Lanwench
Thu Mar 27 08:59:22 PDT 2008
F3 <f3_evans@hotmail.com> wrote:
> LW,
>
> Thanks for the suggestions and the nod to the correct newsgroup. I'll
> be posting there primarily and possibly cross-posting here as
> necessary WRT this project.
>
> How do I force an immediate refresh/update system-wide of policy
> changes, etc.?
>
> F3
gpupdate /force
>
> Lanwench [MVP - Exchange] wrote:
>> F3 <f3_evans@hotmail.com> wrote:
>>> What's an "OU"?
>>
>> Organizational Unit. :)
>>> Yes, unfortunately, I did mess with the default policies instead of
>>> creating my own group policy objects.
>>
>> Ah. You might want to back out your changes (or restore from backup)
>> and start over, honestly. The SBS2k group is
>> microsoft.public.backoffice.smallbiz2000. I see you also posted in
>> the SBS2003 group & another server group - but SBS often does things
>> its own way....post in the most relevant group for the most expert
>> help (and remember to crosspost next time if you need to post to
>> multiple groups).
>>> Thanks.
>>>
>>> Lanwench [MVP - Exchange] wrote:
>>>> F3 <f3_evans@hotmail.com> wrote:
>>>>> I'm Running Windows 2000 Small Business Server as a PDC/DC/AD,
>>>>> DNS, and Terminal Server with a Windows 2003 Server running DHCP,
>>>>> DNS, and File Server. Clients are Windows XP Pro.
>>>>>
>>>>> On the W2K SBS, I set the default policy to include folder
>>>>> redirection of the users' "My Documents", etc. folders. In AD, I
>>>>> set the users profiles to be redirected (different path, same
>>>>> server, W2K3) as well. The redirection is not working
>>>>> consistently. I've had cases where a user logs in from one
>>>>> computer and their folders are redirected.
>>>>> The same user goes to another computer and logs in - the folders
>>>>> are NOT redirected. It is "hit and miss" as to whether the
>>>>> folders/profiles are redirected or not.
>>>>>
>>>>> What should I check to diagnose and fix these problems? What
>>>>> needs to be changed?
>>>>
>>>> When you say "default policy" what do you mean? I always suggest
>>>> creating your own group policy objects & linking them at the
>>>> appropriate OUs. Don't mess with the default policies.
>>>>
>>>> Here's my boilerplate on roaming profiles....review it & see if
>>>> anything in your setup stands out, and check your event logs &
>>>> rsop.msc output on the clients. Note that this was written with
>>>> W2003/WinXP in mind, but most of it should be the same.
>>>>
>>>> Also note that SBS does many things its own way - in the future,
>>>> you should always post SBS questions in the appropriate SBS group,
>>>> even if you crosspost to the regular groups.
>>>>
>>>> ********************
>>>> General tips:
>>>>
>>>> 1. Set up a share on the server. For example - d:\profiles, shared
>>>> as profiles$ to make it hidden from browsing. Make sure this share
>>>> is *not* set to allow offline files/caching! (that's on by default
>>>> - disable it)
>>>>
>>>> 2. Make sure the share permissions on profiles$
>>>> indicate everyone=full control. Set the NTFS security to
>>>> administrators, system, and users=full control.
>>>>
>>>> 3. In the users' ADUC properties, specify
>>>> \\server\profiles$\%username% in the profiles field
>>>>
>>>> 4. Have each user log into the domain once - if this is an existing
>>>> user with a profile you wish to keep, have them log in at their
>>>> usual workstation and log out. The profile is now roaming.
>>>>
>>>> 5. If you want the administrators group to automatically have
>>>> permissions to the profiles folders, you'll need to make the
>>>> appropriate change in group policy. Look in computer
>>>> configuration/administrative templates/system/user profiles -
>>>> there's an option to add administrators group to the roaming
>>>> profiles permissions. Do this *before* the users' roaming profile
>>>> folders are created - it isn't retroactive.
>>>>
>>>> ********************
>>>> Notes:
>>>>
>>>> Make sure users understand that they should not log into multiple
>>>> computers at the same time when they have roaming profiles (unless
>>>> you make the profiles mandatory by renaming ntuser.dat to
>>>> ntuser.man so they can't change them, which has major
>>>> disadvantages). Explain that the 'last one out wins' when it
>>>> comes to uploading the final, changed copy of the profile. If you
>>>> want to restrict multiple simultaneous network logins, look at
>>>> LimitLogon (too much overhead for me), or this:
>>>>
>>>> http://www.jsifaq.com/SF/Tips/Tip.aspx?id=8768
>>>>
>>>> ********************
>>>> Keep your profiles TINY. Via group policy, you should be
>>>> redirecting My Documents (at the very least) - to a subfolder of
>>>> the user's home directory or user folder. Also consider
>>>> redirecting Desktop & Application Data similarly..... so the user
>>>> will end up with: \\server\users\%username%\My Documents,
>>>> \\server\users\%username%\Desktop,
>>>> \\server\users\%username%\Application Data.
>>>>
>>>> [Alternatively, just manually re-target My Documents to
>>>> \\server\users\%username% (this is not optimal, however!)]
>>>>
>>>> You should use folder redirection even without roaming profiles,
>>>> but it's especially critical if you *are* using them.
>>>>
>>>> If you aren't going to also redirect the desktop using policies,
>>>> tell users that they are not to store any files on the desktop or
>>>> you will beat them with a stick. Big profile=slow login/logout,
>>>> and possible profile corruption.
>>>>
>>>> ********************
>>>> Note that user profiles are not compatible between different OS
>>>> versions, even between W2k/XP. Keep all your computers. Keep your
>>>> workstations as identical as possible - meaning, OS version is the
>>>> same, SP level is the same, app load is (as much as possible) the
>>>> same.
>>>>
>>>> ********************
>>>> If you also have Terminal Services users, make sure you set up a
>>>> different TS profile path for them in their ADUC properties - e.g.,
>>>> \\server\tsprofiles$\%username%
>>>>
>>>> ********************
>>>> Do not let people store any data locally - all data belongs on the
>>>> server.
>>>>
>>>> ********************
>>>> The User Profile Hive Cleanup Utility should be running on all
>>>> your computers. You can download it here:
>>>>
>>>> http://www.microsoft.com/downloads/details.aspx?familyid=1B286E6D-8912-4E18-B570-42470E2F3582&displaylang=en
>>>>
>>>> ********************
>>>> Roaming profile & folder redirection article -
>>>>
>>>> http://www.windowsnetworking.com/articles_tutorials/Profile-Folder-Redirection-Windows-Server-2003.html
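
Steps 1 and 2 of the quoted checklist (hidden share, offline caching off, share and NTFS permissions) can be verified from the file server with a short audit script. This is an added example, not part of the original thread; it assumes Windows Server 2012 or later, where the SmbShare cmdlets exist, an English-language system for the account names, and the post's own example share name `profiles$`.

```powershell
# Added example: audit a roaming-profile share against steps 1-2 of the checklist.
# Assumptions: Server 2012+ (SmbShare module), English account names,
# share name 'profiles$' taken from the post's example.
param([string]$ShareName = 'profiles$')

$findings = @()
$share = Get-SmbShare -Name $ShareName -ErrorAction Stop

# Step 1: the share should be hidden from browsing and must not allow offline caching.
if (-not $ShareName.EndsWith('$')) {
    $findings += ('Share {0} is not hidden (name has no trailing $)' -f $ShareName)
}
if ($share.CachingMode -ne 'None') {
    $findings += ('Offline caching is {0}, expected None' -f $share.CachingMode)
}

# Step 2a: share-level permission Everyone = Full Control.
$everyoneFull = Get-SmbShareAccess -Name $ShareName | Where-Object {
    $_.AccountName -eq 'Everyone' -and
    $_.AccessControlType -eq 'Allow' -and
    $_.AccessRight -eq 'Full'
}
if (-not $everyoneFull) {
    $findings += 'Share permission Everyone = Full Control is not present'
}

# Step 2b: NTFS security on the shared folder: Administrators, SYSTEM, Users = Full Control.
$full = [System.Security.AccessControl.FileSystemRights]::FullControl
$acl  = Get-Acl -Path $share.Path
foreach ($id in 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM', 'BUILTIN\Users') {
    $ace = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $id -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.FileSystemRights -band $full) -eq $full
    }
    if (-not $ace) {
        $findings += ('NTFS: {0} lacks Full Control on {1}' -f $id, $share.Path)
    }
}

# Report: one line per deviation, or a single confirmation line.
if ($findings.Count -eq 0) {
    "OK: $ShareName matches the checklist"
} else {
    $findings
}
```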