SBS Essentials 2011 - Hot Desk, login, User profiles, Permissions

Benview used Ask the Experts™
I am migrating a peer network of some 6 XP and 6 W7 PCs into an SBS Essentials 2011 server. Several of the PCs have multiple users so I have used Pro Wiz to move their profiles to a new set of user names & Passwords on the server.

The client wants the users to hot-desk locally and remote access to any available computer. I have several access issues that I am currently working on:

1.    The profiles work but only on the PCs from which they came...... I need to have them appear on any PC.

2.    There are permission issues for the domain user names when running local software on the PCs. The XPs work better than the W7s. I get the following message: "The local policy of this system does not permit you to login interactively"

I'm needing some guidance on the best approach for these issues...


Any user should be able to logon to the domain from any station.  Unless you authorize/create Roaming Profiles, they will get a new local profile at every station.  So if your users move around (none of ours do) and they need the same desktop at every station, Roaming Profiles is the answer.  But don't just do this because you can.  You should only do it if you have a specific need.  This can create a lot of unnecessary traffic across the network.

For remote access, each user that is going to connect to a given station must be given permission to do so.  The Wizards assign that to the station you connect them to, but if they want/need access to a different one you can assign that in start - rclick computer - properties - remote access - add users (or perhaps by GPO).

As for running software locally... can you give an example?  Installing software/printers and such require elevated privileges on any modern OS, but opening Word, for example, should not.

Philip Elder, Technical Architect - HA/Compute/Storage

Did you use the Connect Wizard to connect those PCs? Profile migration from p2p is built in.

You can use Redirected Folders for data access across PCs.

Option: Run through users as standard and use Group Policy Preferences to deliver a domain user account to the Local Admin group on all PCs. That can be your UAC credentials account on 7.



Back to it after the New Year break....
Yes, I used the connect wizard and have been trying to set up redirected folders but with no success.

I have used gpupdate and gpresult, both seem to indicate all is well but the users' desktops just aren't following them.

I have used a folder C:\ServerFolders\Folder Redirection.... but nothing is being saved into it.

Any suggestions would be appreciated.....
The folder redirection gpo can take several restarts to take effect.  You can test all of that from the gpo console or with gpresult.  

Following them?  You mean to another computer?  That requires roaming profiles, which I discourage unless you have a very compelling need.


I may have misunderstood the difference between roaming profiles and folder redirection....
My reading led me to believe that folder redirection superseded roaming profiles as it enabled you to be selective as to the items that followed the users i.e. Desktop and Contacts, and leave the rest such as documents behind. My client wants the users to be able to remote access to any PC that may be available and at least have some comms and be it some limited functionality.

It seems as though I may have it wrong......... comments?

Philip Elder, Technical Architect - HA/Compute/Storage

Roaming profiles are a PITA.

Redirected Folders tied into Offline Files works pretty good. It requires an understanding of how things work so that one can be prepared when/if a migration is required to a new redirected folder server.

Just for clarity, are you saying that in your environment there is not a one to one relationship between users and computers?  We normally see remote access to either the users regular desktop, or, if that is not possible, a Remote Desktop Services server (fka Terminal Server).

I discourage offline files as well, except for the traveling users that take their mobile systems out of the office and are expected to have all "their" data, in which case you must encrypt it.  Having all this stuff zinging around the wires every time a user logs on/off just adds network traffic.

However, the wizards in Essentials should offer all you need.  They offer the option to redirect any portion of the user experience for Windows 7, but is more limited for XP and older.  See the chart in this document: (and review the document for a better understanding of redirected folders)

Therefore, my understanding of your situation is:  You have more users than computers, and you want each user to have their profile available from any computer.  If you run the Essentials Wizard for each part of the profile each user should find his profile (fewer items for XP) moved to the server after two or more logons from the original system.  Following a successful move, that same user should get the same profile (minus the stuff from XP that cannot be redirected) on any computer.



You asked previously:

As for running software locally... can you give an example?  Installing software/printers and such require elevated privileges on any modern OS, but opening Word, for example, should not.

I'm still working on this.... Each PC has a software app that apparently accesses several file components to get going.
It launches OK IF:
        The user is the domain user noted at the time the PC was connected to the
        SBS-E server using the connection wizard.
It fails IF:
        The user is another domain user who has not had a previous association with that PC.

Windows 7 PCs display a dialogue saying that the application has stopped working.
Windows XP PCs display a stop window and want to send a report to Microsoft... the report contains info relating to the appname.exe, Microsoft.Visualbasic and

I'm trying to find perhaps a security setting to change on the local machine that will allow any domain users to launch local software.

Any thoughts????
I assume this is a specialized or custom type application that was written in a way to demand full control of the files and folders it uses when the .exe is run.  Bad programming, and many folks would just allow every user to be a local admin.

But, with careful analysis you should be able to figure out which files/folders are affected by this app and grant everyone full control over just those files/folders.
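
Added example, not part of the original thread: a PowerShell sketch of the scoped-permission approach described in the post above, checking whether a domain group already has write access to the application's folders and granting it only where it is missing. The folder paths and the `CONTOSO\Domain Users` group name are hypothetical placeholders, and the script grants Modify rather than Full control as a narrower choice; run it from an elevated prompt.

```powershell
# Added example: the paths and group name are hypothetical placeholders.
$AppPaths = @(
    'C:\ProgramData\ExampleApp',        # hypothetical shared data folder
    'C:\ExampleApp\Settings'            # hypothetical settings folder
)
$Group = 'CONTOSO\Domain Users'         # hypothetical domain group

# Returns $true if an Allow ACE naming $Identity directly carries Modify.
# Rights obtained only through other groups (e.g. BUILTIN\Users) are not seen.
function Test-GroupCanModify {
    param([string]$Path, [string]$Identity)
    $modify = [int][System.Security.AccessControl.FileSystemRights]::Modify
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        $rights = [int]$ace.FileSystemRights
        if ($ace.IdentityReference.Value -eq $Identity -and
            $ace.AccessControlType -eq 'Allow' -and
            (($rights -band $modify) -eq $modify)) {
            return $true
        }
    }
    return $false
}

foreach ($path in $AppPaths) {
    if (-not (Test-Path $path)) {
        Write-Warning "Missing: $path"
        continue
    }
    if (Test-GroupCanModify -Path $path -Identity $Group) {
        Write-Output "OK       $path"
    } else {
        Write-Output "GRANTING $path"
        # (OI)(CI) = inherit to files and subfolders; M = Modify
        & icacls.exe $path /grant "${Group}:(OI)(CI)M" | Out-Null
        if ($LASTEXITCODE -ne 0) {
            Write-Warning "icacls failed on $path"
        }
    }
}
```

Limit the list to data and settings folders the application writes to; giving standard users write access to the folder that holds the executable lets any user replace the program other users run.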


I have given the users full access to the top of the drive but still no luck.... any trick to following the file sequence when starting an app?


I have found that by changing the advanced property  on the Short Cut to run-as-administrator then the software will run.

So, on some PCs the software will run off the Short Cut in default mode, whilst others require the run-as-administrator box checked.

Can someone tell just what is modified behind the scenes by checking this box so I can make a more appropriate change to user permissions.

