x Systems weren't able to run under NTFS, so they were very unsecure it would of also meant that they could make changes to the system at any time.
For your Group Policy Startup Script just use something similar to
Copy *.lnk "C:\Documents and Settings\All Users\Desktop\" /Y
When you setup the GroupPolicy just copy the .lnk files into the GroupPolicy GUID Folder so that you can use the relative link.
Cheers
ASKER
I have the links in a folder and tried the copy command, they dont show up.
Firstly check that the copy command has worked and the LNK files are now located in the All Users directory.
Secondley check the security on the LNK files in the All Users Desktop folder. Everyone should have at least read access to them, if not then you will need to add another line to your logon script.
Echo Y| cacls "C:\Documents and Settings\All Users\Desktop\*.*" /G Everyone:R
Secondley check the security on the LNK files in the All Users Desktop folder. Everyone should have at least read access to them, if not then you will need to add another line to your logon script.
Echo Y| cacls "C:\Documents and Settings\All Users\Desktop\*.*" /G Everyone:R
Actually, instead of
Echo Y| cacls "C:\Documents and Settings\All Users\Desktop\*.*" /G Everyone:R
use
Echo Y| cacls "C:\Documents and Settings\All Users\Desktop\*.*" /G Everyone:R Administrators:F
To ensure that Admins have full access.
Echo Y| cacls "C:\Documents and Settings\All Users\Desktop\*.*" /G Everyone:R
use
Echo Y| cacls "C:\Documents and Settings\All Users\Desktop\*.*" /G Everyone:R Administrators:F
To ensure that Admins have full access.
Did you sort this?
ASKER
No, I had to copy links from the desktop out to a server. I then took off what I didnt need and used a bat file to copy icons back. I have not found a way to make it work by machine. I will have time in the summer to see if I can work it out.
You can still alter settings in User Config.\Admin. Templates\Desktop and \Desktop\Active Desktop - and these will apply for the users in that GPO you edited... - wherever they logon.