If this is your first visit, be sure to check out the FAQ by clicking the link above. You may have to register before you can post: click the register link above to proceed. To start viewing messages, select the forum that you want to visit from the selection below. |
|
|
Thread Tools | Display Modes |
#1
|
|||
|
|||
Default Administrator account as roaming profile?
Is it possible for the default Administrator account to be set as a roaming
profile on a home server? With multiple PCs on a home network (each with its default Administrator account), I would obviously want all of those to become one roaming account and want to know if it's possible; and if so, how to 'merge' the accounts when changing to roaming profile - and how this is safely processed. |
Ads |
#2
|
|||
|
|||
Default Administrator account as roaming profile?
daztrue wrote:
Is it possible for the default Administrator account to be set as a roaming profile on a home server? With multiple PCs on a home network (each with its default Administrator account), I would obviously want all of those to become one roaming account and want to know if it's possible; and if so, how to 'merge' the accounts when changing to roaming profile - and how this is safely processed. If you don't use AD, there are no roaming profiles possible. |
#3
|
|||
|
|||
Default Administrator account as roaming profile?
My instant reaction was "What's AD?", but from a combination of another forum
discussion and the help file I'm guessing yo're referring to Active Directory? I certainly don't have roaming profiles at the moment as I have no server, but am on the verge of getting one. I've been studying about Group Policy but need to familiarise myself more with the setting up of OUs, domain and Active Directory. Plus, of course, my original question. If you can help that'd be great! "Lanwench [MVP - Exchange]" wrote: daztrue wrote: Is it possible for the default Administrator account to be set as a roaming profile on a home server? With multiple PCs on a home network (each with its default Administrator account), I would obviously want all of those to become one roaming account and want to know if it's possible; and if so, how to 'merge' the accounts when changing to roaming profile - and how this is safely processed. If you don't use AD, there are no roaming profiles possible. |
#4
|
|||
|
|||
Default Administrator account as roaming profile?
On Sep 2, 5:38*pm, daztrue wrote:
My instant reaction was "What's AD?", but from a combination of another forum discussion and the help file I'm guessing yo're referring to Active Directory? I certainly don't have roaming profiles at the moment as I have no server, but am on the verge of getting one. I've been studying about Group Policy but need to familiarise myself more with the setting up of OUs, domain and Active Directory. Plus, of course, my original question. If you can help that'd be great! "Lanwench [MVP - Exchange]" wrote: daztrue wrote: Is it possible for the default Administrator account to be set as a roaming profile on a home server? With multiple PCs on a home network (each with its default Administrator account), I would obviously want all of those to become one roaming account and want to know if it's possible; and if so, how to 'merge' the accounts when changing to roaming profile - and how this is safely processed. If you don't use AD, there are no roaming profiles possible. Not certain on this but to be able to use roaming profile, you may need: 1) Windows XP Pro installed on the PCs used as "workstations." 2) A true Windows Server version. (Windows 2000 server or Windows Server 2003/2008.) If you are going to use a Windows Home Server product, you might not be able to do this. |
#5
|
|||
|
|||
Default Administrator account as roaming profile?
Actually, even Windows NT4 Server works for roaming profiles... but it should not be used as Internet gateway.
"smlunatick" ???????/???????? ? ???????? ?????????: ... On Sep 2, 5:38 pm, daztrue wrote: My instant reaction was "What's AD?", but from a combination of another forum discussion and the help file I'm guessing yo're referring to Active Directory? I certainly don't have roaming profiles at the moment as I have no server, but am on the verge of getting one. I've been studying about Group Policy but need to familiarise myself more with the setting up of OUs, domain and Active Directory. Plus, of course, my original question. If you can help that'd be great! "Lanwench [MVP - Exchange]" wrote: daztrue wrote: Is it possible for the default Administrator account to be set as a roaming profile on a home server? With multiple PCs on a home network (each with its default Administrator account), I would obviously want all of those to become one roaming account and want to know if it's possible; and if so, how to 'merge' the accounts when changing to roaming profile - and how this is safely processed. If you don't use AD, there are no roaming profiles possible. Not certain on this but to be able to use roaming profile, you may need: 1) Windows XP Pro installed on the PCs used as "workstations." 2) A true Windows Server version. (Windows 2000 server or Windows Server 2003/2008.) If you are going to use a Windows Home Server product, you might not be able to do this. |
#6
|
|||
|
|||
Default Administrator account as roaming profile?
daztrue wrote:
My instant reaction was "What's AD?", but from a combination of another forum discussion and the help file I'm guessing yo're referring to Active Directory? Yes. I certainly don't have roaming profiles at the moment as I have no server, OK. but am on the verge of getting one. I've been studying about Group Policy but need to familiarise myself more with the setting up of OUs, domain and Active Directory. Plus, of course, my original question. If you can help that'd be great! I suggest you set up a lab (either physical or virtual) and download an eval of Windows server, XP Pro, and try setting up an active directory environment. Without this there's nothing you can test or play with. You can't use Windows Home Server (if that's what you've got). MS Small Business Server would be a good place to start if you can get your hands on a copy. My boilerplate on roaming profiles is below... ******************** General tips: 1. Set up a share on the server. For example - d:\profiles, shared as profiles$ to make it hidden from browsing. Make sure this share is *not* set to allow offline files/caching! (that's on by default - disable it) 2. Make sure the share permissions on profiles$ indicate everyone=full control. Set the NTFS security to administrators, system, and users=full control. 3. In the users' ADUC properties, specify \\server\profiles$\%username% in the profiles field 4. Have each user log into the domain once - if this is an existing user with a profile you wish to keep, have them log in at their usual workstationand log out. The profile is now roaming. 5. If you want the administrators group to automatically have permissions to the profiles folders, you'll need to make the appropriate change in group policy. Look in computer configuration/administrative templates/system/user profiles - there's an option to add administrators group to the roaming profiles permissions. Do this *before* the users' roaming profile folders are created - it isn't retroactive. ******************** Notes: Make sure users understand that they should not log into multiple computers at the same time when they have roaming profiles (unless you make the profiles mandatory by renaming ntuser.dat to ntuser.man so they can't change them, which has major disadvantages),. Explain that the 'last one out wins' when it comes to uploading the final, changed copy of the profile. If you want to restrict multiple simultaneous network logins, look at LimitLogon (too much overhead for me), or this: http://www.jsifaq.com/SF/Tips/Tip.aspx?id=8768 ******************** Keep your profiles TINY. Via group policy, you should be redirecting My Documents (at the very least) - to a subfolder of the user's home directory or user folder. Also consider redirecting Desktop & Application Data similarly..... so the user will end up with: \\server\users\%username%\My Documents, \\server\users\%username%\Desktop, \\server\users\%username%\Application Data. [Alternatively, just manually re-target My Documents to \\server\users\%username% (this is not optimal, however!)] You should use folder redirection even without roaming profiles, but it's especially critical if you *are* using them. If you aren't going to also redirect the desktop using policies, tell users that they are not to store any files on the desktop or you will beat them with a stick. Big profile=slow login/logout, and possible profile corruption. ******************** Note that user profiles are not compatible between different OS versions, even between W2k/XP. Keep all your computers. Keep your workstations as identical as possible - meaning, OS version is the same, SP level is the same, app load is (as much as possible) the same. ********************* If you also have Terminal Services users, make sure you set up a different TS profile path for them in their ADUC properties - e.g., \\server\tsprofiles$\%username% ******************** Do not let people store any data locally - all data belongs on the server. ******************** The User Profile Hive Cleanup Utility should be running on all your computers. You can download it he http://www.microsoft.com/downloads/d...displaylang=en ******************** Roaming profile & folder redirection article - http://www.windowsnetworking.com/art...rver-2003.html "Lanwench [MVP - Exchange]" wrote: daztrue wrote: Is it possible for the default Administrator account to be set as a roaming profile on a home server? With multiple PCs on a home network (each with its default Administrator account), I would obviously want all of those to become one roaming account and want to know if it's possible; and if so, how to 'merge' the accounts when changing to roaming profile - and how this is safely processed. If you don't use AD, there are no roaming profiles possible. |
#7
|
|||
|
|||
Default Administrator account as roaming profile?
I'm not sure what you mean by "set up a lab (either physical or virtual) and
download an eval of Windows server". Can you explain? You also mentioned that I can't use Windows Home Server, which is what I envisioned getting. What's the problem there? Finally, you stressed folder direction (which I've also been looking into) for all data, which I wasn't planning. My main intention for a home server (HP MediaSmart) is to redirect shared files to be available across the home network so other PCs won't need to be on, and as a backup resource. However, your emphasis on tiny profiles makes me wonder whether roaming profiles are practical for my intended setup. Other than wanting to control everything from one profile, I want to be able to configure/set policies for individual accounts/groups, which I'm lead to believe can only be done with AD. An important point is that I'm also intending to upgrade to Vista Ultimate. There must be some way I can do this? "Lanwench [MVP - Exchange]" wrote: daztrue wrote: My instant reaction was "What's AD?", but from a combination of another forum discussion and the help file I'm guessing yo're referring to Active Directory? Yes. I certainly don't have roaming profiles at the moment as I have no server, OK. but am on the verge of getting one. I've been studying about Group Policy but need to familiarise myself more with the setting up of OUs, domain and Active Directory. Plus, of course, my original question. If you can help that'd be great! I suggest you set up a lab (either physical or virtual) and download an eval of Windows server, XP Pro, and try setting up an active directory environment. Without this there's nothing you can test or play with. You can't use Windows Home Server (if that's what you've got). MS Small Business Server would be a good place to start if you can get your hands on a copy. My boilerplate on roaming profiles is below... ******************** General tips: 1. Set up a share on the server. For example - d:\profiles, shared as profiles$ to make it hidden from browsing. Make sure this share is *not* set to allow offline files/caching! (that's on by default - disable it) 2. Make sure the share permissions on profiles$ indicate everyone=full control. Set the NTFS security to administrators, system, and users=full control. 3. In the users' ADUC properties, specify \\server\profiles$\%username% in the profiles field 4. Have each user log into the domain once - if this is an existing user with a profile you wish to keep, have them log in at their usual workstationand log out. The profile is now roaming. 5. If you want the administrators group to automatically have permissions to the profiles folders, you'll need to make the appropriate change in group policy. Look in computer configuration/administrative templates/system/user profiles - there's an option to add administrators group to the roaming profiles permissions. Do this *before* the users' roaming profile folders are created - it isn't retroactive. ******************** Notes: Make sure users understand that they should not log into multiple computers at the same time when they have roaming profiles (unless you make the profiles mandatory by renaming ntuser.dat to ntuser.man so they can't change them, which has major disadvantages),. Explain that the 'last one out wins' when it comes to uploading the final, changed copy of the profile. If you want to restrict multiple simultaneous network logins, look at LimitLogon (too much overhead for me), or this: http://www.jsifaq.com/SF/Tips/Tip.aspx?id=8768 ******************** Keep your profiles TINY. Via group policy, you should be redirecting My Documents (at the very least) - to a subfolder of the user's home directory or user folder. Also consider redirecting Desktop & Application Data similarly..... so the user will end up with: \\server\users\%username%\My Documents, \\server\users\%username%\Desktop, \\server\users\%username%\Application Data. [Alternatively, just manually re-target My Documents to \\server\users\%username% (this is not optimal, however!)] You should use folder redirection even without roaming profiles, but it's especially critical if you *are* using them. If you aren't going to also redirect the desktop using policies, tell users that they are not to store any files on the desktop or you will beat them with a stick. Big profile=slow login/logout, and possible profile corruption. ******************** Note that user profiles are not compatible between different OS versions, even between W2k/XP. Keep all your computers. Keep your workstations as identical as possible - meaning, OS version is the same, SP level is the same, app load is (as much as possible) the same. ********************* If you also have Terminal Services users, make sure you set up a different TS profile path for them in their ADUC properties - e.g., \\server\tsprofiles$\%username% ******************** Do not let people store any data locally - all data belongs on the server. ******************** The User Profile Hive Cleanup Utility should be running on all your computers. You can download it he http://www.microsoft.com/downloads/d...displaylang=en ******************** Roaming profile & folder redirection article - http://www.windowsnetworking.com/art...rver-2003.html "Lanwench [MVP - Exchange]" wrote: daztrue wrote: Is it possible for the default Administrator account to be set as a roaming profile on a home server? With multiple PCs on a home network (each with its default Administrator account), I would obviously want all of those to become one roaming account and want to know if it's possible; and if so, how to 'merge' the accounts when changing to roaming profile - and how this is safely processed. If you don't use AD, there are no roaming profiles possible. |
#8
|
|||
|
|||
Default Administrator account as roaming profile?
daztrue wrote:
I'm not sure what you mean by "set up a lab (either physical or virtual) and download an eval of Windows server". Can you explain? I'm not sure what's unclear, sorry. A lab is a test network. Physical means you have a bunch of machines on this test network. Virtual means you use virtualization software, such as VMWare or MS Virtual Server or ....Workstation. Eval is evaluation. Does that help to clarify? You also mentioned that I can't use Windows Home Server, which is what I envisioned getting. What's the problem there? As far as I'm aware, Windows Home Server can't be used as a domain controller. I don't use it, though. You'd want to look up documentation or post in a server group for that. Finally, you stressed folder direction (which I've also been looking into) for all data, which I wasn't planning. If you really do use roaming profiles you must use folder redirection, or it will barf at some point. My main intention for a home server (HP MediaSmart) is to redirect shared files to be available across the home network so other PCs won't need to be on, and as a backup resource. That sounds fine. However, your emphasis on tiny profiles makes me wonder whether roaming profiles are practical for my intended setup. No, and not possible, as far as I know. Nor are they necessary. Other than wanting to control everything from one profile, I want to be able to configure/set policies for individual accounts/groups, which I'm lead to believe can only be done with AD. Yes, that's correct. An important point is that I'm also intending to upgrade to Vista Ultimate. There must be some way I can do this? I don't use or support Vista, but I know Vista Business can join a domain. Don't know about Ultimate. Good luck "Lanwench [MVP - Exchange]" wrote: daztrue wrote: My instant reaction was "What's AD?", but from a combination of another forum discussion and the help file I'm guessing yo're referring to Active Directory? Yes. I certainly don't have roaming profiles at the moment as I have no server, OK. but am on the verge of getting one. I've been studying about Group Policy but need to familiarise myself more with the setting up of OUs, domain and Active Directory. Plus, of course, my original question. If you can help that'd be great! I suggest you set up a lab (either physical or virtual) and download an eval of Windows server, XP Pro, and try setting up an active directory environment. Without this there's nothing you can test or play with. You can't use Windows Home Server (if that's what you've got). MS Small Business Server would be a good place to start if you can get your hands on a copy. My boilerplate on roaming profiles is below... ******************** General tips: 1. Set up a share on the server. For example - d:\profiles, shared as profiles$ to make it hidden from browsing. Make sure this share is *not* set to allow offline files/caching! (that's on by default - disable it) 2. Make sure the share permissions on profiles$ indicate everyone=full control. Set the NTFS security to administrators, system, and users=full control. 3. In the users' ADUC properties, specify \\server\profiles$\%username% in the profiles field 4. Have each user log into the domain once - if this is an existing user with a profile you wish to keep, have them log in at their usual workstationand log out. The profile is now roaming. 5. If you want the administrators group to automatically have permissions to the profiles folders, you'll need to make the appropriate change in group policy. Look in computer configuration/administrative templates/system/user profiles - there's an option to add administrators group to the roaming profiles permissions. Do this *before* the users' roaming profile folders are created - it isn't retroactive. ******************** Notes: Make sure users understand that they should not log into multiple computers at the same time when they have roaming profiles (unless you make the profiles mandatory by renaming ntuser.dat to ntuser.man so they can't change them, which has major disadvantages),. Explain that the 'last one out wins' when it comes to uploading the final, changed copy of the profile. If you want to restrict multiple simultaneous network logins, look at LimitLogon (too much overhead for me), or this: http://www.jsifaq.com/SF/Tips/Tip.aspx?id=8768 ******************** Keep your profiles TINY. Via group policy, you should be redirecting My Documents (at the very least) - to a subfolder of the user's home directory or user folder. Also consider redirecting Desktop & Application Data similarly..... so the user will end up with: \\server\users\%username%\My Documents, \\server\users\%username%\Desktop, \\server\users\%username%\Application Data. [Alternatively, just manually re-target My Documents to \\server\users\%username% (this is not optimal, however!)] You should use folder redirection even without roaming profiles, but it's especially critical if you *are* using them. If you aren't going to also redirect the desktop using policies, tell users that they are not to store any files on the desktop or you will beat them with a stick. Big profile=slow login/logout, and possible profile corruption. ******************** Note that user profiles are not compatible between different OS versions, even between W2k/XP. Keep all your computers. Keep your workstations as identical as possible - meaning, OS version is the same, SP level is the same, app load is (as much as possible) the same. ********************* If you also have Terminal Services users, make sure you set up a different TS profile path for them in their ADUC properties - e.g., \\server\tsprofiles$\%username% ******************** Do not let people store any data locally - all data belongs on the server. ******************** The User Profile Hive Cleanup Utility should be running on all your computers. You can download it he http://www.microsoft.com/downloads/d...displaylang=en ******************** Roaming profile & folder redirection article - http://www.windowsnetworking.com/art...rver-2003.html "Lanwench [MVP - Exchange]" wrote: daztrue wrote: Is it possible for the default Administrator account to be set as a roaming profile on a home server? With multiple PCs on a home network (each with its default Administrator account), I would obviously want all of those to become one roaming account and want to know if it's possible; and if so, how to 'merge' the accounts when changing to roaming profile - and how this is safely processed. If you don't use AD, there are no roaming profiles possible. |
#9
|
|||
|
|||
Default Administrator account as roaming profile?
As you suggested, I've been looking on other forums and sites regarding
Windows Home Server, and although it's a hot topic, the general/official concensus appears to be as you described: neither a domain controller, nor able to join one. I also learnt that it is a "subset" (which I assume means a smaller version) of MS Small Business Server, which, again, you also suggested! Naturally, I looked into that, and learnt that 2008 will be released in November. I don't know if you can shed any light on that version, or whether it will still backup client data in the same way as Windows Home Server? Also, I take it SBS 2008 will still work fine with HP MediaSmart Server? And is it installed on the server or on each client - like WHS? Back to the issue of folder redirection: is it possible to redirect various directories from multiple PCs to one directory? And if so, what is the process when a directory or file have the same name? I'm thinking primarily about redirecting the Shared Documents paths of each PC to one 'merged' tree on the server. Finally, assuming everything discussed is set up, and I decided roaming profiles were for me, would it be possible to 'merge' default Administrator accounts from PCs on the workgroup/LAN? If so, how? If not, what is usually done with default accounts when a roaming Administrator account is set up? Thanks, by the way, for all this help! "Lanwench [MVP - Exchange]" wrote: daztrue wrote: I'm not sure what you mean by "set up a lab (either physical or virtual) and download an eval of Windows server". Can you explain? I'm not sure what's unclear, sorry. A lab is a test network. Physical means you have a bunch of machines on this test network. Virtual means you use virtualization software, such as VMWare or MS Virtual Server or ....Workstation. Eval is evaluation. Does that help to clarify? You also mentioned that I can't use Windows Home Server, which is what I envisioned getting. What's the problem there? As far as I'm aware, Windows Home Server can't be used as a domain controller. I don't use it, though. You'd want to look up documentation or post in a server group for that. Finally, you stressed folder direction (which I've also been looking into) for all data, which I wasn't planning. If you really do use roaming profiles you must use folder redirection, or it will barf at some point. My main intention for a home server (HP MediaSmart) is to redirect shared files to be available across the home network so other PCs won't need to be on, and as a backup resource. That sounds fine. However, your emphasis on tiny profiles makes me wonder whether roaming profiles are practical for my intended setup. No, and not possible, as far as I know. Nor are they necessary. Other than wanting to control everything from one profile, I want to be able to configure/set policies for individual accounts/groups, which I'm lead to believe can only be done with AD. Yes, that's correct. An important point is that I'm also intending to upgrade to Vista Ultimate. There must be some way I can do this? I don't use or support Vista, but I know Vista Business can join a domain. Don't know about Ultimate. Good luck "Lanwench [MVP - Exchange]" wrote: daztrue wrote: My instant reaction was "What's AD?", but from a combination of another forum discussion and the help file I'm guessing yo're referring to Active Directory? Yes. I certainly don't have roaming profiles at the moment as I have no server, OK. but am on the verge of getting one. I've been studying about Group Policy but need to familiarise myself more with the setting up of OUs, domain and Active Directory. Plus, of course, my original question. If you can help that'd be great! I suggest you set up a lab (either physical or virtual) and download an eval of Windows server, XP Pro, and try setting up an active directory environment. Without this there's nothing you can test or play with. You can't use Windows Home Server (if that's what you've got). MS Small Business Server would be a good place to start if you can get your hands on a copy. My boilerplate on roaming profiles is below... ******************** General tips: 1. Set up a share on the server. For example - d:\profiles, shared as profiles$ to make it hidden from browsing. Make sure this share is *not* set to allow offline files/caching! (that's on by default - disable it) 2. Make sure the share permissions on profiles$ indicate everyone=full control. Set the NTFS security to administrators, system, and users=full control. 3. In the users' ADUC properties, specify \\server\profiles$\%username% in the profiles field 4. Have each user log into the domain once - if this is an existing user with a profile you wish to keep, have them log in at their usual workstationand log out. The profile is now roaming. 5. If you want the administrators group to automatically have permissions to the profiles folders, you'll need to make the appropriate change in group policy. Look in computer configuration/administrative templates/system/user profiles - there's an option to add administrators group to the roaming profiles permissions. Do this *before* the users' roaming profile folders are created - it isn't retroactive. ******************** Notes: Make sure users understand that they should not log into multiple computers at the same time when they have roaming profiles (unless you make the profiles mandatory by renaming ntuser.dat to ntuser.man so they can't change them, which has major disadvantages),. Explain that the 'last one out wins' when it comes to uploading the final, changed copy of the profile. If you want to restrict multiple simultaneous network logins, look at LimitLogon (too much overhead for me), or this: http://www.jsifaq.com/SF/Tips/Tip.aspx?id=8768 ******************** Keep your profiles TINY. Via group policy, you should be redirecting My Documents (at the very least) - to a subfolder of the user's home directory or user folder. Also consider redirecting Desktop & Application Data similarly..... so the user will end up with: \\server\users\%username%\My Documents, \\server\users\%username%\Desktop, \\server\users\%username%\Application Data. [Alternatively, just manually re-target My Documents to \\server\users\%username% (this is not optimal, however!)] You should use folder redirection even without roaming profiles, but it's especially critical if you *are* using them. If you aren't going to also redirect the desktop using policies, tell users that they are not to store any files on the desktop or you will beat them with a stick. Big profile=slow login/logout, and possible profile corruption. ******************** Note that user profiles are not compatible between different OS versions, even between W2k/XP. Keep all your computers. Keep your workstations as identical as possible - meaning, OS version is the same, SP level is the same, app load is (as much as possible) the same. ********************* If you also have Terminal Services users, make sure you set up a different TS profile path for them in their ADUC properties - e.g., \\server\tsprofiles$\%username% ******************** Do not let people store any data locally - all data belongs on the server. ******************** The User Profile Hive Cleanup Utility should be running on all your computers. You can download it he http://www.microsoft.com/downloads/d...displaylang=en ******************** Roaming profile & folder redirection article - http://www.windowsnetworking.com/art...rver-2003.html "Lanwench [MVP - Exchange]" wrote: daztrue wrote: Is it possible for the default Administrator account to be set as a roaming profile on a home server? With multiple PCs on a home network (each with its default Administrator account), I would obviously want all of those to become one roaming account and want to know if it's possible; and if so, how to 'merge' the accounts when changing to roaming profile - and how this is safely processed. If you don't use AD, there are no roaming profiles possible. |
#10
|
|||
|
|||
Default Administrator account as roaming profile?
daztrue wrote:
As you suggested, I've been looking on other forums and sites regarding Windows Home Server, and although it's a hot topic, the general/official concensus appears to be as you described: neither a domain controller, nor able to join one. I also learnt that it is a "subset" (which I assume means a smaller version) of MS Small Business Server, which, again, you also suggested! Naturally, I looked into that, and learnt that 2008 will be released in November. Yes, I believe so. I don't know if you can shed any light on that version, or whether it will still backup client data in the same way as Windows Home Server? No idea, but I find it doubtful. With AD it's far more common to store all data on the server, and nothing at all on workstations. Workstations should be viewed as somewhat interchangeable and generic, in my view. Also, I take it SBS 2008 will still work fine with HP MediaSmart Server? ] No idea...the hardware requirements will be pretty extreme. And is it installed on the server or on each client - like WHS? You install SBS2008 on your server hardware. The client OSes can be Win2k, WinXP Pro, or Vista Business. Back to the issue of folder redirection: is it possible to redirect vaious directories from multiple PCs to one directory? You don't redirect from a PC - you redirect from a profile folder, such as My Documents, Application Data, Desktop - to folders on the server, usually under a parent folder such as \\server\sharename\%username%\My Documents, etc. . And if so, what is the process when a directory or file have the same name? I'm thinking primarily about redirecting the Shared Documents paths of each PC to one 'merged' tree on the server. It doesn't work quite like that. It has nothing to do with local folders. You can set up shares on the server, and users can access them - instead of the local shares. I tend to get rid of all local shares and don't let users create them. Finally, assuming everything discussed is set up, and I decided roaming profiles were for me, would it be possible to 'merge' default Administrator accounts from PCs on the workgroup/LAN? No.... If so, how? If not, what is usually done with default accounts when a roaming Administrator account is set up? There's no roaming administrator account. There's a domain account (which is not related to your local accounts). You can set up roaming *profiles* (my lengthy post described how) but I think you're still a little unclear on AD and domain profiles - it's hard to know how to answer your questions. Thanks, by the way, for all this help! "Lanwench [MVP - Exchange]" wrote: daztrue wrote: I'm not sure what you mean by "set up a lab (either physical or virtual) and download an eval of Windows server". Can you explain? I'm not sure what's unclear, sorry. A lab is a test network. Physical means you have a bunch of machines on this test network. Virtual means you use virtualization software, such as VMWare or MS Virtual Server or ....Workstation. Eval is evaluation. Does that help to clarify? You also mentioned that I can't use Windows Home Server, which is what I envisioned getting. What's the problem there? As far as I'm aware, Windows Home Server can't be used as a domain controller. I don't use it, though. You'd want to look up documentation or post in a server group for that. Finally, you stressed folder direction (which I've also been looking into) for all data, which I wasn't planning. If you really do use roaming profiles you must use folder redirection, or it will barf at some point. My main intention for a home server (HP MediaSmart) is to redirect shared files to be available across the home network so other PCs won't need to be on, and as a backup resource. That sounds fine. However, your emphasis on tiny profiles makes me wonder whether roaming profiles are practical for my intended setup. No, and not possible, as far as I know. Nor are they necessary. Other than wanting to control everything from one profile, I want to be able to configure/set policies for individual accounts/groups, which I'm lead to believe can only be done with AD. Yes, that's correct. An important point is that I'm also intending to upgrade to Vista Ultimate. There must be some way I can do this? I don't use or support Vista, but I know Vista Business can join a domain. Don't know about Ultimate. Good luck "Lanwench [MVP - Exchange]" wrote: daztrue wrote: My instant reaction was "What's AD?", but from a combination of another forum discussion and the help file I'm guessing yo're referring to Active Directory? Yes. I certainly don't have roaming profiles at the moment as I have no server, OK. but am on the verge of getting one. I've been studying about Group Policy but need to familiarise myself more with the setting up of OUs, domain and Active Directory. Plus, of course, my original question. If you can help that'd be great! I suggest you set up a lab (either physical or virtual) and download an eval of Windows server, XP Pro, and try setting up an active directory environment. Without this there's nothing you can test or play with. You can't use Windows Home Server (if that's what you've got). MS Small Business Server would be a good place to start if you can get your hands on a copy. My boilerplate on roaming profiles is below... ******************** General tips: 1. Set up a share on the server. For example - d:\profiles, shared as profiles$ to make it hidden from browsing. Make sure this share is *not* set to allow offline files/caching! (that's on by default - disable it) 2. Make sure the share permissions on profiles$ indicate everyone=full control. Set the NTFS security to administrators, system, and users=full control. 3. In the users' ADUC properties, specify \\server\profiles$\%username% in the profiles field 4. Have each user log into the domain once - if this is an existing user with a profile you wish to keep, have them log in at their usual workstationand log out. The profile is now roaming. 5. If you want the administrators group to automatically have permissions to the profiles folders, you'll need to make the appropriate change in group policy. Look in computer configuration/administrative templates/system/user profiles - there's an option to add administrators group to the roaming profiles permissions. Do this *before* the users' roaming profile folders are created - it isn't retroactive. ******************** Notes: Make sure users understand that they should not log into multiple computers at the same time when they have roaming profiles (unless you make the profiles mandatory by renaming ntuser.dat to ntuser.man so they can't change them, which has major disadvantages),. Explain that the 'last one out wins' when it comes to uploading the final, changed copy of the profile. If you want to restrict multiple simultaneous network logins, look at LimitLogon (too much overhead for me), or this: http://www.jsifaq.com/SF/Tips/Tip.aspx?id=8768 ******************** Keep your profiles TINY. Via group policy, you should be redirecting My Documents (at the very least) - to a subfolder of the user's home directory or user folder. Also consider redirecting Desktop & Application Data similarly..... so the user will end up with: \\server\users\%username%\My Documents, \\server\users\%username%\Desktop, \\server\users\%username%\Application Data. [Alternatively, just manually re-target My Documents to \\server\users\%username% (this is not optimal, however!)] You should use folder redirection even without roaming profiles, but it's especially critical if you *are* using them. If you aren't going to also redirect the desktop using policies, tell users that they are not to store any files on the desktop or you will beat them with a stick. Big profile=slow login/logout, and possible profile corruption. ******************** Note that user profiles are not compatible between different OS versions, even between W2k/XP. Keep all your computers. Keep your workstations as identical as possible - meaning, OS version is the same, SP level is the same, app load is (as much as possible) the same. ********************* If you also have Terminal Services users, make sure you set up a different TS profile path for them in their ADUC properties - e.g., \\server\tsprofiles$\%username% ******************** Do not let people store any data locally - all data belongs on the server. ******************** The User Profile Hive Cleanup Utility should be running on all your computers. You can download it he http://www.microsoft.com/downloads/d...displaylang=en ******************** Roaming profile & folder redirection article - http://www.windowsnetworking.com/art...rver-2003.html "Lanwench [MVP - Exchange]" wrote: daztrue wrote: Is it possible for the default Administrator account to be set as a roaming profile on a home server? With multiple PCs on a home network (each with its default Administrator account), I would obviously want all of those to become one roaming account and want to know if it's possible; and if so, how to 'merge' the accounts when changing to roaming profile - and how this is safely processed. If you don't use AD, there are no roaming profiles possible. |
#11
|
|||
|
|||
Default Administrator account as roaming profile?
On Sep 8, 5:58*pm, daztrue wrote:
As you suggested, I've been looking on other forums and sites regarding Windows Home Server, and although it's a hot topic, the general/official concensus appears to be as you described: neither a domain controller, nor able to join one. I also learnt that it is a "subset" (which I assume means a smaller version) of MS Small Business Server, which, again, you also suggested! Naturally, I looked into that, and learnt that 2008 will be released in November. I don't know if you can shed any light on that version, or whether it will still backup client data in the same way as Windows Home Server? Also, I take it SBS 2008 will still work fine with HP MediaSmart Server? And is it installed on the server or on each client - like WHS? Back to the issue of folder redirection: is it possible to redirect various directories from multiple PCs to one directory? And if so, what is the process when a directory or file have the same name? I'm thinking primarily about redirecting the Shared Documents paths of each PC to one 'merged' tree on the server. Finally, assuming everything discussed is set up, and I decided roaming profiles were for me, would it be possible to 'merge' default Administrator accounts from PCs on the workgroup/LAN? If so, how? If not, what is usually done with default accounts when a roaming Administrator account is set up? Thanks, by the way, for all this help! "Lanwench [MVP - Exchange]" wrote: daztrue wrote: I'm not sure what you mean by "set up a lab (either physical or virtual) and download an eval of Windows server". Can you explain? I'm not sure what's unclear, sorry. A lab is a test network. Physical means you have a bunch of machines on this test network. Virtual means you use virtualization software, such as VMWare or MS Virtual Server or ....Workstation. Eval is evaluation. Does that help to clarify? You also mentioned that I can't use Windows Home Server, which is what I envisioned getting. What's the problem there? As far as I'm aware, Windows Home Server can't be used as a domain controller. I don't use it, though. You'd want to look up documentation or post in a server group for that. Finally, you stressed folder direction (which I've also been looking into) for all data, which I wasn't planning. If you really do use roaming profiles you must use folder redirection, or it will barf at some point. My main intention for a home server (HP MediaSmart) is to redirect shared files to be available across the home network so other PCs won't need to be on, and as a backup resource. That sounds fine. However, your emphasis on tiny profiles makes me wonder whether roaming profiles are practical for my intended setup. No, and not possible, as far as I know. Nor are they necessary. Other than wanting to control everything from one profile, I want to be able to configure/set policies for individual accounts/groups, which I'm lead to believe can only be done with AD. Yes, that's correct. An important point is that I'm also intending to upgrade to Vista Ultimate. There must be some way I can do this? I don't use or support Vista, but I know Vista Business can join a domain. Don't know about Ultimate. Good luck "Lanwench [MVP - Exchange]" wrote: daztrue wrote: My instant reaction was "What's AD?", but from a combination of another forum discussion and the help file I'm guessing yo're referring to Active Directory? Yes. I certainly don't have roaming profiles at the moment as I have no server, OK. but am on the verge of getting one. I've been studying about Group Policy but need to familiarise myself more with the setting up of OUs, domain and Active Directory. Plus, of course, my original question. If you can help that'd be great! I suggest you set up a lab (either physical or virtual) and download an eval of Windows server, XP Pro, and try setting up an active directory environment. Without this there's nothing you can test or play with. You can't use Windows Home Server (if that's what you've got). MS Small Business Server would be a good place to start if you can get your hands on a copy. My boilerplate on roaming profiles is below... ******************** General tips: 1. Set up a share on the server. For example - d:\profiles, shared as profiles$ to make it hidden from browsing. Make sure this share is *not* set to allow offline files/caching! (that's on by default - disable it) 2. Make sure the share permissions on profiles$ indicate everyone=full control. Set the NTFS security to administrators, system, and users=full control. 3. In the users' ADUC properties, specify \\server\profiles$\%username% in the profiles field 4. Have each user log into the domain once - if this is an existing user with a profile you wish to keep, have them log in at their usual workstationand log out. The profile is now roaming. 5. If you want the administrators group to automatically have permissions to the profiles folders, you'll need to make the appropriate change in group policy. Look in computer configuration/administrative templates/system/user profiles - there's an option to add administrators group to the roaming profiles permissions. Do this *before* the users' roaming profile folders are created - it isn't retroactive. ******************** Notes: Make sure users understand that they should not log into multiple computers at the same time when they have roaming profiles (unless you make the profiles mandatory by renaming ntuser.dat to ntuser.man so they can't change them, which has major disadvantages),. Explain that the 'last one out wins' when it comes to uploading the final, changed copy of the profile. If you want to restrict multiple simultaneous network logins, look at LimitLogon (too much overhead for me), or this:http://www.jsifaq.com/SF/Tips/Tip.aspx?id=8768 ******************** Keep your profiles TINY. Via group policy, you should be redirecting My Documents (at the very least) - to a subfolder of the user's home directory or user folder. Also consider redirecting Desktop & Application Data similarly..... so the user will end up with: \\server\users\%username%\My Documents, \\server\users\%username%\Desktop, \\server\users\%username%\Application Data. [Alternatively, just manually re-target My Documents to \\server\users\%username% (this is not optimal, however!)] You should use folder redirection even without roaming profiles, but it's especially critical if you *are* using them. If you aren't going to also redirect the desktop using policies, tell users that they are not to store any files on the desktop or you will beat them with a stick. Big profile=slow login/logout, and possible profile corruption. ******************** Note that user profiles are not compatible between different OS versions, even between W2k/XP. Keep all your computers. Keep your workstations as identical as possible - meaning, OS version is the same, SP level is the same, app load is (as much as possible) the same. ********************* If you also have Terminal Services users, make sure you set up a different TS profile path for them in their ADUC properties - e.g., \\server\tsprofiles$\%username% ******************** *Do not let people store any data locally - all data belongs on the server. ******************** *The User Profile Hive Cleanup Utility should be running on all your computers. *You can download it he http://www.microsoft.com/downloads/d...d=1B286E6D-891... ******************** Roaming profile & folder redirection article - http://www.windowsnetworking.com/art...file-Folder-Re.... "Lanwench [MVP - Exchange]" wrote: daztrue wrote: Is it possible for the default Administrator account to be set as a roaming profile on a home server? With multiple PCs on a home network (each with its default Administrator account), I would obviously want all of those to become one roaming account and want to know if it's possible; and if so, how to 'merge' the accounts when changing to roaming profile - and how this is safely processed. If you don't use AD, there are no roaming profiles possible. The HP server may / may not work, or work well , with SBS 2008. Small Business Server usually may require more powerful hardware to run well. The HP server was designed for the Home Server requirements. |
#12
|
|||
|
|||
Default Administrator account as roaming profile?
Hi again! Hope you're still out there!
Been on different forums/sites and certainly looks like MediaSmart Server not compatible with SBS 2008. The more I delve into this (which I'm okay with) the more I'm hoping I can find a solution to simply use WHS and MediaSmart Server. I just want to be able to have 'proper' admin control over the system and individual user accounts so I can control what runs, what's accesible etc on each account. Especially with kids in mind. I know you said you didn't support Vista, and although I've looked into it, I'm sure you'll know more and could refer me to a similar forum, as it claims to have better admin control. Anyway, just to recap on your last reply: you explained about setting up shares on the server, so you must then redirect folders/files from numerous PCs to that share. This still leaves me wondering about duplicate folders/files because if paths are being redirected from different PCs then there's the possibility of folders/files with the same name. What am I missing? You mentioned getting rid of the local shares and preventing them being created. How? Finally, thanks for explaining about the Domain Administrator, although you didn't tell me what is usually done with the local default Administrator accounts within the domain - or whether anything can be done. "Lanwench [MVP - Exchange]" wrote: daztrue wrote: As you suggested, I've been looking on other forums and sites regarding Windows Home Server, and although it's a hot topic, the general/official concensus appears to be as you described: neither a domain controller, nor able to join one. I also learnt that it is a "subset" (which I assume means a smaller version) of MS Small Business Server, which, again, you also suggested! Naturally, I looked into that, and learnt that 2008 will be released in November. Yes, I believe so. I don't know if you can shed any light on that version, or whether it will still backup client data in the same way as Windows Home Server? No idea, but I find it doubtful. With AD it's far more common to store all data on the server, and nothing at all on workstations. Workstations should be viewed as somewhat interchangeable and generic, in my view. Also, I take it SBS 2008 will still work fine with HP MediaSmart Server? ] No idea...the hardware requirements will be pretty extreme. And is it installed on the server or on each client - like WHS? You install SBS2008 on your server hardware. The client OSes can be Win2k, WinXP Pro, or Vista Business. Back to the issue of folder redirection: is it possible to redirect vaious directories from multiple PCs to one directory? You don't redirect from a PC - you redirect from a profile folder, such as My Documents, Application Data, Desktop - to folders on the server, usually under a parent folder such as \\server\sharename\%username%\My Documents, etc. . And if so, what is the process when a directory or file have the same name? I'm thinking primarily about redirecting the Shared Documents paths of each PC to one 'merged' tree on the server. It doesn't work quite like that. It has nothing to do with local folders. You can set up shares on the server, and users can access them - instead of the local shares. I tend to get rid of all local shares and don't let users create them. Finally, assuming everything discussed is set up, and I decided roaming profiles were for me, would it be possible to 'merge' default Administrator accounts from PCs on the workgroup/LAN? No.... If so, how? If not, what is usually done with default accounts when a roaming Administrator account is set up? There's no roaming administrator account. There's a domain account (which is not related to your local accounts). You can set up roaming *profiles* (my lengthy post described how) but I think you're still a little unclear on AD and domain profiles - it's hard to know how to answer your questions. Thanks, by the way, for all this help! "Lanwench [MVP - Exchange]" wrote: daztrue wrote: I'm not sure what you mean by "set up a lab (either physical or virtual) and download an eval of Windows server". Can you explain? I'm not sure what's unclear, sorry. A lab is a test network. Physical means you have a bunch of machines on this test network. Virtual means you use virtualization software, such as VMWare or MS Virtual Server or ....Workstation. Eval is evaluation. Does that help to clarify? You also mentioned that I can't use Windows Home Server, which is what I envisioned getting. What's the problem there? As far as I'm aware, Windows Home Server can't be used as a domain controller. I don't use it, though. You'd want to look up documentation or post in a server group for that. Finally, you stressed folder direction (which I've also been looking into) for all data, which I wasn't planning. If you really do use roaming profiles you must use folder redirection, or it will barf at some point. My main intention for a home server (HP MediaSmart) is to redirect shared files to be available across the home network so other PCs won't need to be on, and as a backup resource. That sounds fine. However, your emphasis on tiny profiles makes me wonder whether roaming profiles are practical for my intended setup. No, and not possible, as far as I know. Nor are they necessary. Other than wanting to control everything from one profile, I want to be able to configure/set policies for individual accounts/groups, which I'm lead to believe can only be done with AD. Yes, that's correct. An important point is that I'm also intending to upgrade to Vista Ultimate. There must be some way I can do this? I don't use or support Vista, but I know Vista Business can join a domain. Don't know about Ultimate. Good luck "Lanwench [MVP - Exchange]" wrote: daztrue wrote: My instant reaction was "What's AD?", but from a combination of another forum discussion and the help file I'm guessing yo're referring to Active Directory? Yes. I certainly don't have roaming profiles at the moment as I have no server, OK. but am on the verge of getting one. I've been studying about Group Policy but need to familiarise myself more with the setting up of OUs, domain and Active Directory. Plus, of course, my original question. If you can help that'd be great! I suggest you set up a lab (either physical or virtual) and download an eval of Windows server, XP Pro, and try setting up an active directory environment. Without this there's nothing you can test or play with. You can't use Windows Home Server (if that's what you've got). MS Small Business Server would be a good place to start if you can get your hands on a copy. My boilerplate on roaming profiles is below... ******************** General tips: 1. Set up a share on the server. For example - d:\profiles, shared as profiles$ to make it hidden from browsing. Make sure this share is *not* set to allow offline files/caching! (that's on by default - disable it) 2. Make sure the share permissions on profiles$ indicate everyone=full control. Set the NTFS security to administrators, system, and users=full control. 3. In the users' ADUC properties, specify \\server\profiles$\%username% in the profiles field 4. Have each user log into the domain once - if this is an existing user with a profile you wish to keep, have them log in at their usual workstationand log out. The profile is now roaming. 5. If you want the administrators group to automatically have permissions to the profiles folders, you'll need to make the appropriate change in group policy. Look in computer configuration/administrative templates/system/user profiles - there's an option to add administrators group to the roaming profiles permissions. Do this *before* the users' roaming profile folders are created - it isn't retroactive. ******************** Notes: Make sure users understand that they should not log into multiple computers at the same time when they have roaming profiles (unless you make the profiles mandatory by renaming ntuser.dat to ntuser.man so they can't change them, which has major disadvantages),. Explain that the 'last one out wins' when it comes to uploading the final, changed copy of the profile. If you want to restrict multiple simultaneous network logins, look at LimitLogon (too much overhead for me), or this: http://www.jsifaq.com/SF/Tips/Tip.aspx?id=8768 ******************** Keep your profiles TINY. Via group policy, you should be redirecting My Documents (at the very least) - to a subfolder of the user's home directory or user folder. Also consider redirecting Desktop & Application Data similarly..... so the user will end up with: \\server\users\%username%\My Documents, \\server\users\%username%\Desktop, \\server\users\%username%\Application Data. [Alternatively, just manually re-target My Documents to \\server\users\%username% (this is not optimal, however!)] You should use folder redirection even without roaming profiles, but it's especially critical if you *are* using them. If you aren't going to also redirect the desktop using policies, tell users that they are not to store any files on the desktop or you will beat them with a stick. Big profile=slow login/logout, and possible profile corruption. ******************** Note that user profiles are not compatible between different OS versions, even between W2k/XP. Keep all your computers. Keep your workstations as identical as possible - meaning, OS version is the same, SP level is the same, app load is (as much as possible) the same. ********************* If you also have Terminal Services users, make sure you set up a different TS profile path for them in their ADUC properties - e.g., \\server\tsprofiles$\%username% ******************** Do not let people store any data locally - all data belongs on the server. ******************** The User Profile Hive Cleanup Utility should be running on all your computers. You can download it he http://www.microsoft.com/downloads/d...displaylang=en ******************** Roaming profile & folder redirection article - http://www.windowsnetworking.com/art...rver-2003.html "Lanwench [MVP - Exchange]" wrote: daztrue wrote: Is it possible for the default Administrator account to be set as a roaming profile on a home server? With multiple PCs on a home network (each with its default Administrator account), I would obviously want all of those to become one roaming account and want to know if it's possible; and if so, how to 'merge' the accounts when changing to roaming profile - and how this is safely processed. If you don't use AD, there are no roaming profiles possible. |
#13
|
|||
|
|||
Default Administrator account as roaming profile?
daztrue wrote:
Hi again! Hope you're still out there! Been on different forums/sites and certainly looks like MediaSmart Server not compatible with SBS 2008. The more I delve into this (which I'm okay with) the more I'm hoping I can find a solution to simply use WHS and MediaSmart Server. I just want to be able to have 'proper' admin control over the system and individual user accounts so I can control what runs, what's accesible etc on each account. Especially with kids in mind. You'll have to deal with that on the workstation level, then. I know you said you didn't support Vista, and although I've looked into it, I'm sure you'll know more and could refer me to a similar forum, as it claims to have better admin control. Microsoft.public.vista.* These aren't forums, note - they're usenet groups, or newsgroups. Try using a newsreader instead of the web interface - it's a lot better. The following is from a post by MVP Malke ... ------------------------------------------------------- Here's information on Usenet and using a newsreader: http://www.elephantboycomputers.com/page3.html#12-09-02 - a brief explanation of newsgroups http://michaelstevenstech.com/outlo...ssnewreader.htm http://rickrogers.org/setupoe.htm http://support.microsoft.com/defaul...wto/default.asp - Set Up Newsreader http://www.dts-l.org/goodpost.htm http://www.catb.org/~esr/faqs/smart-questions.html http://aumha.org/nntp.htm - list of MS newsgroups microsoft.public.test.here - MS group to test if your newsreader is working properly http://www.mailmsg.com/SPAM_munging.htm - how to munge email address http://www.blakjak.demon.co.uk/mul_crss.htm - multiposting vs. crossposting Some newsreaders for Windows http://www.forteinc.com/agent/index.php - for Forte http://www.mozilla.org (Thunderbird does newsgroups) http://gravity.tbates.org/ ------------------------------------- Anyway, just to recap on your last reply: you explained about setting up shares on the server, so you must then redirect folders/files from numerous PCs to that share. Close. You set up shares on the server, and redirect the user profile My Documents folder (and possibly others, such as desktop etc) there. This still leaves me wondering about duplicate folders/files because if paths are being redirected from different PCs then there's the possibility of folders/files with the same name. What am I missing? Each user would have their own parent folder on the server, such as \\server\share$\%username%\My Documents, etc. . But you can't do this without active directory. You mentioned getting rid of the local shares and preventing them being created. How? There would be none by default besides the default admin share, and you would not let your users have admin rights to create shares or folders on the local hard drive. Finally, thanks for explaining about the Domain Administrator, although you didn't tell me what is usually done with the local default Administrator accounts within the domain - or whether anything can be done. You give them very good passwords "Lanwench [MVP - Exchange]" wrote: daztrue wrote: As you suggested, I've been looking on other forums and sites regarding Windows Home Server, and although it's a hot topic, the general/official concensus appears to be as you described: neither a domain controller, nor able to join one. I also learnt that it is a "subset" (which I assume means a smaller version) of MS Small Business Server, which, again, you also suggested! Naturally, I looked into that, and learnt that 2008 will be released in November. Yes, I believe so. I don't know if you can shed any light on that version, or whether it will still backup client data in the same way as Windows Home Server? No idea, but I find it doubtful. With AD it's far more common to store all data on the server, and nothing at all on workstations. Workstations should be viewed as somewhat interchangeable and generic, in my view. Also, I take it SBS 2008 will still work fine with HP MediaSmart Server? ] No idea...the hardware requirements will be pretty extreme. And is it installed on the server or on each client - like WHS? You install SBS2008 on your server hardware. The client OSes can be Win2k, WinXP Pro, or Vista Business. Back to the issue of folder redirection: is it possible to redirect vaious directories from multiple PCs to one directory? You don't redirect from a PC - you redirect from a profile folder, such as My Documents, Application Data, Desktop - to folders on the server, usually under a parent folder such as \\server\sharename\%username%\My Documents, etc. . And if so, what is the process when a directory or file have the same name? I'm thinking primarily about redirecting the Shared Documents paths of each PC to one 'merged' tree on the server. It doesn't work quite like that. It has nothing to do with local folders. You can set up shares on the server, and users can access them - instead of the local shares. I tend to get rid of all local shares and don't let users create them. Finally, assuming everything discussed is set up, and I decided roaming profiles were for me, would it be possible to 'merge' default Administrator accounts from PCs on the workgroup/LAN? No.... If so, how? If not, what is usually done with default accounts when a roaming Administrator account is set up? There's no roaming administrator account. There's a domain account (which is not related to your local accounts). You can set up roaming *profiles* (my lengthy post described how) but I think you're still a little unclear on AD and domain profiles - it's hard to know how to answer your questions. Thanks, by the way, for all this help! "Lanwench [MVP - Exchange]" wrote: daztrue wrote: I'm not sure what you mean by "set up a lab (either physical or virtual) and download an eval of Windows server". Can you explain? I'm not sure what's unclear, sorry. A lab is a test network. Physical means you have a bunch of machines on this test network. Virtual means you use virtualization software, such as VMWare or MS Virtual Server or ....Workstation. Eval is evaluation. Does that help to clarify? You also mentioned that I can't use Windows Home Server, which is what I envisioned getting. What's the problem there? As far as I'm aware, Windows Home Server can't be used as a domain controller. I don't use it, though. You'd want to look up documentation or post in a server group for that. Finally, you stressed folder direction (which I've also been looking into) for all data, which I wasn't planning. If you really do use roaming profiles you must use folder redirection, or it will barf at some point. My main intention for a home server (HP MediaSmart) is to redirect shared files to be available across the home network so other PCs won't need to be on, and as a backup resource. That sounds fine. However, your emphasis on tiny profiles makes me wonder whether roaming profiles are practical for my intended setup. No, and not possible, as far as I know. Nor are they necessary. Other than wanting to control everything from one profile, I want to be able to configure/set policies for individual accounts/groups, which I'm lead to believe can only be done with AD. Yes, that's correct. An important point is that I'm also intending to upgrade to Vista Ultimate. There must be some way I can do this? I don't use or support Vista, but I know Vista Business can join a domain. Don't know about Ultimate. Good luck "Lanwench [MVP - Exchange]" wrote: daztrue wrote: My instant reaction was "What's AD?", but from a combination of another forum discussion and the help file I'm guessing yo're referring to Active Directory? Yes. I certainly don't have roaming profiles at the moment as I have no server, OK. but am on the verge of getting one. I've been studying about Group Policy but need to familiarise myself more with the setting up of OUs, domain and Active Directory. Plus, of course, my original question. If you can help that'd be great! I suggest you set up a lab (either physical or virtual) and download an eval of Windows server, XP Pro, and try setting up an active directory environment. Without this there's nothing you can test or play with. You can't use Windows Home Server (if that's what you've got). MS Small Business Server would be a good place to start if you can get your hands on a copy. My boilerplate on roaming profiles is below... ******************** General tips: 1. Set up a share on the server. For example - d:\profiles, shared as profiles$ to make it hidden from browsing. Make sure this share is *not* set to allow offline files/caching! (that's on by default - disable it) 2. Make sure the share permissions on profiles$ indicate everyone=full control. Set the NTFS security to administrators, system, and users=full control. 3. In the users' ADUC properties, specify \\server\profiles$\%username% in the profiles field 4. Have each user log into the domain once - if this is an existing user with a profile you wish to keep, have them log in at their usual workstationand log out. The profile is now roaming. 5. If you want the administrators group to automatically have permissions to the profiles folders, you'll need to make the appropriate change in group policy. Look in computer configuration/administrative templates/system/user profiles - there's an option to add administrators group to the roaming profiles permissions. Do this *before* the users' roaming profile folders are created - it isn't retroactive. ******************** Notes: Make sure users understand that they should not log into multiple computers at the same time when they have roaming profiles (unless you make the profiles mandatory by renaming ntuser.dat to ntuser.man so they can't change them, which has major disadvantages),. Explain that the 'last one out wins' when it comes to uploading the final, changed copy of the profile. If you want to restrict multiple simultaneous network logins, look at LimitLogon (too much overhead for me), or this: http://www.jsifaq.com/SF/Tips/Tip.aspx?id=8768 ******************** Keep your profiles TINY. Via group policy, you should be redirecting My Documents (at the very least) - to a subfolder of the user's home directory or user folder. Also consider redirecting Desktop & Application Data similarly..... so the user will end up with: \\server\users\%username%\My Documents, \\server\users\%username%\Desktop, \\server\users\%username%\Application Data. [Alternatively, just manually re-target My Documents to \\server\users\%username% (this is not optimal, however!)] You should use folder redirection even without roaming profiles, but it's especially critical if you *are* using them. If you aren't going to also redirect the desktop using policies, tell users that they are not to store any files on the desktop or you will beat them with a stick. Big profile=slow login/logout, and possible profile corruption. ******************** Note that user profiles are not compatible between different OS versions, even between W2k/XP. Keep all your computers. Keep your workstations as identical as possible - meaning, OS version is the same, SP level is the same, app load is (as much as possible) the same. ********************* If you also have Terminal Services users, make sure you set up a different TS profile path for them in their ADUC properties - e.g., \\server\tsprofiles$\%username% ******************** Do not let people store any data locally - all data belongs on the server. ******************** The User Profile Hive Cleanup Utility should be running on all your computers. You can download it he http://www.microsoft.com/downloads/d...displaylang=en ******************** Roaming profile & folder redirection article - http://www.windowsnetworking.com/art...rver-2003.html "Lanwench [MVP - Exchange]" wrote: daztrue wrote: Is it possible for the default Administrator account to be set as a roaming profile on a home server? With multiple PCs on a home network (each with its default Administrator account), I would obviously want all of those to become one roaming account and want to know if it's possible; and if so, how to 'merge' the accounts when changing to roaming profile - and how this is safely processed. If you don't use AD, there are no roaming profiles possible. |
#14
|
|||
|
|||
Default Administrator account as roaming profile?
Hi. Yeah, I'm still at it! Although almost resigning to the fact that I'm
probably not going to have the set up I envisioned, still not quite given up! I read a bit about ADAM (which I understand is now called AD LDS), although I couldn't really get a clear picture of the 'nuts and bolts' of it, and thought you might be able to shed some light on it, and give me an idea whether or not it may be of use to me. Also, regarding the issue of newsreaders: when I followed instructions to set up in Outlook 2003, it then opens Outlook Express (which is the only option available in IE options) and won't let me proceed any further. "Lanwench [MVP - Exchange]" wrote: daztrue wrote: Hi again! Hope you're still out there! Been on different forums/sites and certainly looks like MediaSmart Server not compatible with SBS 2008. The more I delve into this (which I'm okay with) the more I'm hoping I can find a solution to simply use WHS and MediaSmart Server. I just want to be able to have 'proper' admin control over the system and individual user accounts so I can control what runs, what's accesible etc on each account. Especially with kids in mind. You'll have to deal with that on the workstation level, then. I know you said you didn't support Vista, and although I've looked into it, I'm sure you'll know more and could refer me to a similar forum, as it claims to have better admin control. Microsoft.public.vista.* These aren't forums, note - they're usenet groups, or newsgroups. Try using a newsreader instead of the web interface - it's a lot better. The following is from a post by MVP Malke ... ------------------------------------------------------- Here's information on Usenet and using a newsreader: http://www.elephantboycomputers.com/page3.html#12-09-02 - a brief explanation of newsgroups http://michaelstevenstech.com/outlo...ssnewreader.htm http://rickrogers.org/setupoe.htm http://support.microsoft.com/defaul...wto/default.asp - Set Up Newsreader http://www.dts-l.org/goodpost.htm http://www.catb.org/~esr/faqs/smart-questions.html http://aumha.org/nntp.htm - list of MS newsgroups microsoft.public.test.here - MS group to test if your newsreader is working properly http://www.mailmsg.com/SPAM_munging.htm - how to munge email address http://www.blakjak.demon.co.uk/mul_crss.htm - multiposting vs. crossposting Some newsreaders for Windows http://www.forteinc.com/agent/index.php - for Forte http://www.mozilla.org (Thunderbird does newsgroups) http://gravity.tbates.org/ ------------------------------------- Anyway, just to recap on your last reply: you explained about setting up shares on the server, so you must then redirect folders/files from numerous PCs to that share. Close. You set up shares on the server, and redirect the user profile My Documents folder (and possibly others, such as desktop etc) there. This still leaves me wondering about duplicate folders/files because if paths are being redirected from different PCs then there's the possibility of folders/files with the same name. What am I missing? Each user would have their own parent folder on the server, such as \\server\share$\%username%\My Documents, etc. . But you can't do this without active directory. You mentioned getting rid of the local shares and preventing them being created. How? There would be none by default besides the default admin share, and you would not let your users have admin rights to create shares or folders on the local hard drive. Finally, thanks for explaining about the Domain Administrator, although you didn't tell me what is usually done with the local default Administrator accounts within the domain - or whether anything can be done. You give them very good passwords "Lanwench [MVP - Exchange]" wrote: daztrue wrote: As you suggested, I've been looking on other forums and sites regarding Windows Home Server, and although it's a hot topic, the general/official concensus appears to be as you described: neither a domain controller, nor able to join one. I also learnt that it is a "subset" (which I assume means a smaller version) of MS Small Business Server, which, again, you also suggested! Naturally, I looked into that, and learnt that 2008 will be released in November. Yes, I believe so. I don't know if you can shed any light on that version, or whether it will still backup client data in the same way as Windows Home Server? No idea, but I find it doubtful. With AD it's far more common to store all data on the server, and nothing at all on workstations. Workstations should be viewed as somewhat interchangeable and generic, in my view. Also, I take it SBS 2008 will still work fine with HP MediaSmart Server? ] No idea...the hardware requirements will be pretty extreme. And is it installed on the server or on each client - like WHS? You install SBS2008 on your server hardware. The client OSes can be Win2k, WinXP Pro, or Vista Business. Back to the issue of folder redirection: is it possible to redirect vaious directories from multiple PCs to one directory? You don't redirect from a PC - you redirect from a profile folder, such as My Documents, Application Data, Desktop - to folders on the server, usually under a parent folder such as \\server\sharename\%username%\My Documents, etc. . And if so, what is the process when a directory or file have the same name? I'm thinking primarily about redirecting the Shared Documents paths of each PC to one 'merged' tree on the server. It doesn't work quite like that. It has nothing to do with local folders. You can set up shares on the server, and users can access them - instead of the local shares. I tend to get rid of all local shares and don't let users create them. Finally, assuming everything discussed is set up, and I decided roaming profiles were for me, would it be possible to 'merge' default Administrator accounts from PCs on the workgroup/LAN? No.... If so, how? If not, what is usually done with default accounts when a roaming Administrator account is set up? There's no roaming administrator account. There's a domain account (which is not related to your local accounts). You can set up roaming *profiles* (my lengthy post described how) but I think you're still a little unclear on AD and domain profiles - it's hard to know how to answer your questions. Thanks, by the way, for all this help! "Lanwench [MVP - Exchange]" wrote: daztrue wrote: I'm not sure what you mean by "set up a lab (either physical or virtual) and download an eval of Windows server". Can you explain? I'm not sure what's unclear, sorry. A lab is a test network. Physical means you have a bunch of machines on this test network. Virtual means you use virtualization software, such as VMWare or MS Virtual Server or ....Workstation. Eval is evaluation. Does that help to clarify? You also mentioned that I can't use Windows Home Server, which is what I envisioned getting. What's the problem there? As far as I'm aware, Windows Home Server can't be used as a domain controller. I don't use it, though. You'd want to look up documentation or post in a server group for that. Finally, you stressed folder direction (which I've also been looking into) for all data, which I wasn't planning. If you really do use roaming profiles you must use folder redirection, or it will barf at some point. My main intention for a home server (HP MediaSmart) is to redirect shared files to be available across the home network so other PCs won't need to be on, and as a backup resource. That sounds fine. However, your emphasis on tiny profiles makes me wonder whether roaming profiles are practical for my intended setup. No, and not possible, as far as I know. Nor are they necessary. Other than wanting to control everything from one profile, I want to be able to configure/set policies for individual accounts/groups, which I'm lead to believe can only be done with AD. Yes, that's correct. An important point is that I'm also intending to upgrade to Vista Ultimate. There must be some way I can do this? I don't use or support Vista, but I know Vista Business can join a domain. Don't know about Ultimate. Good luck "Lanwench [MVP - Exchange]" wrote: daztrue wrote: My instant reaction was "What's AD?", but from a combination of another forum discussion and the help file I'm guessing yo're referring to Active Directory? Yes. I certainly don't have roaming profiles at the moment as I have no server, OK. but am on the verge of getting one. I've been studying about Group Policy but need to familiarise myself more with the setting up of OUs, domain and Active Directory. Plus, of course, my original question. If you can help that'd be great! I suggest you set up a lab (either physical or virtual) and download an eval of Windows server, XP Pro, and try setting up an active directory environment. Without this there's nothing you can test or play with. You can't use Windows Home Server (if that's what you've got). MS Small Business Server would be a good place to start if you can get your hands on a copy. My boilerplate on roaming profiles is below... ******************** General tips: 1. Set up a share on the server. For example - d:\profiles, shared as profiles$ to make it hidden from browsing. Make sure this share is *not* set to allow offline files/caching! (that's on by default - disable it) 2. Make sure the share permissions on profiles$ indicate everyone=full control. Set the NTFS security to administrators, system, and users=full control. 3. In the users' ADUC properties, specify \\server\profiles$\%username% in the profiles field 4. Have each user log into the domain once - if this is an existing user with a profile you wish to keep, have them log in at their usual workstationand log out. The profile is now roaming. 5. If you want the administrators group to automatically have permissions to the profiles folders, you'll need to make the appropriate change in group policy. Look in computer configuration/administrative templates/system/user profiles - there's an option to add administrators group to the roaming profiles permissions. Do this *before* the users' roaming profile folders are created - it isn't retroactive. ******************** Notes: Make sure users understand that they should not log into multiple computers at the same time when they have roaming profiles (unless you make the profiles mandatory by renaming ntuser.dat to ntuser.man so they can't change them, which has major disadvantages),. Explain that the 'last one out wins' when it comes to uploading the final, changed copy of the profile. If you want to restrict multiple simultaneous network logins, look at LimitLogon (too much overhead for me), or this: http://www.jsifaq.com/SF/Tips/Tip.aspx?id=8768 ******************** Keep your profiles TINY. Via group policy, you should be redirecting My Documents (at the very least) - to a subfolder of the user's home directory or user folder. Also consider redirecting Desktop & Application Data similarly..... so the user will end up with: \\server\users\%username%\My Documents, \\server\users\%username%\Desktop, \\server\users\%username%\Application Data. [Alternatively, just manually re-target My Documents to \\server\users\%username% (this is not optimal, however!)] You should use folder redirection even without roaming profiles, but it's especially critical if you *are* using them. If you aren't going to also redirect the desktop using policies, tell users that they are not to store any files on the desktop or you will beat them with a stick. Big profile=slow login/logout, and possible profile corruption. ******************** Note that user profiles are not compatible between different OS |
Thread Tools | |
Display Modes | |
|
|