WIN2K- Setting Up User Profiles/Restrictions and the works

abracadabra1

Diamond Member
Nov 18, 1999
3,879
1
0
hey there fellas.
wondering if you could help guide me or better yet, point me in any direction where i can find information on win2k script writing, already written scripts and guides how to set this baby up and tweak her.
also, most importantly, i need to find information on setting up user profiles/restrictions and the rest of those administrative goodies win2k's able to do.
any help is greatly appreciated- thx!

 

GT1999

Diamond Member
Oct 10, 1999
5,261
1
71
Well, I'm not much of a script guy, but I do know how to set up the User Profiles and passwords for Win2000. I've had a lot of experience with it and I'll spill the most important stuff here.

First of all, are you going to have multiple computers with the same User Profiles? If not, skip this paragraph. :) The best thing to do in this situation is to have one of the computers to do the domain logging (WINS server). You will add the WINS server's IP address into all of the computers' network settings (LAN connection -> Advanced.. WINS server: IP address). From there you will need to enter the users in the Username and Password manager for domains on the WINS server. Note that you'll need a Server operating system for all of this, such as NT 4.0 Server, or Win2000 Adv. Server.

Ok, only one computer, or not Server OS? No problem. If you have multiple computers it will be a bit more of a pain since you won't be able to do Domain logins, but it will work. All you need to do is go to the Usernames and Passwords under your start menu and add in the appropriate user names and passwords. If you want to put restrictions on certain users, simply make them "Users" or "Power Users". Also make sure to enable "Hit Ctrl+Alt+Del at login". This will eliminate some security risks. Almost all 'real' programs will only be able to be installed when you're Administrator. Once you've done that you can set up a batch file that is run at startup on EVERY profile that might look like the following:

@echo off
rem /q deletes without asking for confirmation; del switches take a forward slash
del /q "c:\temp\*.*"
del /q "c:\winnt\profiles\cios\personal\*.*"
del /q "c:\ietemp\*.*"

What's really useful in Win2000 is under WINNT/Profiles/ you can use the "All Users" folder for important documents that you want all of the users to have. You can also throw restrictions and such with that folder, but I think I'm already making this too long.

Good luck.

G|T
 

abracadabra1

thx for the reply bud.
i know how to setup the user account and how to set them to restricted and assign them a group, but how do i restrict access to areas like network neighborhood, my computer, control panel, and other sensitive areas?
how do i eliminate the start/run command and start/settings command?
how do each of the boxes of the restrictions for a folder work? what does each do?
thx a lot for the help.

win2kpro, not multiple computers, at least not for now.

thx again
 

GT1999

Once you select a level (User, Power User, Backup Operators, etc) it will automatically give a restriction. Obviously, a Guest won't have as many options as a Power User or Administrator. Sensitive areas that you mentioned are automatically blocked off if they are deemed sensitive; by Microsoft. :) As an example, I am now logged in under my profile under a certain machine on our domain. I went to the Users and Passwords CP, and the following screen appeared:



<< You must be a member of the Administrators group on this computer to open the Users and Passwords control panel. You are logged in as UTI\tlarmon, which is not a member of the Administrators group. >>



It then prompts for you to enter the administrator's password. Other functions, such as changing the date and time, are denied for certain groups, such as Users. Network settings and even installing programs is restricted when you are a User, hence the name User, you are only allowed to use the computer, not manipulate it. If you're worried about clutter, you could use a batch file like I mentioned above, and limit IE temp internet files. It sounds like you're also worried about blocking the "start/run command". There are many programs that can be run from run, but ones that can be malicious to the system are usually blocked for normal users. I'm sure there are advanced security programs out there that you might want to consider, if security is really an issue; but if you're just talking about trustworthy family members, Win2000's default permissions for certain user groups should be fine.

I hope this helps,

G|T

 

abracadabra1

thx again dood, appreciate it a lot.
last little question about that batch file.
so i made a batch file, named it autoexec.bat and put it in my e:\ (ntfs file system) drive. i told windows to load the autoexec.bat file on startup (used x-setup for that). the computer boots...nothing runs...hmmm

also, i used the lines you gave and adjusted them to my settings (e.g. changed path to fit my computer) and the batch file when run manually would request whether or not i wanted the files deleted, thereafter, when i checked the directory files were still there.
also, it could understand the /q command properly.

thx again!
 

GT1999

Hrm.. that certainly is odd. I set that batch file up on a NT 4 machine at school, so it could be that Win2000 doesn't recognize that command properly. You might want to try it without the /q (quick delete). Otherwise, you could just manually delete the temp dir every once in a while. For the temp internet settings you could just set the max avail space on the drive to 5 or so meg to keep the clutter down. I'm on dialup and I find it to not cause a huge performance drop while going online.. most of the content you browse is new anyway.

But at least we got all of the user profile stuff covered. :)

Sorry I couldn't help more with the batch file..

G|T
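
Added example, not part of any post in this thread: a version of the logon cleanup batch file discussed above that deletes without prompting. The directory names are taken from the earlier post, and the :clean helper is a name chosen here for illustration.

```batch
@echo off
rem Added example: cleanup script meant to run at each logon.
rem Directories come from the post above; adjust them to the machine.
setlocal
call :clean "c:\temp"
call :clean "c:\ietemp"
endlocal
goto :eof

:clean
rem %~1 is the first argument with its surrounding quotes removed.
if not exist "%~1\" (
    echo skipped, not found: %~1
    goto :eof
)
rem del takes switches with a forward slash. Written as \q the token is
rem parsed as a file path, no quiet switch is set, and del asks
rem "Are you sure (Y/N)?" for the *.* wildcard.
rem /q = quiet (no prompt), /f = also delete read-only files.
del /f /q "%~1\*.*"
goto :eof
```

Windows 2000 does not execute autoexec.bat at boot, so place the script (or a shortcut to it) in the All Users Startup folder or assign it as a logon script. Keep it somewhere only Administrators can write, since it runs in every user's session.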
 

stash

Diamond Member
Jun 22, 2000
5,468
0
0
I need to point out that if you are running a domain with only windows 2000 machines (ie win2k server and win2k pro workstations) then you do not need to install WINS. Run dcpromo to install Active Directory, and DDNS will take care of the rest. Just make sure the clients' primary DNS is set to the domain controller.

You can then use the group policy snap in to configure permissions galore for all of your users.
 

GT1999



<< Just make sure the clients' primary DNS is set to the domain controller. >>



This would be just a BIT of a problem for the machines to resolve DNS, don't you think? When your primary domain controller is an NT 4 Server based system (in my scenario) that runs on the network as just the WINS server, DNS is held by other machines (Pri/Sec DNS servers running Linux, all DNS points to these machines' IPs). Would this leave the workstations looking at the domain controller as if it is the pri DNS server, which it isn't? Also, you don't "Install WINS" as you put it, you simply add the domain controller's IP address into each workstation - if that's what you meant, I misread. From there, you can add your primary (and secondary, if available) DNS servers accordingly.

Now, I might have it wrong with the whole WINS/DNS scenario - but as far as I know a DNS server is fairly important when browsing the 'net, so you are able to resolve IPs. I'm unaware of whether adding the domain controller's IP into the primary DNS would work; it might, but I just can't see HOW. If you know LMK, because this interests me.
 

stash

You do not understand, and you are confusing terms. WINS is in fact installed, usually on the domain controller--this is why you put the domain controller's IP address in the network properties on the clients--it points to the service running on the domain controller.

Secondly, since it seemed like the original question was on setting up a domain, I suggested that if all the computers in the domain are win2k, you do not need WINS running on the domain controller. Active Directory and the Dynamic DNS that goes with it is all you need--you run dcpromo to upgrade the server to an AD domain controller, and it installs DDNS. Next point the clients' primary DNS to that server. If they are win2k clients, they will automatically be entered in the DNS database.

WINS is an antiquated name resolution system that, ironically, has been redone to its best yet, only just at the time that it is being phased out by Microsoft. DNS and specifically DDNS is the wave of the future, because of its simply hierarchical structure.

In your scenario, with dns running on non-windows boxes, you would point the clients to those boxes, and yes, you would probably need WINS running somewhere for windows name resolution. My only suggestion was for a native mode, windows2000 domain, with just DNS running on the domain controller.

In fact, now that I think about it, you only need DNS, and not Active Directory. DNS alone in win2k server is by default Dynamic, so its simplicity can be used without the complexity of AD.
 

GT1999



<< In your scenario, with dns running on non-windows boxes, you would point the clients to those boxes, and yes, you would probably need WINS running somewhere for windows name resolution. My only suggestion was for a native mode, windows2000 domain, with just DNS running on the domain controller >>



Exactly what I was looking for. I understand how DNS works, but I'm quite ignorant when it comes to WINS. Thanks for the clarification.

G|T