Re-direct Mydocs using Group Policy

Oh man! Ad-blocking software has been detected! :'(

This website is run by the community, for the community... and it needs advertisements in order to keep running. Blocking our ads means your killing our stats!
Please disable your ad-block, or become a premium member to hide all advertisements and this notice.

Aim to please

 

Derek

Are you talking about the local policies on a stand a lone machine or the Domain Group Policy.

Start from the beginning so if I repeat myself then put up with it.

Our school domain is setup so that users do not have access to the local drive, only the mapped drives at login (home folder and for the teachers a drive mapped to their deptartment). This then means that when they log into the domain they cannot install any software onto the machine as they can't see c:\. We also stop the kids from running other apps by enforcing the "Allowed Applications" group policy (as mentioned before). Now from my point of view this means that if an application needs to be installed we have to goto the machine and login locally to it as the local administrator. We have tried to install apps by group policy but as users do not have access to c:\ then when they login they can't write to c:\ and the install fails.

So I think what I am saying is that if you want to let users install software (think licence, ripped off software, games, etc.) then they must be a member of the local administrators group or powerusers group (if pc is not in a domain).

You can find thr Group policies in Active Directories Users & Computers, select the OU that you want to use a GP on, right click, proerties and select Group policy. Whole books have been written on this subject so you will have to experiment with it.

Hope that helps and answers some questions

Cheers

Andrew

 

My Docs is redirected to the users home folder (H:\) with the use of Group Policy. This volume has quotas set on it but the kids were saving stuff to the desktop and as part of the profile it was stored on a differant volume which didn't have quotas enforced. By doing that it means that it can take an age to log on as your desktop is moved from the server. We are now testing redirecting desktops onto a volume with quotas. Works very well and speeds up login times.

I had a good hard look at the login process and found that the network manager uses a small batch file to remove any temp files and to show the Acceptable Use Policy screen, which the users have to agree to. I think the clever bit is when a new user is added, we run a adsi script which adds the user to approiate groups, sets their password and adds drive mappings to the users profile.

Andrew

 

Ok here goes, the way we have directed the My Docs folder is:

First share a folder (called Users Docs for example) on a server with the default permissions. Then open Active Directory Users and Computers and select the OU that you want the GP to apply to. You do not use the Default Domain GP as this applies to all users inc the Administrator, so you will need to make a new GP. This OU must have in it the users who's My Document folder is to be re-directed. The policy you need is in the Users Configuration - Windows setting - folder redirection - my documents. If you right click on the folder and select properties you will get the options for redirecting. This can be done as all users My Docs folders redirected to a share or you can pick out specific groups and redirect them to other folders within the share. As a school, our groups are year groups and staff. If you go down the everyone route then in the drop down box select basic and then browse to the target share. I think a much nicer way, but a bit more work, is to redirect with groups. For that, select advanced and then click add. You are then asked for a group which you can browse for and also a target folder. The syntax which worked for me was \\server_name\Share_name\Group_name\%username%
This puts each group in a folder named the same as the group and the user has a folder named after themselves (does that make sence :? ). I actually made the main share hidden with the old $ sign so that other users can't see it.

This will take effect as son as the group policy has propergated and the user next logs on.

I hope that is about it. Time to do some work and earn a crust.

TTFN

Andrew

 

Here you are one ADSI script
What we do is put the pupils info into a text file called newpupils.txt and run this script. It sets up their logon details, password, year groups they belong to, home folder and mapping and the user profile.

Hope it is of some use


Option Explicit

Const ForReading = 1
Const ADS_UF_DONT_EXPIRE_PASSWD = &H010000

Dim adsDomain, adsUser, fso, tsInputFile, strLine, arrInput
Dim fldUserHomeDir, wshShell,adsGroup,usrFlag

wscript.echo "Started"

Set fso = CreateObject("Scripting.FileSystemObject")

'*****************************************************************
' Open text file containing user info for reading
' Text file format is one line per pupil, fields sep by colon
' Field 0 - logon
' Field 1 - Group (i.e. year of leaving)
' Field 2 - Full name (Surname, forename)
' Field 3 - password
'*****************************************************************

Set tsInputFile = fso.OpenTextFile("c:\ADSI\NewPupils.txt", ForReading, False)
Set wshShell = WScript.CreateObject("WScript.Shell")

'*****************************************************************

'Loop until end of file

While Not tsInputFile.AtEndOfStream

'Read a line of data and split into parts
'NB - Colon character separates each part

strLine = tsInputFile.ReadLine
arrInput = Split(StrLine, ":")


Set adsDomain = GetObject("LDAP://ou=" & arrInput(1) & "OU,ou=,ou=,dc=,dc=")
Set adsUser = adsDomain.Create("user","cn=" & arrInput(0))
adsUser.Put "SAMAccountName", arrInput(0)
adsUser.Put "userPrincipalName", arrInput(0) & "@Your_Domain"


'***************************************************************
'Write newly created object out from property cache
'Read all properties for object
'***************************************************************

adsUser.SetInfo
adsUser.GetInfo

'***************************************************************
'Set the properties for current user
'***************************************************************

adsUser.AccountDisabled = False

if arrinput(1) = "Others" then adsUser.AccountExpirationDate = "1/9/2004" else adsUser.AccountExpirationDate = "1/9/" & arrInput(1)

adsUser.Description = arrInput(2)
adsUser.IsAccountLocked = False
adsUser.LoginScript = "login.bat"
adsUser.Profile = "\\server_name\" & arrInput(1) & "Profiles\" & arrInput(0)
adsUser.PasswordRequired = True
adsUser.DisplayName = arrInput(2)

usrFlag = adsUser.Get ("UserAccountControl")
usrFlag = usrFlag Or ADS_UF_DONT_EXPIRE_PASSWD
adsUser.Put "UserAccountControl", usrFlag

adsUser.HomeDirectory = "\\server_name\" & arrInput(1) & "\" & arrInput(0)
adsUser.Put "homedrive","H:"
adsUser.SetInfo


'***************************************************************
'Create home directory and set full rights for user
'***************************************************************

If Not fso.FolderExists("\\server_name\" & arrInput(1) & "\" & arrInput(0)) Then
Set fldUserHomedir = fso.CreateFolder("\\server_name\" & arrInput(1) & "\" & arrInput(0))
End If

wshShell.Run "cacls \\server_name\" & arrInput(1) & "\" & arrInput(0) & " /e /g " & arrInput(0) & ":F", 1, True

'***************************************************************
'Set password
'***************************************************************

adsUser.SetPassword arrInput(3)

'***************************************************************
'Assign group membership
'****************************************************************

Set adsGroup = GetObject("LDAP://cn=" & arrInput(1) & ",ou=,ou=,dc=,dc=")

adsGroup.add(adsUser.adsPath)


Wend

'*****************************************************************
'Finish off

tsInputFile.Close

Set tsInputFile = Nothing
Set adsUser = Nothing
Set wshShell = Nothing
Set adsDomain = Nothing

wscript.echo "Done"


I have taken the server names out so you wouls have to put them in, and also the domain details.

HTH

Andrew

 

Ok just came across this little gem regarding redirecting folders and a mandatory profile.

As you know if you have a mandatory profile you cannot set your desktop differently as it changes back when you log back on. Whilst this is a good idea, and keep logon times to a minimum, users do like to keep favorites. This is how you can redirect and keep a mandatory profile.

Using the account that you use to set up your mandatory profile, edit the registry.

Search for favorites (note the US spelling) and edit the string from something like: %USERPROFILE%\Favorites

to <drive or unc path>\favorites

This works like a treat and can also be used for cookies etc. There are two similar sections that will need this treatment.

Haven't tryed it yet but will to see how much differance it will make.

Andrew

 

Sorry Si no URL. Got this from another group I'm a member of that deals with public schools and IT.

Have had a look and as far as I understand, you make a user account. Logon locally using this account and add your shortcuts, drive mappings, and wallpaper etc. then edit the registry changing the path to a network share:

HKEY_Current_User\software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
and
HKEY_Local_Machine\software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
and
HKEY_Users\software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders

Copy the profile to a shared folder with Read only rights then it is just a matter of assigning the profile to users. Instructions: http://support.microsoft.com/?kbid=323368

I am trying to write a .ADM file so that we can redirect Favorites (but more importantly Cookies) this through GP and still maintain roaming profiles. Unless someone has already done this of course, and save me all the work.

I'll let you know how I get on.

Andrew