Re-direct Mydocs using Group Policy

Discussion in 'Networks' started by SimonV, Aug 5, 2003.

  1. AJ

    AJ 01000001 01100100 01101101 01101001 01101110 Administrator

    6,904
    171
    221
    Aim to please

    :D :D :D
     
    Certifications: MCSE, MCSA (messaging), ITIL Foundation v3
    WIP: Breathing in and out, but not out and in, that's just wrong
  2. Nelix
    Honorary Member

    Nelix Gigabyte Poster

    1,416
    3
    82
    Andrew

    I have only touched on local policies as I am only studying the 70-210 exam at present. How would I amend the group policies that are in force at present, as some people at work need to be able to install software for testing purposes, and it would be handy to know for when the Network admin leaves (I find it hard to understand why he is still there after he has resigned, but that's another story)?

    P.S. layman's terms please
     
    Certifications: A+, 70-210, 70-290, 70-291, 74-409, 70-410, 70-411, 70-337, 70-347
    WIP: 70-346
  3. AJ

    AJ 01000001 01100100 01101101 01101001 01101110 Administrator

    6,904
    171
    221
    Derek

    Are you talking about the local policies on a stand-alone machine or the Domain Group Policy?

    Start from the beginning so if I repeat myself then put up with it.

    Our school domain is set up so that users do not have access to the local drive, only the mapped drives at login (home folder and, for the teachers, a drive mapped to their department). This then means that when they log into the domain they cannot install any software onto the machine as they can't see c:\. We also stop the kids from running other apps by enforcing the "Allowed Applications" group policy (as mentioned before). Now from my point of view this means that if an application needs to be installed we have to go to the machine and log in locally to it as the local administrator. We have tried to install apps by group policy but as users do not have access to c:\ then when they log in they can't write to c:\ and the install fails.

    So I think what I am saying is that if you want to let users install software (think licence, ripped off software, games, etc.) then they must be a member of the local Administrators group or Power Users group (if the PC is not in a domain).

    You can find the Group Policies in Active Directory Users & Computers: select the OU that you want to use a GP on, right click, Properties and select Group Policy. Whole books have been written on this subject so you will have to experiment with it.

    Hope that helps and answers some questions

    Cheers

    Andrew
     
    Certifications: MCSE, MCSA (messaging), ITIL Foundation v3
    WIP: Breathing in and out, but not out and in, that's just wrong
  4. SimonV
    Honorary Member

    SimonV Petabyte Poster

    6,652
    179
    258
    Cheers Andrew,

    I've about got the same kind of setup; the only difference is I've implemented a mandatory profile instead of roaming or local profiles. This means that any changes they make to the profile will be wiped when they log off, and the amount of space needed is only the size of one profile.

    I'd be interested in what you have in your logon script and how you redirect the My Docs. Do you redirect the My Docs using the GP or in the profile? With us using the mandatory profile the My Docs is redirected to J: as this is a mapped drive to the user's home folder with a login script.

    SimonV
     
    Last edited: Jan 2, 2015
    Certifications: MOS Master 2003, CompTIA A+, MCSA:M, MCSE
    WIP: Keeping CF Alive...
  5. AJ

    AJ 01000001 01100100 01101101 01101001 01101110 Administrator

    6,904
    171
    221
    My Docs is redirected to the user's home folder (H:\) with the use of Group Policy. This volume has quotas set on it, but the kids were saving stuff to the desktop and, as part of the profile, it was stored on a different volume which didn't have quotas enforced. By doing that it means that it can take an age to log on as your desktop is moved from the server. We are now testing redirecting desktops onto a volume with quotas. Works very well and speeds up login times.

    I had a good hard look at the login process and found that the network manager uses a small batch file to remove any temp files and to show the Acceptable Use Policy screen, which the users have to agree to. I think the clever bit is when a new user is added: we run an ADSI script which adds the user to the appropriate groups, sets their password and adds drive mappings to the user's profile.

    Andrew
     
    Certifications: MCSE, MCSA (messaging), ITIL Foundation v3
    WIP: Breathing in and out, but not out and in, that's just wrong
  6. SimonV
    Honorary Member

    SimonV Petabyte Poster

    6,652
    179
    258
    I could do with your help on this Andrew. I tried this but couldn't get it to work so chose to use the profile to redirect it.

    That's why we went for the mandatory profile. Anything saved to the desktop is not saved as the profile is read only. The kids didn't like that to start with but they soon learnt.

    SimonV
     
    Last edited: Jan 2, 2015
    Certifications: MOS Master 2003, CompTIA A+, MCSA:M, MCSE
    WIP: Keeping CF Alive...
  7. AJ

    AJ 01000001 01100100 01101101 01101001 01101110 Administrator

    6,904
    171
    221
    Ok, here goes. The way we have redirected the My Docs folder is:

    First share a folder (called Users Docs for example) on a server with the default permissions. Then open Active Directory Users and Computers and select the OU that you want the GP to apply to. You do not use the Default Domain GP as this applies to all users, including the Administrator, so you will need to make a new GP. This OU must have in it the users whose My Documents folder is to be redirected. The policy you need is in User Configuration - Windows Settings - Folder Redirection - My Documents. If you right click on the folder and select Properties you will get the options for redirecting. This can be done with all users' My Docs folders redirected to a share, or you can pick out specific groups and redirect them to other folders within the share. As a school, our groups are year groups and staff.

    If you go down the everyone route then in the drop down box select Basic and then browse to the target share. I think a much nicer way, but a bit more work, is to redirect with groups. For that, select Advanced and then click Add. You are then asked for a group, which you can browse for, and also a target folder. The syntax which worked for me was \\server_name\Share_name\Group_name\%username%

    This puts each group in a folder named the same as the group and the user has a folder named after themselves (does that make sense :? ). I actually made the main share hidden with the old $ sign so that other users can't see it.

    This will take effect as soon as the group policy has propagated and the user next logs on.

    I hope that is about it. Time to do some work and earn a crust.

    TTFN

    Andrew
     
    Certifications: MCSE, MCSA (messaging), ITIL Foundation v3
    WIP: Breathing in and out, but not out and in, that's just wrong
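Added example, not from the thread or either poster: a PowerShell script that builds the hidden redirection share described in the post above, but with least-privilege NTFS rights instead of the default permissions, so members of a group can only create their own %username% folder and cannot open other users' folders. Assumed names: D:\UsersDocs on the file server, share UsersDocs$, groups Year2006 and Staff in a domain called DOMAIN; it needs the SmbShare module (Windows Server 2012 or later) and an elevated session.

```powershell
# Added example (not the thread's own setup): create the redirection share
# root with per-group subfolders and a least-privilege NTFS ACL.
$Root   = 'D:\UsersDocs'                 # assumed local path on the file server
$Share  = 'UsersDocs$'                   # trailing $ hides the share from browsing only;
                                         # it is not a security control, the ACL below is
$Groups = @('Year2006', 'Staff')         # constructed sample group names
$Domain = 'DOMAIN'                       # assumed NetBIOS domain name

New-Item -ItemType Directory -Path $Root -Force | Out-Null
foreach ($g in $Groups) {
    New-Item -ItemType Directory -Path (Join-Path $Root $g) -Force | Out-Null
}

# Share level: Authenticated Users Full Control; NTFS does the real gating.
if (-not (Get-SmbShare -Name $Share -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $Share -Path $Root -FullAccess 'Authenticated Users' | Out-Null
}

function Set-RedirectionAcl {
    # Replace inherited rights on a group folder with the Folder Redirection
    # pattern: the group may list the folder and create one subfolder (this
    # folder only); CREATOR OWNER then owns whatever it created.
    param([string]$Folder, [string]$Group)
    $acl = Get-Acl -Path $Folder
    $acl.SetAccessRuleProtection($true, $false)   # drop inherited ACEs
    $rules = @(
        # identity, rights, inheritance, propagation, type
        @('BUILTIN\Administrators', 'FullControl', 'ContainerInherit,ObjectInherit', 'None',        'Allow'),
        @('NT AUTHORITY\SYSTEM',    'FullControl', 'ContainerInherit,ObjectInherit', 'None',        'Allow'),
        @('CREATOR OWNER',          'FullControl', 'ContainerInherit,ObjectInherit', 'InheritOnly', 'Allow'),
        @($Group, 'ListDirectory,CreateDirectories,ReadAttributes,Synchronize', 'None', 'None', 'Allow')
    )
    foreach ($r in $rules) {
        $ace = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $r
        $acl.AddAccessRule($ace)
    }
    Set-Acl -Path $Folder -AclObject $acl
}

foreach ($g in $Groups) {
    Set-RedirectionAcl -Folder (Join-Path $Root $g) -Group "$Domain\$g"
}
```

With this layout the Folder Redirection target for each group is \\server\UsersDocs$\Group_name\%username%, as in the post; the client extension creates the %username% folder as the logging-on user, who becomes CREATOR OWNER of it.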
  8. Nelix
    Honorary Member

    Nelix Gigabyte Poster

    1,416
    3
    82
    Any chance of you pasting that ADSI script?
     
    Certifications: A+, 70-210, 70-290, 70-291, 74-409, 70-410, 70-411, 70-337, 70-347
    WIP: 70-346
  9. SimonV
    Honorary Member

    SimonV Petabyte Poster

    6,652
    179
    258
    Cheers Andrew. The problem I was having was that when I came to the school the network was Win98 :( so SLOWLY I've been upgrading to 2k and XP. As this is the case the users already had a shared folder that they used and had to navigate to every time they saved.

    What I did was to implement a small batch script that mapped the drive for them to J:, but now we have half Win98 and half NT based I was wanting to redirect the My Docs to J:, but using the method above it doesn't work. I've had it working your way but this means it will create a new My Docs folder and .....ohh it just gets too messy.

    What I wanted was to redirect My Docs to the mapped J: but I'm not having much luck. The best way I've found is with the use of the mandatory profile, as this is a single profile that I created that has the My Docs redirected by changing the My Docs properties within the profile.

    I guess what I'm asking is can I do it another way, maybe with a script or batch file. Anyone any ideas?
    :cry:
    SimonV
     
    Last edited: Jan 2, 2015
    Certifications: MOS Master 2003, CompTIA A+, MCSA:M, MCSE
    WIP: Keeping CF Alive...
  10. AJ

    AJ 01000001 01100100 01101101 01101001 01101110 Administrator

    6,904
    171
    221
    Here you are, one ADSI script.
    What we do is put the pupils' info into a text file called newpupils.txt and run this script. It sets up their logon details, password, year groups they belong to, home folder and mapping, and the user profile.

    Hope it is of some use


    Option Explicit

    Const ForReading = 1
    Const ADS_UF_DONT_EXPIRE_PASSWD = &H010000

    Dim adsDomain, adsUser, fso, tsInputFile, strLine, arrInput
    Dim fldUserHomeDir, wshShell, adsGroup, usrFlag

    WScript.Echo "Started"

    Set fso = CreateObject("Scripting.FileSystemObject")

    '*****************************************************************
    ' Open text file containing user info for reading
    ' Text file format is one line per pupil, fields separated by colon
    ' Field 0 - logon
    ' Field 1 - Group (i.e. year of leaving)
    ' Field 2 - Full name (Surname, forename)
    ' Field 3 - password
    '*****************************************************************

    Set tsInputFile = fso.OpenTextFile("c:\ADSI\NewPupils.txt", ForReading, False)
    Set wshShell = WScript.CreateObject("WScript.Shell")

    '*****************************************************************
    ' Loop until end of file
    '*****************************************************************

    While Not tsInputFile.AtEndOfStream

        ' Read a line of data and split into parts
        ' NB - Colon character separates each part
        strLine = tsInputFile.ReadLine
        arrInput = Split(strLine, ":")

        ' Skip blank or short lines so a stray newline in the file does
        ' not stop the run with a "Subscript out of range" error
        If UBound(arrInput) >= 3 Then

            ' Bind to the year-group OU and create the user object
            Set adsDomain = GetObject("LDAP://ou=" & arrInput(1) & "OU,ou=,ou=,dc=,dc=")
            Set adsUser = adsDomain.Create("user", "cn=" & arrInput(0))
            adsUser.Put "sAMAccountName", arrInput(0)
            adsUser.Put "userPrincipalName", arrInput(0) & "@Your_Domain"

            ' Write newly created object out from property cache,
            ' then read all properties back for the object
            adsUser.SetInfo
            adsUser.GetInfo

            ' Set the properties for the current user
            adsUser.AccountDisabled = False

            ' "Others" is the catch-all group; year groups hold the leaving year
            If arrInput(1) = "Others" Then
                adsUser.AccountExpirationDate = "1/9/2004"
            Else
                adsUser.AccountExpirationDate = "1/9/" & arrInput(1)
            End If

            adsUser.Description = arrInput(2)
            adsUser.IsAccountLocked = False
            adsUser.LoginScript = "login.bat"
            adsUser.Profile = "\\server_name\" & arrInput(1) & "Profiles\" & arrInput(0)
            adsUser.PasswordRequired = True
            adsUser.DisplayName = arrInput(2)

            ' Set the "password never expires" bit in userAccountControl
            usrFlag = adsUser.Get("userAccountControl")
            usrFlag = usrFlag Or ADS_UF_DONT_EXPIRE_PASSWD
            adsUser.Put "userAccountControl", usrFlag

            adsUser.HomeDirectory = "\\server_name\" & arrInput(1) & "\" & arrInput(0)
            adsUser.Put "homeDrive", "H:"
            adsUser.SetInfo

            ' Create home directory and grant the user full rights on it
            If Not fso.FolderExists("\\server_name\" & arrInput(1) & "\" & arrInput(0)) Then
                Set fldUserHomeDir = fso.CreateFolder("\\server_name\" & arrInput(1) & "\" & arrInput(0))
            End If

            ' Window style 1, wait for cacls to finish before the next user
            wshShell.Run "cacls \\server_name\" & arrInput(1) & "\" & arrInput(0) & " /e /g " & arrInput(0) & ":F", 1, True

            ' Set password (held in clear text in field 3 of the input file)
            adsUser.SetPassword arrInput(3)

            ' Assign group membership
            Set adsGroup = GetObject("LDAP://cn=" & arrInput(1) & ",ou=,ou=,dc=,dc=")
            adsGroup.Add adsUser.ADsPath

        End If

    Wend

    '*****************************************************************
    ' Finish off
    '*****************************************************************

    tsInputFile.Close

    Set tsInputFile = Nothing
    Set adsUser = Nothing
    Set wshShell = Nothing
    Set adsDomain = Nothing

    WScript.Echo "Done"


    I have taken the server names out so you would have to put them in, and also the domain details.

    HTH

    Andrew
     
    Certifications: MCSE, MCSA (messaging), ITIL Foundation v3
    WIP: Breathing in and out, but not out and in, that's just wrong
  11. AJ

    AJ 01000001 01100100 01101101 01101001 01101110 Administrator

    6,904
    171
    221
    Ok, just came across this little gem regarding redirecting folders and a mandatory profile.

    As you know, if you have a mandatory profile you cannot set your desktop differently as it changes back when you log back on. Whilst this is a good idea, and keeps logon times to a minimum, users do like to keep favorites. This is how you can redirect and keep a mandatory profile.

    Using the account that you use to set up your mandatory profile, edit the registry.

    Search for favorites (note the US spelling) and edit the string from something like: %USERPROFILE%\Favorites

    to <drive or unc path>\favorites

    This works like a treat and can also be used for cookies etc. There are two similar sections that will need this treatment.

    Haven't tried it yet but will to see how much difference it will make.

    Andrew
     
    Certifications: MCSE, MCSA (messaging), ITIL Foundation v3
    WIP: Breathing in and out, but not out and in, that's just wrong
  12. SimonV
    Honorary Member

    SimonV Petabyte Poster

    6,652
    179
    258
    This could be a useful little hack Andrew, but let me get this straight. Do you hack the mandatory profile or the local machine for this to work? Did you find it on the net? Do you have a URL?

    Thanks for the heads up.

    SimonV
     
    Last edited: Jan 2, 2015
    Certifications: MOS Master 2003, CompTIA A+, MCSA:M, MCSE
    WIP: Keeping CF Alive...
  13. AJ

    AJ 01000001 01100100 01101101 01101001 01101110 Administrator

    6,904
    171
    221
    Sorry Si no URL. Got this from another group I'm a member of that deals with public schools and IT.

    Have had a look and, as far as I understand, you make a user account. Log on locally using this account and add your shortcuts, drive mappings, wallpaper etc., then edit the registry changing the path to a network share:

    HKEY_Current_User\software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
    and
    HKEY_Local_Machine\software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
    and
    HKEY_Users\software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders

    Copy the profile to a shared folder with Read only rights then it is just a matter of assigning the profile to users. Instructions: http://support.microsoft.com/?kbid=323368

    I am trying to write a .ADM file so that we can redirect Favorites (but more importantly Cookies) through GP and still maintain roaming profiles. Unless someone has already done this of course, and saves me all the work.

    I'll let you know how I get on.

    Andrew
     
    Certifications: MCSE, MCSA (messaging), ITIL Foundation v3
    WIP: Breathing in and out, but not out and in, that's just wrong
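Added example, not from the thread or either poster: a PowerShell version of the registry edit described in the last two posts. It rewrites the Favorites and Cookies entries under the HKCU User Shell Folders key as REG_EXPAND_SZ values pointing at a network share, then lists every shell folder that no longer resolves under %USERPROFILE% so the change can be checked before the profile is copied to the read-only share. Assumed target: \\server_name\UsersDocs$\%USERNAME%; run it in the account used to build the mandatory profile.

```powershell
# Added example (not the posters' own steps): redirect Favorites and Cookies via
# the per-user User Shell Folders key and report what is redirected.
$Key    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'
$Target = '\\server_name\UsersDocs$\%USERNAME%'   # assumed share; %USERNAME% expands at use

function Set-RedirectedShellFolder {
    param([string]$Name, [string]$Path)
    # REG_EXPAND_SZ keeps %USERNAME% unexpanded in the stored value, so the one
    # mandatory profile yields a different path for every user who loads it.
    Set-ItemProperty -Path $Key -Name $Name -Value $Path -Type ExpandString
}

function Get-RedirectedShellFolders {
    # Read the raw (unexpanded) strings so %USERPROFILE% is still visible and
    # flag any entry that has been pointed somewhere else.
    $reg = Get-Item -Path $Key
    foreach ($name in $reg.GetValueNames()) {
        $raw = $reg.GetValue($name, $null, 'DoNotExpandEnvironmentNames')
        [pscustomobject]@{
            Name       = $name
            RawValue   = $raw
            Expanded   = [Environment]::ExpandEnvironmentVariables($raw)
            Redirected = -not ($raw -like '%USERPROFILE%*')
        }
    }
}

Set-RedirectedShellFolder -Name 'Favorites' -Path "$Target\Favorites"
Set-RedirectedShellFolder -Name 'Cookies'   -Path "$Target\Cookies"

# Show only the entries that now live off the local profile.
Get-RedirectedShellFolders | Where-Object Redirected | Format-Table Name, RawValue, Expanded -AutoSize
```

Because the value is stored per user under HKCU, the edit travels with the profile: it is the profile copied to the share, not the local machine, that carries it.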
