RE: Mandatory TS user profiles... Admin rights
- From: Noncentz303 <Noncentz303@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Wed, 24 Oct 2007 11:44:01 -0700
Cendrars,
Thanks for the response... It was way helpful for what I have to do. This is
how it went down..
I created my separate GPO and user for my test environment just fine. I was
able to create the share and copy over a good user profile. When I log on
with the user I am able to see the changes that have been made as well as
everything in the C:\Documents and Settings\All Users folder....
I guess now I'm looking to clean and shore up a lot of loose ends. I would like
to be able to log in as an administrator and see my usual menus, start bars
and whatnot, so I won't add myself to the GPO, but I have to edit C:\Documents
and Settings\All Users for my changes to work correctly which also messes
with the admin account.
Is there a workaround for this purpose???
"cendrars" wrote:
Hello,
It has been a while, but give this a shot and let us know how you make out.
You can do this only in a Windows 2003 AD environment. The goal here is to
migrate your users to a mandatory profile without changing any of the AD user
properties you have in place now.
Configure a dummy profile path via the GPO.
Computer Config > Admin Templates > Windows Components > Terminal Services
Set the path for the TS roaming profile
Create a mandatory profile for the terminal server. Create a local account
(place the account into the local admin group). It is also preferable that
you do this on a server with no domain affiliation or policies applied.
VMWare is good enough provided you are matching the OS and SP used in your
production environment. Log the account on and configure the environment the
way you like it. Log off.
Use the Computer Properties window to copy your user profile to a file share
you can get to. You want to be certain that you assign the Authenticated
Users group permission to access the profile. You will see input for this
security config within the Copy window of the My Computer > Properties >
Advanced > User Profiles > Copy Option window.
Refer to the following KB for creating the Mandatory Profile: MS KB323368
Refer to the following KB for configuring Folder Redirection within the
mandatory profile registry config. This is handy information. MS KB242557
This last KB references folder redirection within the ntuser.man registry
hive. Once you have created the mandatory profile, you must load the
ntuser.man file into the regedit.exe HKEY_USERS environment for cleaning. Be
sure to name the account something unique for searching; qqqqqqq is good
enough. Once you have loaded the hive, search for any identity markers
associated with the account. Do not delete the key values, simply remove any
data associated with the account name.
While you are creating the account don't get into detailed configs, avoid
opening apps, this will better assure your mandatory profile is good to go.
Now...back to work.
Backup and empty the Default User profile. Be sure you can see hidden and
system files.
Copy the mandatory profile into the Default User folder environment. Be
sure you have hidden and system files available for viewing.
Rename the ntuser.man into ntuser.dat
Enable the following GPO setting
Computer Config > Admin Templates > System > User Profiles > Prevent Roaming
Profile Changes to propagate to the server
There you go, you have a mandatory profile environment, which utilizes the
ntuser.dat for certificates and that good roaming stuff, but you have no
folder propagation to the roaming environment.
This will not solve your Outlook config settings however. You will need to
launch the app with a PRF file associated for user settings to be applied.
This will avoid setup for each launch. To get further into the mix on this
one, you should look into a Flex profiling environment. Do a search for Flex
Framework on Google, and head in that direction.
Let us know how you make out!
"Noncentz303" wrote:
The lowdown- I have been tasked with setting up our TS environment so that
when a user logs on they have limited access to the desktop and startbar.
From what I have read this can be accomplished with TS user profiles.
We have a SBS and 2 TS "TS1 and TS2"
I am new at this but this is what I have accomplished so far:
I created a new GPO and a new OU for TS1 and 2
-I created a shared folder on TS1 called TSProfiles
-I created a test user and added it to the new GPO
-I enabled loopback processing
-I enabled admin security group to roaming profiles
-Set the path for TS roaming profiles :\\TS1\TSProfiles * appends username
Then I went to my test user and specified the following profile path:
\\TS1\TSProfile\%username%
- This is where I run into my issues. When I log in a separate folder is
created in my share for each user. I would like to use 1 standard profile for
all users when they log in so that when I make changes they affect all users.
- Also when I log in as admin I cannot view the contents of the folders
because access is denied -- even though I have it set to add user admin when
folder is created
- I also am wondering will I have to set up a static path for every user
depending on what TS they use and specify different paths and redirects for
both servers?
Any help would be appreciated
Antony
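
The hive-cleaning step in cendrars' reply (load ntuser.man under HKEY_USERS and search for the template account name), sketched in PowerShell as an added example that is not part of the thread. It only reports matches so the data can be cleared by hand in regedit; the hive path and the `TSMandatory` mount name are assumptions, and it needs an elevated PowerShell 3.0 or later session working on a copy of the profile.

```powershell
# Added example, not from the thread. Report-only: nothing in the hive is changed.
# Assumed: $HivePath is a working copy of ntuser.man; TSMandatory is a made-up mount name.
param(
    [string]$HivePath    = 'C:\Temp\MandatoryProfile\ntuser.man',
    [string]$AccountName = 'qqqqqqq',
    [string]$MountName   = 'TSMandatory'
)

function Find-IdentityMarker {
    param([string]$Root, [string]$Needle)
    $cmp  = [StringComparison]::OrdinalIgnoreCase
    $keys = @(Get-Item -LiteralPath $Root) +
            @(Get-ChildItem -LiteralPath $Root -Recurse -ErrorAction SilentlyContinue)
    foreach ($key in $keys) {
        # Key names themselves can carry the account name.
        if ($key.Name.IndexOf($Needle, $cmp) -ge 0) {
            [pscustomobject]@{ Key = $key.Name; Value = '(key name)'; Data = '' }
        }
        foreach ($name in $key.GetValueNames()) {
            # Read raw data so %USERPROFILE%-style strings are not expanded to the admin's paths.
            $data = $key.GetValue($name, $null, 'DoNotExpandEnvironmentNames')
            $text = if ($data -is [byte[]]) {
                [Text.Encoding]::Unicode.GetString($data)   # REG_BINARY often holds UTF-16 text
            } else {
                @($data) -join ' '                           # REG_SZ, REG_EXPAND_SZ, REG_MULTI_SZ, DWORD
            }
            if ($text.IndexOf($Needle, $cmp) -ge 0) {
                [pscustomobject]@{ Key = $key.Name; Value = $name; Data = $text }
            }
        }
        $key.Close()
    }
}

& reg.exe load "HKU\$MountName" $HivePath | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg load failed for $HivePath (run elevated)" }
try {
    Find-IdentityMarker -Root "Registry::HKEY_USERS\$MountName" -Needle $AccountName |
        Format-List Key, Value, Data
} finally {
    # Open key handles keep the hive locked; release them before unloading.
    [gc]::Collect(); [gc]::WaitForPendingFinalizers()
    & reg.exe unload "HKU\$MountName" | Out-Null
}
```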