Week 10: Nov 12

Discuss CSED 431 meeting time
Discuss filtering software

=========================================
Getting Folder Redirection to work!!

More on roaming profiles
    Works fine now. What did I forget last time?
    Note little icon in My Documents

Folder redirection: set using GP
    Can redirect: My Documents, App data, desktop, start menu
        My Documents/My Pictures

Versus Roaming profiles:
    Roaming profiles are DOWNLOADED at start and UPLOADED at end.

Compare: mapping (with logon scripts) the H: drive to
    \\winserver\homes\%USERNAME%

Some issues with what happens when policy is disabled:
    generally, you want user to have continued access.
    Usually, best approach is to figure out how to copy data to where it's moving to.

Permissions
    "Sometimes, even though it is not recommended, administrators create
    the redirected folders before Folder Redirection creates them."
    Microsoft punishes such wicked Administrators by making sure nothing works.

    Creator/owner: needs full control
        This means that once something is created, the owner has full control of it.
    Need permission to create folders in /home
    LocalSystem must have Full Control.

versus ROAMING PROFILES: done in user properties box in AD

==========================================================
Adding a GPO by installing it from backup: demo on winserver02??

==========================================
gpresult: figures out effective GPO settings on client machine
    pairs with gpupdate

=====================
Logging on to our previous CommonScenarios accounts

=============
How to let taylor log on to the domain controller itself
(to let us try out domain user settings without adding a client machine).

1. Create a group, DC LOGON, in folder "users" in AD Users and Computers
2. Edit local domain policy in Group Policy Management,
       Default Domain Policy
       => Computer Configuration
       => Windows Settings
       => Security Settings
       => Local Policies
       => User Rights Assignment
       => Allow log on locally
   Add "Administrators" and "DC LOGON"
3. Make sure your prospective user is in group DC LOGON

Now you can log on to your server to do stuff

winserver01 account: taylor the teacher

==========================================================
Profile folders:
    Redirectable:
        Application Data
        Desktop
        My Documents
        Start Menu
    NTUSER.DAT
        Plus, lots of SETTINGS are stored in the registry, the "hive" for which is NTUSER.DAT.
    Also:
        Cookies
        Favorites
        Local Settings
        Temp
        Internet Cache

Classic profiles:
    Local
    Roaming: on server, PLUS cached copy on any local machine you use.
    Mandatory: can be changed, but resets on logoff

Group Policy makes Mandatory profiles obsolete.

Redirected folders: NOT automatically cached on local machine.

=============================================================
User profiles:

Problem: how do we set some default entries for a user?
    MS Shared Computer Toolkit says to log into each account to make settings
    There HAS to be a better way!

See http://isg.ee.ethz.ch/tools/realmen/det/skel.en.html
    for good ties to registry settings

The profile is the ENTIRE directory
All folders can be redirected, not just four.

These don't get roamed:
    Local Settings
    Temp

=============================================================
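
The permissions listed in the Folder Redirection notes above (creator/owner full control, users able to create folders in the root, LocalSystem full control), applied to the root of the homes share as an added PowerShell example that is not part of the original notes. It assumes D:\homes is the local path behind \\winserver\homes and that per-user folders are named %USERNAME%, and it adds an Administrators entry the notes do not list; the last part reports folders whose owner is not the user, as happens when an administrator pre-creates them.

```powershell
# Added example; run from an elevated PowerShell prompt on the file server.
# Assumption: D:\homes is the local folder shared as \\winserver\homes.
$Root = 'D:\homes'

function New-AllowRule($Who, $Rights, $Inherit, $Propagate) {
    New-Object System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $Who, $Rights, $Inherit, $Propagate, 'Allow'
}

$both   = 'ContainerInherit,ObjectInherit'   # this folder, subfolders and files
$create = 'ListDirectory,CreateDirectories,ReadAttributes,Traverse'

$acl = Get-Acl -Path $Root
# Stop inheriting from the parent and drop the inherited entries.
$acl.SetAccessRuleProtection($true, $false)
# Remove explicit entries left over from earlier setups.
foreach ($old in @($acl.Access | Where-Object { -not $_.IsInherited })) {
    [void]$acl.RemoveAccessRule($old)
}

# LocalSystem must have Full Control.
$acl.AddAccessRule((New-AllowRule 'NT AUTHORITY\SYSTEM' 'FullControl' $both 'None'))
# Not in the notes: keeps the share manageable by administrators (assumption).
$acl.AddAccessRule((New-AllowRule 'BUILTIN\Administrators' 'FullControl' $both 'None'))
# Creator/owner: Full Control of what it creates. InheritOnly means the entry
# applies to subfolders and files, not to the root itself.
$acl.AddAccessRule((New-AllowRule 'CREATOR OWNER' 'FullControl' $both 'InheritOnly'))
# Users may list the root and create a folder in it (this folder only), so
# they cannot read each other's folders through an inherited entry.
$acl.AddAccessRule((New-AllowRule 'NT AUTHORITY\Authenticated Users' $create 'None' 'None'))

Set-Acl -Path $Root -AclObject $acl

# Audit: each per-user folder should be owned by the user it is named after.
# A folder pre-created by an administrator shows the administrator as owner.
Get-ChildItem -Path $Root -Directory | ForEach-Object {
    $owner = (Get-Acl -Path $_.FullName).Owner        # e.g. DOMAIN\taylor
    [pscustomobject]@{
        Folder       = $_.Name
        Owner        = $owner
        OwnerMatches = (($owner -split '\\')[-1] -eq $_.Name)
    }
} | Format-Table -AutoSize
```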