
Setting up a 4 PC network with Windows Server Small Business 2003

ejoech

Member
Hi, everyone. Recently purchased a server, 3 workstations, and Windows Server Small Business edition 2003. I thought it would be much easier to get up and running. Anyway, I need to set it so if I have 4 user accounts - I can login to any computer using one of those accounts and all of my documents and settings will come up. I also need to be able to restrict access to certain programs, and block users from viewing other files.

I'm under the impression that I need to do this using Active Directory. I tried fooling around with it, but when I logged into an account on Active Directory, all the files were the same as if I logged in locally. I need to know how to start a user name from scratch with only the programs I state installed.

Please help..looking for guides..or anything.

 
Can search for Roaming Profiles (I think that's the name of it) which is the part that makes the desktop and such follow you around wherever you login. I've never seen this actually used at all but that's what it's for. Otherwise you can just setup a share for each person on the server and setup their login script so that when a person logs in, it maps a certain drive to their share. That doesn't bring their desktop and such but if they save all the documents to that share, they'd have them everywhere they go. I think that's a much more popular way to do it.

 
If this is for a business I would really suggest you hire someone that knows how to setup an AD domain. It is not impossible for you to do it, but I have seen some real sloppy security settings when inexperienced people set them up. Sloppy security will most likely lead to you possibly getting hacked in some manner. Which will cost more to fix than if you hired a consultant to set it up properly now.

John
 
Yes it is for a business. netsysadmin, I respect your comment, and I don't want to seem like an ignorant fool, but I would really like to learn how to do this. What better way to learn than to actually try, right? I'm not just doing it to cut costs, I'm doing it to learn.

On that note, are there any guides out there on good security measures to take?

Werk, thanks for the link.

Let me just again clarify what I'm looking for, to be sure this is right. In school when we sat at a computer, we were presented with a login screen. We could either login locally, or to the school's domain. If I logged into the school's domain, for example, the ONLY applications I could run were Internet Explorer and Microsoft Word. If I tried to browse files, the only folder I would be allowed to view was my personal home folder.

Thanks for all the help. I'm going to get right on it..keep posting if anyone has any other thoughts.

thanks.

Sage
 
Do you work for or own the business? Because if you set this up and something bad happens you could be placed liable for the damages...I am just warning you. I understand everyone has to start somewhere, but the best place to start is not a functioning business that you could jeopardize by making a mistake. You should really be doing the experimenting at home where if you mess up you start from scratch without causing any harm.

I do consulting work for businesses that I now think twice about doing business with because of their computer setups. Who wants to do business with a company that could possibly leave a security hole that will allow your personal or financial info records out to the general public or worse a thief? I am just trying to look out for your best interests. Why not hire a pro to do the initial setup and then you can learn from there. Windows Active Directory is not easy, even most experienced administrators will tell you it can be a pain in the ass for the beginner or even the experienced person!

What exactly is the type of business and what are you going to need the computers to do? Do you just need a file server with a small domain setup or are you going to try and setup Exchange server and host your own email and websites?

FYI...If you setup an AD Domain you want the users to login only to the domain. You do not want to have any local user accounts on the machines except for the admin account with a very strong password. This account allows you a method of getting into the workstation in case the domain goes down or gets destroyed for some reason. It is only used as a backup.

Good Luck!

John
 
John,

Thanks for your quick reply!

Yes I work for this company, and yes I'm aware that it is not very smart to take on a project without having the know-how to set it up properly on the first run.

However, I do have a very strong personal relationship with this company, they're not new clients by any means. Also, I know exactly where and what files they need, so I'm not really concerned about messing up their network. Again I appreciate your efforts and while my brain says I should listen to you, I'd still really rather figure it out on my own. Please don't take it the wrong way. I spent a few hours last night with 2k3 Server, initial set up and such. I felt pretty comfortable with it, just wasn't sure how to set up roaming profiles (which I now know the proper name of 🙂).

I also have some "Learn Windows 2003 Server" videos that I've learned a lot from. Unfortunately they don't get into roaming profiles.

Anyway, the business is a small kitchen & home design company.

What I'm looking for is the following:

1 Server - Would like to run as a server and also allow logins to the domain. The main secretary will use this computer for all of her work. I'm not 100% sure if this can be accomplished - that's going to have to be another topic, but I was going to try, and if not, swap in another computer that they have at the office and set the server up solely as a server.
The server needs VPN capabilities as well, but again, that's another topic 🙂

3 workstations - For now there will be 4 user accounts, plus ADMIN.

Two accounts need pretty much full access, no restrictions. Need to run Office (esp. OUTLOOK)/Internet/QuickBooks. They need to be able to view all files created by the other users.

The other two accounts need a much more restricted setup. They should only be allowed to run a kitchen design program and internet explorer, nothing else. I need to set these accounts up so they can't install programs, view other files than their own, etc.

Just to get it all out there, the two main accounts both need to use Outlook and be able to share Calendar and Contacts. No email will be used on the network.
I'm not sure the best way to set it up so they can both view the same calendar and contacts, haven't done much research into this but if you want to help out, go ahead 🙂

And Yes, I planned on not having any local accounts, just the admin.


John, I cannot thank you enough for your help. I hope this post was clear enough for you. You've already done plenty, anything else you can help out with is greatly appreciated!

Thanks,

Sage


 
First thing I will suggest to you strongly is to setup the server machine and do not let anyone use it as a workstation ever! The only work you want to do on the "server" machine is network administration type work. It does not take much for a user to destroy a machine and cause you to reload it. In an AD domain type setup that would be terrible since the person would be destroying your whole structure. Oh and setup the computers so the users will store all data on the server and not on their own workstations.

Second item I will touch on is roaming profiles. Are your users going to be swapping computers a lot, or will they typically only be using one computer that will be designated as theirs and maybe the other one if their regular computer goes down? If they usually only use a computer that is say in their office I would recommend that you try to stay away from roaming profiles since they will give you more problems in the long run than benefits.

Last thing for now would be to plan for some form of a backup strategy for the server machine. I suggest that you try and buy something that will backup your network and allow it to do it automatically. I see a lot of people trying to rely on CDs or DVDs to backup to manually only to get burned by forgetting to do the backup. Check out Iomega's new drive called the "REV" drive. It can store a lot of data, but does not cost a fortune.

John
 
You're setting yourself up for an awful lot of work. Not the initial setup. The repair time once it breaks, IF it's ever set up correctly. You don't learn on production environments, at least not on the architecture of the AD network.
 
John,

As far as the server being used as a workstation - if using the AD domain setup, wouldn't they just login to the domain, as if using from any other computer? I'm not talking about letting them use the local admin account..just connecting to the domain.

Roaming profiles - Correct. They will have their own computers but may have to use another one if need be. Also they will have to use VPN - can this be done without roaming profiles?

Sorry, I'm still a bit confused. If I don't use roaming profiles, how can I allow one user to access Quickbooks/Office/internet/any other app + all data, but then on the same computer restrict another user to access only office and internet? I guess I'll have to fool around with it more, but last night when I tried, I created two accounts on AD. When logging into both of them on a workstation, I was given access to the same programs/files as if I logged on locally. Same desktop and everything.

Yes, I have a tape backup system already installed, I have not configured it yet because I've been trying to get this working first. Thanks though!

Ktwebb - Thanks for the words of wisdom. You're right, I probably am making a mistake, but, I'd still like to try. Thanks.


Thanks for all the help!
 
Also, on the Learn Server 2003 videos that I have, the guy uses the "Manage your Server" for adding/removing/managing roles. It seems very easy to do. If I go to manage your server, I don't see "roles" mentioned at all. It brings me to a management console - does the same thing, just not quite as user friendly. I was wondering why this is? Perhaps because I have SBE?

Thanks so much.
 
You do not want any users to log in to the "server" machine ever!! Even as domain users if a user infects the machine with a virus or manages to delete some files they can single-handedly destroy your AD structure.

You don't need roaming profiles to do what you are trying to do. What you do is install quickbooks on the particular machine and then remove the startup icons in the profile folders for those users that you don't want using Quickbooks. You will also want to setup the permissions of the Quickbooks folder on that machine to restrict it to only the users that you want using Quickbooks to have access to those folders. The same goes for all other programs such as Internet Explorer. You can also setup group policies that restrict what the individual user can see and do.

There is tons and tons to learn. You really should consider hiring someone to do the initial setup. Trust me it is worth it!

John
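
Added example, not part of the original thread: the post above separates hiding a program (removing its shortcuts) from restricting it (NTFS permissions on its folder), and only the second is an access control. The permission change in PowerShell, assuming PowerShell is installed on the workstation and the script runs as an administrator; the function name, the install path and the `EXAMPLE\QuickBooksUsers` group are hypothetical placeholders.

```powershell
# Added example. Assumed names (not from the thread): the install path and the
# EXAMPLE\QuickBooksUsers domain group holding the accounts allowed to run it.
function Restrict-ProgramFolder {
    param(
        [string]$Path,          # program folder on the workstation
        [string]$AllowedGroup   # domain group that may run the program
    )
    if (-not (Test-Path $Path)) { throw "Folder not found: $Path" }

    $acl = Get-Acl $Path

    # Program Files normally hands the built-in Users group read/execute by
    # inheritance, so adding an allow entry alone restricts nothing.
    # $true  = stop inheriting from the parent folder
    # $false = do not keep copies of the inherited entries
    $acl.SetAccessRuleProtection($true, $false)

    # Remove explicit entries already on the folder so only the list below remains.
    foreach ($old in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        [void]$acl.RemoveAccessRuleSpecific($old)
    }

    $inherit = [System.Security.AccessControl.InheritanceFlags]"ContainerInherit, ObjectInherit"
    $none    = [System.Security.AccessControl.PropagationFlags]::None
    $allow   = [System.Security.AccessControl.AccessControlType]::Allow

    # ReadAndExecute is enough to launch a program; grant Modify only if the
    # application has to write inside its own folder.
    $entries = @(
        @("BUILTIN\Administrators", "FullControl"),
        @("NT AUTHORITY\SYSTEM",    "FullControl"),
        @($AllowedGroup,            "ReadAndExecute")
    )
    foreach ($entry in $entries) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $entry[0], $entry[1], $inherit, $none, $allow)
        $acl.AddAccessRule($rule)
    }

    Set-Acl -Path $Path -AclObject $acl

    # Read the ACL back from disk so the result can be checked, not assumed.
    (Get-Acl $Path).Access | Select-Object IdentityReference, FileSystemRights, IsInherited
}

Restrict-ProgramFolder -Path "C:\Program Files\Intuit\QuickBooks" -AllowedGroup "EXAMPLE\QuickBooksUsers"
```

Log in as one of the restricted accounts afterwards and confirm the program folder cannot be opened; the listing the function prints should show no entry for the built-in Users group.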
 
John,

I should hire you 🙂 Seriously, you've been a great help. I hope I didn't ask too much. I may be setting myself up here, but I'm actually feeling pretty confident based on how far I got last night and what I've learned so far in this thread (a lot!).

Thanks for everything!
 
Just got back from the office. Another long night. Seemed to go quite smoothly, I think. No problems, just time consuming. Got terminal services up and running at least. Messed around more with AD - users, policies, profiles.

I found out why when I created a new account, it still appeared as if I logged in locally. The ALL USERS profile had all of the desktop shortcuts and program files.

I'm feeling a bit more confident about the whole situation...it seems to be working out okay.

Thanks again for all your help, John. I respect and appreciate you advising me to hire someone else, I'm just too stubborn 🙂
 