Re: DNS configuration

orsobubu <postxng@xxxxxxxxxxx> wrote:
Lanwench, thank you for your roaming profiles guidelines; I'm trying
to follow them, I also installed the uphc program I never heard
before. my network big problem is the continuously reconfigurating

reconfiguring, maybe? ;-)

programs after every reboot for every users: autocad, winzip, itunes,
etc.

That's a good reason to use folder redirection. Redirect My Documents,
Application Data, and Desktop, in a custom GPO, linked at the MyBusiness
level. I'd redirect everything to the same place ...\\server\users. That
way, you'll end up with

\\server\users\username\my documents
\\server\users\username\desktop
\\server\users\username\application data

Keep your profiles tinytinytiny!


could after first tests, the impression is that some programs still
continue to reconfigurate,

This isn't a word. :)

and others not. Now I've written here my
most important sbs customized configurations, if you'll have time to
take a look.

1. Profiles directory: I created it in C:\, since It seemed to me a
less problematic position for user profiles

Why there? Less problematic than what? I don't put any data on the system
volume, ever. These are gonna get pretty big at some point. Leave your
system volume for the OS and server applications.

2. I didn't use the $ to hide Profile directory (need to setup a new
series of profiles with \\Profiles$\...\%username% in profiles tab, or
is it possible to modify the existing one?), because I found sometimes
users need to access their folders

Users do not need to access their profile folders directly - they could
cause plenty of problems if they did. Make this hidden.

3. I redirected via GPO in "D:\Redirected" folder both Docs and
Desktop

No....that would be a local folder (and it won't exist, unless you created
it on each workstation). You need to use UNC paths....see above. And keep
things separate.

4. Permissions:

Profiles and Redirected folders differ from yours:

-"domain users", 3th and 7th authorization, "this folder only"
-"creator owner", full, "subdir and files"
-"system", full, "this folder, subdir, files"

Profiles\single domain user folders: the same as yours:

-"system", full, "this folder, subdir, files"
-"administrators", full, "this folder, subdir, files"
-single domain user, full, "this folder, subdir, files"

Redirected\single domain user folders:

-"system", full, "this folder, subdir, files"
-"creator owner", full, "subdir and files"
-"administrators", full, "this folder, subdir, files"
-single domain user, full, "this folder only"

Redirected\single domain user folders\Desktop-Documents: the same as
yours:

-"system", full, "this folder, subdir, files"
-"administrators", full, "this folder, subdir, files"
-single domain user, full, "this folder, subdir, files"

Fine - I set up my own permissions, which are much simpler, but if this
works for you, well and good.

5. GPOs:

I created two GPO, one for computers policies and one for users
policies, and I linked them to the domain.

What did you link them to? Put it in MyBusiness. And you don't really need
two GPOs, you know.

They appear in the first
two places in the link order list for the domain, and in the third and
fourth places in the link order list for the domain controller (after
2 default policies for the DC).

computers GPO:

-disable offline files
-prohibite offline files user configuration

You could also disable offline file caching on all your shares (I do that).

-disable shutdown event
Why that?

-always wait for at startup&login
-add administrators group to roaming profiles
-delete from cache roaming profiles copies

I don't do that last one. It makes it too slow for users to log in. You can
use DELPROF to periodically scour your network for old cached profiles &
delete them.

-don't detect slow connections
-password policies

Password policies apply only at the the domain level, and you already have a
GPO for that. I'd remove it from here. It won't do anything, and you want to
keep things simple.

users GPO:

-redirect Documents and Desktop
-IE security:

internet area: run activeX controls and plugins, download files, run
active script, run java applet script, enable metadata updates
intranet area: sites: added \\SERVERNAME

-disable automatic autocomplete for explorer modules
-prohibite password saving for automatic autocomplete
-enable screensaver
-protect screensaver with password
-timeout screensaver

thanks a lot.

In general, looks fine.


.

Relevant Pages

  • Re: DNS configuration
    ... thank you for your roaming profiles guidelines; ... Profiles and Redirected folders differ from yours: ... Profiles\single domain user folders: the same as yours: ... I created two GPO, one for computers policies and one for users ...
    (microsoft.public.windows.server.sbs)
  • RE: Mandatory TS user profiles... Admin rights
    ... Ok so i figured out my problem with my mandatory profiles. ... But I am having an issue getting my GPO to work on my TS. ... What is it that you are working to accomplish with your local admin account? ... -I created a shared folder on TS1 called TSProfiles ...
    (microsoft.public.windows.terminal_services)
  • RE: Mandatory TS user profiles... Admin rights
    ... The configurations that I enabled for my TSLockdown GPO "Computer ... Configuration" took effect immediately. ... From what I have read this can be accomplished with TS user profiles. ... -I created a shared folder on TS1 called TSProfiles ...
    (microsoft.public.windows.terminal_services)
  • Re: How do I get roaming profiles to work??
    ... roaming profile to work, but still have some ways to go. ... I checked the \profiles folder, and there isn't actually a folder ... What else do I need to do to get the roaming profiles to work? ... because the current GPO set is a bit of a mess. ...
    (microsoft.public.windows.server.sbs)
  • Re: TS Profiles
    ... There's a GPO setting for this as well: ... "Add the Administrators security group to roaming user profiles" ... MCSE, CCEA, Microsoft MVP - Terminal Server ... \\FS1\TSPROFILES$ folder? ...
    (microsoft.public.windows.terminal_services)