Derek Da Silva said:
Thank you for your post. I have two questions:
1) We have many branches at our office. This particular branch is
being set up in a different way than all of the other branches.
How so?
If I create the default user in the NETLOGON folder, will this affect the
way accounts are created for other branches or just this branch in
particular?
It will affect all users in the domain. But what are you putting in there
that's so unique to this particular branch? Note that most of the stuff you
want to customize for your users/computers ought to be done via group
policy, and you link those at the OU level to ensure that your settings
are appropriate for each location.
The only stuff I do in the Default User profile like that, is stuff I can't
easily control via GPO - such as Windows Explorer views (I like Details and
displaying file extensions), power settings (because non-admins cannot
themselves change this), and so forth. The rest is all via GPO.
2) In terms of security, should all users have access to everyone's
profile? I am hesitant of this because I feel that all users should
have their own privacy. Do you agree with my opinion?
I agree. My boilerplate on roaming profiles is below - if you follow these
steps, only the user & the Administrators group will have access to the
profile folder on the server.
Note that roaming profiles are not always the right tool for the job -
folder redirection via group policy will accomplish 99% of what roaming
profiles do, and you won't have problems with logins (across a WAN link
especially).
General tips:
1. Set up a share on the server. For example - d:\profiles, shared as
profiles$ to make it hidden from browsing. Make sure this share is not set
to allow offline files/caching!
2. Make sure the share permissions on profiles$ indicate everyone=full
control. Set the NTFS security to administrators, system, and users=full
control.
3. In the users' ADUC properties, specify \\server\profiles$\%username% in
the profiles field
4. Have each user log into the domain once from their usual workstation
(where their existing profile lives) and log out. The profile is now
roaming.
5. If you want the administrators group to automatically have permissions to
the profiles folders, you'll need to make the appropriate change in group
policy. Look in computer configuration/administrative templates/system/user
profiles - there's an option to add administrators group to the roaming
profiles permissions.
Notes:
* Make sure users understand that they should never log into multiple
computers at the same time when they have roaming profiles (unless you make
the profiles mandatory by renaming ntuser.dat to ntuser.man so they can't
change them). Explain that the last one out wins, when it comes to
uploading the final, changed copy of the profile.
* Keep your profiles TINY. Redirect My Documents at the very least; usually
best done to the user's home directory on the server - either via
group policy (folder redirection) or manually (far less advisable). If you
aren't going to also redirect the desktop using policies, tell users that
they are not to store any files on the desktop or you will beat them with a
stick. Big profile=slow login/logout, and possible profile corruption.
* Note that user profiles are not compatible between different OS versions,
even between W2k/XP. Keep your workstations as identical as possible -
meaning, OS version is the same, SP level is the same, app load is (as much
as possible) the same.
* Do not let people store any data locally - all data belongs on the server.
* The User Profile Hive Cleanup Utility should be running on all your
computers. You can download it here:
http://www.microsoft.com/downloads/...6D-8912-4E18-B570-42470E2F3582&displaylang=en
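The five setup steps in the reply above, scripted as an added example in PowerShell; this is my code, not something from the original post. It assumes Windows Server 2012 or later with the SmbShare, ActiveDirectory and GroupPolicy modules, that it runs on the file server itself, and that a group named Branch-Users and a GPO named Roaming Profiles already exist (both names are hypothetical placeholders). On step 2 it is deliberately tighter than the post's "users = full control": inheritance on the root folder is disabled and Users get only list and create-folder rights there, so a per-user folder created at first logon is left accessible only to its owner, SYSTEM and (via the step 5 policy) Administrators. The function at the end audits exactly that, which is the privacy property the second question asks about.

```powershell
#Requires -Modules SmbShare, ActiveDirectory, GroupPolicy
# Hypothetical values - adjust to your environment.
$ProfileRoot = 'D:\Profiles'
$ShareName   = 'profiles$'          # trailing $ hides the share from browsing
$Server      = $env:COMPUTERNAME
$UserGroup   = 'Branch-Users'       # assumed: AD group whose members get roaming profiles
$GpoName     = 'Roaming Profiles'   # assumed: existing GPO linked to the workstation OU

# Step 1: folder plus hidden share, with client-side caching (offline files) disabled.
New-Item -Path $ProfileRoot -ItemType Directory -Force | Out-Null
if (-not (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue)) {
    # Share permissions: Everyone = Full Control; NTFS does the real enforcement.
    New-SmbShare -Name $ShareName -Path $ProfileRoot -FullAccess 'Everyone' -CachingMode None | Out-Null
}

# Step 2: NTFS ACL on the root. Inheritance is cut so nothing from D:\ leaks into
# the profile folders, and Users can only list the root and create their own folder.
$acl = Get-Acl -Path $ProfileRoot
$acl.SetAccessRuleProtection($true, $false)            # protect DACL, drop inherited ACEs
foreach ($ace in @($acl.Access | Where-Object { -not $_.IsInherited })) {
    $acl.RemoveAccessRule($ace) | Out-Null
}
$rules = @(
    # identity, rights, inheritance flags, propagation flags
    @('BUILTIN\Administrators', 'FullControl', 'ContainerInherit,ObjectInherit', 'None'),
    @('NT AUTHORITY\SYSTEM',    'FullControl', 'ContainerInherit,ObjectInherit', 'None'),
    @('CREATOR OWNER',          'FullControl', 'ContainerInherit,ObjectInherit', 'InheritOnly'),
    @('BUILTIN\Users',          'ListDirectory,CreateDirectories,ReadAttributes', 'None', 'None')
)
foreach ($r in $rules) {
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        $r[0], $r[1], $r[2], $r[3], 'Allow')))
}
Set-Acl -Path $ProfileRoot -AclObject $acl

# Step 3: point each user's profile path at \\server\profiles$\username.
Get-ADGroupMember -Identity $UserGroup |
    Where-Object { $_.objectClass -eq 'user' } |
    ForEach-Object {
        Set-ADUser -Identity $_.SamAccountName -ProfilePath "\\$Server\$ShareName\$($_.SamAccountName)"
    }

# Step 4 is the users' first logon/logoff from their usual workstation - nothing to script.

# Step 5: Computer Configuration > Administrative Templates > System > User Profiles >
# "Add the Administrators security group to roaming user profiles", as the registry
# value that policy writes.
Set-GPRegistryValue -Name $GpoName -Key 'HKLM\SOFTWARE\Policies\Microsoft\Windows\System' `
    -ValueName 'AddAdminGroupToRPUserProfile' -Type DWord -Value 1 | Out-Null

# Audit: report any profile folder whose ACL grants access to anyone other than its
# owner, SYSTEM and Administrators. Folder is 'username' on W2k/XP and 'username.V2'
# (or later suffix) on newer clients, so the version suffix is stripped before comparing.
function Test-ProfileFolderAcl {
    param([string]$Root = $ProfileRoot)
    $allowed = 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM'
    foreach ($dir in Get-ChildItem -Path $Root -Directory) {
        $user  = $dir.Name -replace '\.V\d+$', ''
        $extra = (Get-Acl -Path $dir.FullName).Access | Where-Object {
            $_.IdentityReference.Value -notin $allowed -and
            $_.IdentityReference.Value -notlike "*\$user"
        }
        if ($extra) {
            [pscustomobject]@{
                Folder           = $dir.Name
                UnexpectedAccess = ($extra.IdentityReference.Value | Sort-Object -Unique) -join ', '
            }
        }
    }
}

Test-ProfileFolderAcl | Format-Table -AutoSize
```

Run Test-ProfileFolderAcl again after users have logged on once; a folder that lists BUILTIN\Users or Everyone means the root ACL was not protected before the profile was created, and the fix is to correct that folder's ACL by hand (or delete it and let the next logoff recreate it) rather than to loosen the root.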