Shortcuts on Desktops using Active Directory

JBellMCSE

Junior Member
Apr 27, 2004
Okay, I am in the middle of planning a huge Active Directory/Exchange 2000 rollout for my company. We are running 3 DCs at the HQ. 2 of them Windows 2000 (one of which is the Exchange server) and one Windows 2003. We have 14 branches, (mixed Windows XP and Windows 2000 Machines) but none of our network is meshed. Basically a point to point connection to each branch. Kind of a star shaped network. We are running Frame Relay and do not have the best bandwidth in the world. We are going to have a file server at each branch. I was thinking of making each of these a global catalog server also. Any suggestions? We have many programs that will run off of the file servers through shortcuts on the users' desktops. I know I can make a logon script and apply it through group policy out to the desktops. I've done this for certain files, but never for shortcuts. It doesn't seem to work in my test domain. This is what I am doing....

1. Making shortcut of program
2. Putting shortcut in a shared folder
3. Writing batch file...

copy "\\test-dc1\shortcuts\homeland.ink" "C:\documents and settings\all users\desktop"

4. Save this as a .bat file
5. In AD users and computers, I apply it as a logon script in group policy to the OU that I want.
6. Wait for replication
7. Logon as user in correct OU
8. Get nothing................................

Any suggestions?
Any help would be appreciated
 

Diaonic

Senior member
May 3, 2002
You could just use "Net Use" and mount a volume. They would have to browse to My Computer to see the volume but that's not that hard.

Here's an example

net use p: \\servername\directory /persistent:no

Obviously you would put whatever drive letter, servername and directory you want.

Not sure if this helps.
 

Woodie

Platinum Member
Mar 27, 2001
So many things...

1. 3 DCs is NOT a huge rollout. (we have >150, and we're not that big)
2. Putting file/print/ANY application on a DC is generally NOT a good idea. Keep in mind that a GC is a DC, so now you're increasing the number of DCs (which is probably a good idea), but mixing the applications running on your servers. BTST, it'll get ugly.
3. Since you're limited on bandwidth to your field offices, you'll want to put a DC into each office that meets certain criteria: typically the number of users. We use 25. (If you have more than 25 users in the office, then you get a DC. If you have more than 300, or you're a critical business site, then you get 2 DCs).
4. Script: Non-administrators don't have the WRITE privilege to the "All Users" folders. You would really want to write that more as a:
copy \\sourcestuff\ "%USERPROFILE%\Desktop"
But, do you want EVERY user, running a networked FILE COPY every time they log in? How 'bout you do it once in build/first login, and then stop?

oh yeah: Do yourself a favor: do NOT run Exchange on a DC!
 

JBellMCSE

Junior Member
Apr 27, 2004
Cool, thanks guys. Well, okay the rollout is not HUGE! LOL It's just that, the network now is set up basically like a HUGE workgroup. The people log in with the name of the PC. There is NO security whatsoever. Nothing is central. We have to do sneakernet to each PC. About 400 PCs. LOL! That .ink thing is probably what's getting me. I will definitely use that "net use" script. Yah, and no it probably wouldn't be a good idea to have them pull it every time. Certainly some great tips guys. Thanks very much. I'm just trying to get all of this in order. Okay, so do NOT run Exchange on a DC. Any reasoning behind this? Our branches have maybe at the most 50 hosts.
 

Woodie

Platinum Member
Mar 27, 2001
Mixing applications and authentication is just a bad idea.

When you have a DC problem, and need to apply a hotfix, you now have to wait for the email team to complete the testing on their server, before you can fix your problem. Email is particularly bad, because it's such a visible, mission-critical application. Introducing delays, or even refusing to apply patches will become a headache over time, particularly with security patches/hacks coming out so frequently.

FWIW, we have > 25,000 user accounts, with 90%+ of them having/using email on just two Exchange servers. We even had to add two additional DCs, segregated for sole use by the Exchange servers. I wouldn't recommend this configuration for so many users, based on our experience.

For your apparent size, I would guess that centralized Exchange (on non-DCs) would be appropriate, with some remote DCs at the larger sites. Because of your limited bandwidth, you'll probably want to schedule replication, but I wouldn't anticipate huge problems there. I would check w/ your network folks, and see if port contention is an issue w/ the frame relay network. That's one of our recurrent problem points.
 

JBellMCSE

Junior Member
Apr 27, 2004
Okay, what exactly did you mean by this.....


4. Script: Non-administrators don't have the WRITE privilege to the "All Users" folders. You would really want to write that more as a:
copy \\sourcestuff\ "%USERPROFILE%\Desktop"
But, do you want EVERY user, running a networked FILE COPY every time they log in? How 'bout you do it once in build/first login, and then stop?


I'm an Admin for the domain. How do I do the "build/first login and then stop"? Will it just pull it once and that's it?

I just want to make it as easy as possible for the users to access their own private folders, the public folder for the department and access the shortcuts to programs running on the server. How can I do this?
 

Woodie

Platinum Member
Mar 27, 2001
Explanation:
Logon scripts run in the security context of the USER, so only have the USERs privileges. Most USERs do not have ADMINISTRATOR privileges on their workstation.
The %USERPROFILE% is a default environment variable, that points to c:\Docs & settings\USERID. (on your workstations, run CMD, then SET to display the environment variables)

Solution:
I don't know.
You can add keys to the registry, to the RunOnce key.
I would try this first:
Since the login script will be cached on the clients (courtesy of the GPO), that script will only get pulled back down if the GPO changes.
So, in your script, do:
ifexist c:\%userprofile%\desktop\shortcut.lnk then next
else copy \\source\files c:\%userprofile%\Desktop\
This way, if the user ever deletes it, it'll show up again the next time they logon. :)
 

JBellMCSE

Junior Member
Apr 27, 2004
I really appreciate your advice. I get what you mean about the Administrative rights now. How do you, in your network, allow users to access these types of things?

So in the script I can do this exactly?

ifexist c:\%userprofile%\desktop\shortcut.lnk then next
else copy \\source\files c:\%userprofile%\Desktop\


Replacing the source of course. I'm sorry, I'm new to making scripts.
 

Woodie

Platinum Member
Mar 27, 2001
NO! script text will depend on the language you're using.
batch is different from perl which is different from vbs

Since you obviously don't have/know perl, then I'd lean towards vbs...much more functionality than batch, even though there's a learning curve.
 

JBellMCSE

Junior Member
Apr 27, 2004
Cool! The net use works fantastic for mapping the public folder in each department for each department. I am trying to map the home folder of each user to the user as a mapped drive. Here is my batch script


@ECHO OFF

net use z: "\\test-dc2\%USERPROFILE%"




Doesn't work.
 

Woodie

Platinum Member
Mar 27, 2001
of course not. %USERPROFILE% expands out:

USERPROFILE=C:\Documents and Settings\USERID
so, your net use is:
net use z: "\\test-dc2\C:\Documents and Settings\USERID"

Can't do that. Need something else, like:
net use z: \\test-dc2\%USERNAME%
...as long as you create sharepoints for each USERNAME on the server.

btw, are you an MCSE?
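
Added example (not part of any post in this thread): a batch logon script that puts together the points made above, copying the shortcut only when it is missing and only into the logged-on user's own desktop, then mapping the home share by %USERNAME%. The server and share names are the thread's test-domain names; the .lnk extension, the log file name and the existence of a per-user share on test-dc2 are assumptions.

```batch
@echo off
rem Added example, not code from the thread.
rem A logon script runs in the security context of the user, so it
rem writes only to locations that user owns (never "All Users").
setlocal

rem Assumption: the shortcut on the share really ends in .lnk (letter L).
set "SRC=\\test-dc1\shortcuts\homeland.lnk"
set "DST=%USERPROFILE%\Desktop\homeland.lnk"

rem Assumption: hypothetical per-user log file for failed steps.
set "LOG=%TEMP%\logon-script.log"

rem Copy only when the shortcut is missing, so an ordinary logon does
rem no file copy over the branch link. If the user deletes the
rem shortcut, it comes back at the next logon.
if not exist "%DST%" (
    copy /y "%SRC%" "%DST%" >nul
    if errorlevel 1 echo %DATE% %TIME% copy of "%SRC%" failed>>"%LOG%"
)

rem Map the home share by account name. %USERPROFILE% is a local path
rem (C:\Documents and Settings\USERID) and cannot be used in a UNC path.
rem Assumption: a share named after each account exists on test-dc2.
if not exist Z:\ (
    net use Z: "\\test-dc2\%USERNAME%" /persistent:no >nul 2>&1
    if errorlevel 1 echo %DATE% %TIME% net use Z: failed>>"%LOG%"
)

endlocal
```

Because nothing here needs administrator rights, the script does not require loosening permissions on the workstation to make it work.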
 

JBellMCSE

Junior Member
Apr 27, 2004
Heh, sorry man! Yes I am an MCSE but I never learned how to make logon scripts. I learned what they do, but never actually how to make them. I know how to implement them into the network, but not the correct way to make them. Kinda strange, from what I learned, they had about two paragraphs on logon scripts and then moved on. This is the first time I am actually trying to use them.
 

Woodie

Platinum Member
Mar 27, 2001
spend the time, learn how to use vbs. *VERY* useful for managing/monitoring:
Exchange
Workstations
Servers
Inventory
hardware
Active Directory
Certificate Authority
WMI
User Environment
ADSI usage
Provisioning/deprovisioning
etc...
 

TiziteLayinLow

Senior member
Aug 18, 2003
I'm just a college kid learning MS servers.. but I know VB which is basically vbs.. and it is very helpful with almost anything that I want to do.. with the usage of API you can control almost anything that is on your system .. implementation over a large network to handle things would help extremely well...

for example right now I am working at Best Buy as a technician and when the sales guys sell a computer they try to get the security package.. so I wrote a program that will stay on our file server and run remotely.. no need to install..

it will ask for a Norton antivirus cd key.. you put that in.. and it looks in the registry for updated hotfixes and if they aren't there it installs them.. installs the Norton from the files on the server, sets the homepage for the user, deletes all the BS icons, and tweaks some Win XP settings.. this is just the most recent example that I can think of..

as far as DC and things like that.. I've never learned how to even set up a server on domain based .. my home is set up as workgroup .. but I'm excited to learn which I will be learning in the fall quarter of this year.. and hopefully getting MCSE.. any sites you guys have to prepare me .. any basic tutorials on domain controlled networks let me know.. like I said I'm an extreme noob to MS server based equipment so something for my level..

good luck with your network.