AD and Outlook - working together?

  • Thread starter Duane Lambe

Duane Lambe

Hi, this may be directed to the wrong group, if so please let me know.

Simple setup here, about to get an AD migration happening (about 40
windows users). They've been using the same systems for about 2 years
without a domain, and have a lot of data - namely Outlook data.

Now, once they log onto the domain, they have a whole new profile, yet
still have the other local profile without it (please correct me if
I'm way off). The way I see it, since a lot of these users have
laptops, they'll be using the local account just as often as the AD
account, which I believe means 2 separate PST stores - unsynched -
which doesn't work well, IMO.

Is there an elegant solution to all this? This is a fairly
heavy-into-unix place, but there's still a lot of Windows systems, and
I'd like (no, I need) to get them together for administration. Is it
possible, say, to log into the AD profile without authing against the
server, for instance, so they can still use the same copy of Outlook?

The migration's likely to be the worst part of this all, so if anyone
has any magic links they have stored, I'd appreciate that as well. :)

TIA,
 
Ah, so just for my own clarity, users can still log onto their domain
account if no DC is available (laptop users), because w2k will keep a
cached copy of the profile - fully functional - that they can still
use? Are there any noticeable detriments to the user (i.e. would any
warnings/errors/"things that freak users out" come up)?

Even if so, this is awesome - I can handle the merging of profiles
easily enough, and in fact, it'll be a great opportunity to trash
their neglected profiles and start fresh.

One more question, though
Users should NOT even HAVE an account on their "own" machine.

....meaning they shouldn't have a Machine Local account on the machine,
I believe - but in effect, they still do, with the Domain account (for
all intents & purposes, as far as the user's concerned, etc). Sound
right?

And thanks much for the excellent addendum regarding the local Admin
group - I think a few of our developers will definitely be needing
that one.
 
See inline comments....

Duane Lambe said:
> Ah, so just for my own clarity, users can still log onto their domain
> account if no DC is available (laptop users), because w2k will keep a
> cached copy of the profile - fully functional - that they can still
> use?

Generally yes -- e.g., there are exceptions for "mandatory profiles".

> Are there any noticeable detriments to the user (i.e. would any
> warnings/errors/"things that freak users out" come up)?

There is normally (sometimes, frequently?) a warning that says
(something to the effect) "Authenticating using cached resources;
Access to domain resources may not be available."

It can be repressed and/or timeout set very low.

> Even if so, this is awesome - I can handle the merging of profiles
> easily enough, and in fact, it'll be a great opportunity to trash
> their neglected profiles and start fresh.

Profiles are JUST FILES -- a directory tree. One of those files
is special "NtUser.Dat" and the most likely to cause trouble if
you "just move" it from system to system (but even that CAN
work) because it is registry settings.

Here's what I usually do for MYSELF -- xcopy all the files
taking input from a file called "no.txt" (which contains about
10,000 lines of "n"s to answer the "Do you want to overwrite
this file?"). Sometimes I do it the other way around (easier) by
copying all the NEW profile over the old, then the old over the
new with /Y (overwrite.)

> One more question, though
>
> ...meaning they shouldn't have a Machine Local account on the machine,

Right -- (exceptions exist but should be justified on a case-by-case basis
with a SIGNIFICANT positive reason.)

> I believe - but in effect, they still do, with the Domain account (for
> all intents & purposes, as far as the user's concerned, etc). Sound
> right?

Notice we are saying the same thing -- they have an account that can
ACCESS their machine but not one ON their machine.

> And thanks much for the excellent addendum regarding the local Admin
> group - I think a few of our developers will definitely be needing
> that one.

Yes, and it eliminated almost all of the exceptions to "no local account".

Also note that users INCLUDING Admins shouldn't log onto their machine
with an Admin account MOST/ALL of the time but this is a nearly
impossible habit for most people to break.

Admins and developers really should have 2 accounts (keep them in the
domain) and make ONLY UserTheAdmin).

Then all admin work should be done with either a "Terminal Server" login
to the (same) machine OR with "Runas".
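
One way to check a workstation against the "no machine-local accounts" rule and the local Admin group advice discussed in this thread. This is an added example, not code from any poster; it assumes the `Get-LocalUser` and `Get-LocalGroupMember` cmdlets of Windows PowerShell 5.1 or later, which postdate the Windows 2000 systems in the thread, and `Get-Rid` is a helper name made up for the example.

```powershell
# Added example (not from the thread). Run elevated on the workstation being checked.
# Assumes the Microsoft.PowerShell.LocalAccounts module (Windows PowerShell 5.1+).

# Well-known RIDs of built-in local accounts:
# 500 Administrator, 501 Guest, 503 DefaultAccount, 504 WDAGUtilityAccount
$builtinRids = 500, 501, 503, 504

# Hypothetical helper: last component of a SID is the relative identifier (RID).
function Get-Rid($sid) { [long](($sid.Value -split '-')[-1]) }

# 1. Enabled machine-local user accounts beyond the built-ins.
#    Under the thread's rule this list should be empty.
$extraLocalUsers = @(Get-LocalUser | Where-Object {
    $_.Enabled -and ($builtinRids -notcontains (Get-Rid $_.SID))
})

# 2. Members of local Administrators, looked up by the well-known SID
#    S-1-5-32-544 so the query also works on localized installs.
$admins = @(Get-LocalGroupMember -SID 'S-1-5-32-544')

# Local user accounts holding admin rights, other than built-in Administrator.
$localAdmins = @($admins | Where-Object {
    $_.PrincipalSource -eq 'Local' -and
    $_.ObjectClass -eq 'User' -and
    (Get-Rid $_.SID) -ne 500
})

# Domain principals granted local admin (the pattern the thread recommends
# for developers who need it). Listed for review, not treated as a violation.
$domainAdmins = @($admins | Where-Object { $_.PrincipalSource -eq 'ActiveDirectory' })

[pscustomobject]@{
    Computer              = $env:COMPUTERNAME
    ExtraLocalUsers       = @($extraLocalUsers | ForEach-Object { $_.Name })
    LocalAccountAdmins    = @($localAdmins     | ForEach-Object { $_.Name })
    DomainPrincipalAdmins = @($domainAdmins    | ForEach-Object { $_.Name })
    Compliant             = ($extraLocalUsers.Count -eq 0) -and ($localAdmins.Count -eq 0)
}
```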
 