Re: Trying to create mandatory profiles....
- From: "Paul Bergson [MVP-DS]" <pbergson@xxxxxxxxxxxxxxxxx>
- Date: Mon, 18 Feb 2008 07:59:38 -0600
The easiest thing to start with is REMOVE all users from the local
administrators group. If they aren't members of this they can't install new
software.
Point the user's profile to a network location that is within their work
area, such as within their home folder. This is done from within ADUC, that
way if they damage something it only impacts their desktop.
Make the "All Users" folder read only for everyone but the Local
Administrators.
This will get you a good start. I created mandatory roaming user profiles
for an airline hangar system and it took a while to get it all locked down.
I ended up getting some help from somebody writing some code to block users
from doing some things that you just couldn't lock down back in W2K.
--
Paul Bergson
MVP - Directory Services
MCT, MCSE, MCSA, Security+, BS CSci
2003, 2000 (Early Achiever), NT
http://www.pbbergs.com
Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.
"jim" <jim@xxxxxxxx> wrote in message
news:uZeuj.88725$rc2.75399@xxxxxxxxxxxxxxxxxxxxxxxxx
I want to control the user desktops (not allow them to install stuff or
hose up the desktop for the next user) and I am trying to create mandatory
profiles on a Windows 2000 Server.
The Windows 2000 Server Administrator's Companion (Microsoft Press), on
page 276, says to...
"1. Create a user account with a descriptive name.... This is just a
blank account that you'll use to create a template for the customized
configuration.
2. Log on using the template account and create the desktop settings you
want, including applications, shortcuts, appearance, network connections,
printers, and so forth.
3. Log off the template account. Windows 2000 creates a user profile on
the system root drive in the Documents And Settings folder. ....
4. Log on using an administrator account. Open Active Directory Users and
Computers, and find the account for which you want to assign the
customized roaming profile."
I'll stop here....because I can't get past step #2.
When I log off the server as Administrator and try to log in as my
template user, I get a "Logon Message" that says "The local policy of this
system does not permit you to logon interactively."
So I logged back in as Administrator, and added the user to the Local
Security Settings>User Rights Assignment>Log On Locally policy setting. I
also checked that Users group was checked there.
I tried logging in locally as Template again and got the same message.
What am I doing wrong?
jim
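
As an added example (not part of the original thread), here is a small Python check for the first recommendation in the reply above, that ordinary users should not be members of the local Administrators group. It parses the output of `net localgroup Administrators`; the sample output, the EXAMPLE domain, the account names and the allow-list are all constructed for illustration.

```python
"""Audit local Administrators membership from `net localgroup Administrators` output."""

# Constructed sample output (not from the thread); domain and accounts are made up.
SAMPLE_OUTPUT = """\
Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
EXAMPLE\\Domain Admins
EXAMPLE\\jdoe
EXAMPLE\\template
The command completed successfully.
"""

# Assumed allow-list: the only principals that should hold local admin rights.
ALLOWED = {"administrator", "example\\domain admins"}


def parse_members(output):
    """Return the names listed between the dashed rule and the status line."""
    members = []
    in_members = False
    for line in output.splitlines():
        line = line.strip()
        if not in_members:
            # The member list starts after the line made up only of dashes.
            in_members = len(line) > 0 and set(line) == {"-"}
            continue
        if not line or line.startswith("The command completed"):
            break
        members.append(line)
    return members


def unexpected_admins(output, allowed=ALLOWED):
    """Return members not on the allow-list (Windows account names are case-insensitive)."""
    allowed_lower = {name.lower() for name in allowed}
    return [m for m in parse_members(output) if m.lower() not in allowed_lower]


if __name__ == "__main__":
    for account in unexpected_admins(SAMPLE_OUTPUT):
        print("remove from local Administrators:", account)
```

To audit a real workstation, feed the captured text of `net localgroup Administrators` to `unexpected_admins()` in place of the constructed sample.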