Solved

SBS Essentials 2011 - Hot Desk, login, User profiles, Permissions

Posted on 2012-12-28
Last Modified: 2013-02-04
I am migrating a peer network of some 6 XP and 6 W7 PCs into an SBS Essentials 2011 server. Several of the PCs have multiple users so I have used Pro Wiz to move their profiles to a new set of user names & Passwords on the server.

The client wants the users to hot-desk locally and remote access to any available computer. I have several access issues that I am currently working on:

1.    The profiles work but only on the PCs from which they came...... I need to have them appear on any PC.

2.    There are permission issues for the domain user names when running local software on the PCs. The XPs work better than the W7s. I get the following message: "The local policy of this system does not permit you to login interactively"


I'm needing some guidance on the best approach for these issues...

Thanks
Question by:Benview
11 Comments
 
LVL 21

Assisted Solution

by:Larry Struckmeyer MVP
Larry Struckmeyer MVP earned 500 total points
ID: 38729035
Hi:

Any user should be able to logon to the domain from any station.  Unless you authorize/create Roaming Profiles, they will get a new local profile at every station.  So if your users move around (none of ours do) and they need the same desktop at every station, Roaming Profiles is the answer.  But don't just do this because you can.  You should only do it if you have a specific need.  This can create a lot of unnecessary traffic across the network.

For remote access, each user that is going to connect to a given station must be given permission to do so.  The Wizards assign that to the station you connect them to, but if they want/need access to a different one you can assign that in start - rclick computer - properties - remote access - add users (or perhaps by GPO).

As for running software locally... can you give an example?  Installing software/printers and such require elevated privileges on any modern OS, but opening Word, for example, should not.
0
 
LVL 38

Expert Comment

by:Philip Elder
ID: 38729274
Did you use the Connect Wizard to connect those PCs? Profile migration from p2p is built in.

You can use Redirected Folders for data access across PCs.

Option: Run through users as standard and use Group Policy Preferences to deliver a domain user account to the Local Admin group on all PCs. That can be your UAC credentials account on 7.

Philip
0
 

Author Comment

by:Benview
ID: 38738613
Back to it after the New Year break....
Yes, I used the connect wizard and have been trying to set up redirected folders but with no success.

I have used gpupdate and gpresult, both seem to indicate all is well but the users' desktops just aren't following them.

I have used a folder C:\ServerFolders\Folder Redirection.... but nothing is being saved into it.

Any suggestions would be appreciated.....
0
 
LVL 21

Expert Comment

by:Larry Struckmeyer MVP
ID: 38738649
The folder redirection gpo can take several restarts to take effect.  You can test all of that from the gpo console or with gpresult.  

Following them?  You mean to another computer?  That requires roaming profiles, which I discourage unless you have a very compelling need.
0
 

Author Comment

by:Benview
ID: 38739179
I may have misunderstood the difference between roaming profiles and folder redirection....
My reading led me to believe that folder redirection superseded roaming profiles as it enabled you to be selective as to the items that followed the users, i.e. Desktop and Contacts, and leave the rest such as documents behind. My client wants the users to be able to remote access to any PC that may be available and at least have some comms and be it some limited functionality.

It seems as though I may have it wrong......... comments?
0
 
LVL 38

Expert Comment

by:Philip Elder
ID: 38739581
Roaming profiles are a PITA.

Redirected Folders tied into Offline Files works pretty good. It requires an understanding of how things work so that one can be prepared when/if a migration is required to a new redirected folder server.

Philip
0
 
LVL 21

Expert Comment

by:Larry Struckmeyer MVP
ID: 38739889
Just for clarity, are you saying that in your environment there is not a one to one relationship between users and computers?  We normally see remote access to either the user's regular desktop, or, if that is not possible, a Remote Desktop Services server (fka Terminal Server).

I discourage offline files as well, except for the traveling users that take their mobile systems out of the office and are expected to have all "their" data, in which case you must encrypt it.  Having all this stuff zinging around the wires every time a user logs on/off just adds network traffic.

However, the wizards in Essentials should offer all you need.  They offer the option to redirect any portion of the user experience for Windows 7, but is more limited for XP and older.  See the chart in this document: (and review the document for a better understanding of redirected folders)

http://technet.microsoft.com/en-us/library/cc732275.aspx

Therefore, my understanding of your situation is:  You have more users than computers, and you want each user to have their profile available from any computer.  If you run the Essentials Wizard for each part of the profile each user should find his profile (fewer items for XP) moved to the server after two or more logons from the original system.  Following a successful move, that same user should get the same profile (minus the stuff from XP that cannot be redirected) on any computer.
0
 

Author Comment

by:Benview
ID: 38742491
fl_flyfishing

You asked previously:

As for running software locally... can you give an example?  Installing software/printers and such require elevated privileges on any modern OS, but opening Word, for example, should not.

I'm still working on this.... Each PC has a software app that apparently accesses several file components to get going.
It launches OK IF:
        The user is the domain user noted at the time the PC was connected to the
        SBS-E server using the connection wizard.
It fails IF:
        The user is another domain user who has not had a previous association with that PC.

Windows 7 PCs display a dialogue saying that the application has stopped working.
Windows XP PCs display a stop window and want to send a report to Microsoft... the report contains info relating to the appname.exe, Microsoft.Visualbasic and system.io.fileloadexception.

I'm trying to find perhaps a security setting to change on the local machine that will allow any domain users to launch local software.

Any thoughts????
0
 
LVL 21

Accepted Solution

by:
Larry Struckmeyer MVP earned 500 total points
ID: 38742508
I assume this is a specialized or custom type application that was written in a way to demand full control of the files and folders it uses when the .exe is run.  Bad programming, and many folks would just allow every user to be a local admin.

But, with careful analysis you should be able to figure out which files/folders are affected by this app and grant everyone full control over just those files/folders.
0
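One way to carry out the analysis suggested in the answer above, as an added example that is not part of the original thread: it lists which folders and registry keys the application was refused, so that permissions can be granted on just those. It assumes the failing launch was traced with Sysinternals Process Monitor and exported as CSV with the default columns (the thread names no tool); all paths, PIDs and rows are constructed sample data.

```python
import csv
import io
import ntpath
from collections import defaultdict

# Constructed sample of a Process Monitor CSV export (default columns).
# Paths, PIDs and results are illustrative; only "appname.exe" echoes the thread.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"09:14:02.10","appname.exe","3120","CreateFile","C:\Program Files\AppName\appname.exe.config","SUCCESS","Desired Access: Generic Read"
"09:14:02.21","appname.exe","3120","CreateFile","C:\Program Files\AppName\Data\settings.xml","ACCESS DENIED","Desired Access: Generic Read/Write"
"09:14:02.22","appname.exe","3120","CreateFile","C:\Program Files\AppName\Data\settings.xml","ACCESS DENIED","Desired Access: Generic Read/Write"
"09:14:02.30","appname.exe","3120","CreateFile","C:\Program Files\AppName\Data\app.log","ACCESS DENIED","Desired Access: Generic Write"
"09:14:02.41","appname.exe","3120","RegCreateKey","HKLM\SOFTWARE\AppName\Settings","ACCESS DENIED","Desired Access: All Access"
"09:14:02.50","appname.exe","3120","CreateFile","C:\Users\user2\AppData\Local\AppName","NAME NOT FOUND","Desired Access: Read Attributes"
"09:14:02.60","explorer.exe","1844","CreateFile","C:\Windows\Temp\x.tmp","ACCESS DENIED","Desired Access: Generic Write"
'''


def denied_targets(csv_text, process_name):
    """Map each folder or registry key to the distinct targets the process was denied."""
    grouped = defaultdict(set)
    # CSV exports may start with a UTF-8 byte order mark; strip it before parsing.
    for row in csv.DictReader(io.StringIO(csv_text.lstrip("\ufeff"))):
        if row["Process Name"].lower() != process_name.lower():
            continue  # another process's denials are unrelated noise
        if row["Result"].strip().upper() != "ACCESS DENIED":
            continue  # NAME NOT FOUND etc. are probes, not permission failures
        path = row["Path"]
        # A registry key carries its own ACL; a file normally inherits from its folder.
        is_registry = row["Operation"].startswith("Reg")
        container = path if is_registry else ntpath.dirname(path)
        grouped[container].add((row["Operation"], path))  # set() drops retries
    return {k: sorted(v) for k, v in grouped.items()}


def report(csv_text, process_name):
    """Render the denied targets as an indented text report."""
    lines = []
    for container, hits in sorted(denied_targets(csv_text, process_name).items()):
        lines.append(f"{container}  ({len(hits)} distinct denied target(s))")
        lines.extend(f"    {op:<14}{path}" for op, path in hits)
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_CSV, "appname.exe"))
```

Run against a trace taken while a non-working domain user launches the application; the containers it prints are the candidates for a targeted permission change.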
 

Author Comment

by:Benview
ID: 38746131
I have given the users full access to the top of the drive but still no luck.... any trick to following the file sequence when starting an app?
0
 

Author Comment

by:Benview
ID: 38749572
I have found that by changing the advanced property  on the Short Cut to run-as-administrator then the software will run.

So, on some PCs the software will run off the Short Cut in default mode, whilst others require the run-as-administrator box checked.

Can someone tell just what is modified behind the scenes by checking this box so I can make a more appropriate change to user permissions.

Thanks
0
