Week 12: Nov 26

    * Delegation of OU authority
        acting as administrator from another machine??
    * blocking inheritance
        done to OUs not GPOs!!
        done in Group Policy for OUs (and domains)
    * Administrative templates
    * roaming profiles

================================================

Shell variables to know about

%USERNAME%      pld
%USERPROFILE%   c:\Documents and Settings\pld
%SYSTEMROOT%    C:\windows
%LOGONSERVER%   \\valhal2 (or \\winserver01)

================================================

ROAMING PROFILES
================

WHY ISN'T FOLDER REDIRECTION WORKING????
And it's not: if I log in as "peter2", My Documents is on the local drive
and NOT on the network. Oops.

ok: it only works for NEW accounts, not accounts with preexisting My Documents
at the time the redirection policy was put in place.

Roaming info:
http://technet2.microsoft.com/WindowsServer/en/library/b41402c2-c982-4bfb-891e-91b47f211e181033.mspx?mfr=true

General strategy: roam only NTUSER.DAT; the folders should be REDIRECTED!!

if you roam to \\server\share\pld, then that's where NTUSER.DAT goes,
and you should then redirect My_Documents to \\server\share\pld\My_Documents

profile path: \\winserver01\homes\%USERNAME%

Note from MS:
To change a user’s local profile to a roaming profile for a user who uses
multiple computers simultaneously, the user must log off last from the
computer that has the profile that the user wants to use.

Why would this be?
because on logoff, the local profile is copied to the server!

Disabling roaming profiles on certain computers (eg teacher machine)

Demos of roaming: note that it's set in the account preferences,
*not* by Group Policy.

Where do all these settings in c:\homes\%USERNAME% appear?
What controls them???

creation of an account by a SCRIPT: faster, but some details are mysterious

add_roamer.vbs

cscript add_roamer.vbs labusers zane '\\winserver01\homes'

'usage: add_roamer OU user RoamerRoot
set Args = Wscript.Arguments
ouName = Args(0)
usrName = Args(1)
RUProot = Args(2)
'roaming profile path is <RoamerRoot>\<user>
RUPpath = RUProot & "\" & usrName

'Get the domain
Set dse = GetObject("LDAP://RootDSE")
Set domain = GetObject("LDAP://" & dse.Get("defaultNamingContext"))
'Wscript.echo "dse: " & dse
Wscript.echo "domain: " & domain.Name

set ou = domain.GetObject("organizationalUnit", "OU=" & ouName)
wscript.echo "Creating user in " & ou.Name

set usr = ou.Create("user", "cn=" & usrName)
usr.Put "samAccountName", usrName
usr.Put "userPrincipalName", usrName
usr.Put "Profilepath", RUPpath
'first SetInfo creates the object in the directory
usr.SetInfo

'enable the account; the initial password is the same string as the user name
usr.AccountDisabled = false
usr.SetPassword usrName
usr.SetInfo

wscript.echo " User " & usrName & " was created successfully in " & ou.Name & " with a RUP Path of: " & RUPpath

=================================================

Delegation of OU authority: done to GROUPS (or users)

Can select what operations you wish to permit

===============================================

GPOs, OUs, and blocking inheritance

do it in Properties of domain/OU

Enforced setting: same as "no override"

=================================================

Administrative Templates

=================================================

Look through gpo settings for "show/hide extensions"

/HKCU/Software/Microsoft/Windows/CurrentVersion/Explorer/Advanced/HideFileExt

Administrative Templates: *.adm
    -- bunch of settings
    -- can be imported into a GPO

Here it is:

CLASS USER
CATEGORY "Hide File Extensions"
    POLICY "Hide file extensions"
        KEYNAME "Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
        VALUENAME "HideFileExt"
        VALUEON NUMERIC 1
        VALUEOFF NUMERIC 0
    END POLICY
END CATEGORY

To add:
    * edit some gpo
    * right-click on User Conf => Admin Templates, select Add/Remove Templates
    * then click Add button
    * now, Hide File Extensions should be there.
        -- my simple example:
        -- need to change filtering
        -- look at how to enable or disable

Note that, using this approach, we can use GPO to set ANY registry entries.

==========================================
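
The template above writes outside the registry trees that Group Policy treats as managed, which is why the editor's filtering has to be changed before the setting shows up. The Python sketch below is an added example, not part of the original notes: it parses the small .adm subset used here and reports each policy's registry target and whether it lands in a managed Policies tree. The second policy in the sample and its ExampleCorp key are constructed placeholders.

```python
# Registry trees Group Policy treats as fully managed. Values written anywhere
# else are "preferences": they stay in the registry after the GPO stops applying.
MANAGED = ("software\\policies\\",
           "software\\microsoft\\windows\\currentversion\\policies\\")
# First policy is the template from the notes; the second is constructed for
# contrast and its key name (ExampleCorp) is a placeholder.
SAMPLE = r'''
CLASS USER
CATEGORY "Hide File Extensions"
  POLICY "Hide file extensions"
    KEYNAME "Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
    VALUENAME "HideFileExt"
    VALUEON NUMERIC 1
    VALUEOFF NUMERIC 0
  END POLICY
  POLICY "Constructed managed setting"
    KEYNAME "Software\Policies\ExampleCorp\Demo"
    VALUENAME "Enabled"
    VALUEON NUMERIC 1
  END POLICY
END CATEGORY
'''

def parse_adm(text):
    """Return one dict per POLICY block, with its registry target."""
    policies, hive, pol = [], None, None
    for raw in text.splitlines():
        word, _, rest = raw.strip().partition(" ")
        word, arg = word.upper(), rest.strip().strip('"')
        if word == "CLASS":                      # CLASS USER or CLASS MACHINE
            hive = "HKCU" if arg.upper() == "USER" else "HKLM"
        elif word == "POLICY":
            pol = {"hive": hive, "name": arg}
        elif pol is not None and word in ("KEYNAME", "VALUENAME"):
            pol[word.lower()] = arg
        elif pol is not None and word in ("VALUEON", "VALUEOFF"):
            kind, _, val = arg.partition(" ")    # e.g. "NUMERIC 1"
            pol[word.lower()] = int(val) if kind.upper() == "NUMERIC" else arg
        elif pol is not None and word == "END" and arg.upper() == "POLICY":
            key = pol.get("keyname", "").lower().rstrip("\\") + "\\"
            pol["managed"] = key.startswith(MANAGED)
            policies.append(pol)
            pol = None
    return policies

def describe(pol):
    kind = "managed policy" if pol["managed"] else "preference: persists, filtered from view"
    return "{hive}\\{keyname}\\{valuename} [".format(**pol) + kind + "]"

for p in parse_adm(SAMPLE):
    print(describe(p))
```

Running it over a custom .adm before importing it into a GPO shows exactly which registry values the template can set and which of them will remain after the GPO no longer applies.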