Re: NETLOGON Share

---

• From: "Josh Messerschmitt" <josh@xxxxxxxxxxxxxx>
• Date: Thu, 12 Jan 2006 21:03:18 -0600

---

> The best place to put it is in the sysvol within the policy that is
> calling the login script itself. When a user logs on, they have no drives
> mapped yet so they have access to local resources or the sysvol.
>
> http://support.microsoft.com/kb/322241/EN-US/
>
> If you are having trouble with admins modifying scripts then they need to
> be demoted. How many admins do you need to modify a script? If a user is
> a domain admin, you can try and take something away but they can just go
> back and give it back to themselves.

So, you're saying that assigning a login script via ADUC may not be the best
choice - under the profile tab. Obviously, the profile tab will be
compatible with 9x clients, where GPO will not. However, I think you may be
onto something - if each admin only has fulledit rights to their own GPO's,
they shouldn't be able to modify each others policies, scripts, etc. The
admins at each site are not domain admins, they have a custom set of
permissions assigned via a group for each ou/site.

I just know that it's easy to use the profile tab in ADUC for this, but it
could be a mangement nightmare if all of the admins are putting ALL of their
scripts out on one single flat share. Worst case scenario, I could probably
create a file structure under NETLOGON for each site, where the admin for
each site only has permissions to modify what is in their respective folder.
I'll have to test that if I do this on one DC, that it will replicate to all
other DC's in the domain.

Feel free to chime in anywhere here if I'm way off base
--
Josh Messerschmitt


.

---

• References:
  • NETLOGON Share
    • From: Josh Messerschmitt
  • Re: NETLOGON Share
    • From: Paul Bergson

• Prev by Date: Active Directory Group Policies
• Next by Date: Re: Service Pack 1 On Domain Controllers
• Previous by thread: Re: NETLOGON Share
• Next by thread: new ad 2003 exisiting with ad 2000, in prep for upgrade
• Index(es):
  • Date
  • Thread

---

Relevant Pages Re: need to modify local group membership via VBscript ... The script I posted was orginally used to add another domain group ... It only worked if Domain Admins was ... can add domain groups to the local Administrators group. ... how to add a domain group to local administrators account: ... (microsoft.public.windows.server.scripting) Re: need to modify local group membership via VBscript ... A logon script runs with the credentials of the user, ... ' Bind to local Administrators group on remote computer. ... Wscript.Echo "Domain Admins already in Administrators on " & strComputer ... (microsoft.public.windows.server.scripting) Re: need to modify local group membership via VBscript ... It only worked if Domain Admins ... script can add domain groups to the local Administrators group. ... version intended to run as a Startup script, configured in Group Policy: ... (microsoft.public.windows.server.scripting) Re: NETLOGON Share ... The best place to put it is in the sysvol within the policy that is calling ... When a user logs on, ... If you are having trouble with admins modifying scripts then they need to be ... How many admins do you need to modify a script? ... (microsoft.public.windows.server.active_directory) Re: Modifying a record field value while not blocking it to others ... And of course again the record you are trying to modify has not to be 'open' ... someone opens that ID=12 record everything in it is locked. ... often add a script line which opens a random record if the file holds enough ... system where customers use Credits when renting items and get Credits ... (comp.databases.filemaker)

---

• Windows
• Science
• Usenet

• Archive
• About
• Privacy
• Search
• Imprint

www.tech-archive.net  > Archive  > Windows  > microsoft.public.windows.server.active_directory  > 2006-01