Windows 2000 Server config ...

b4u

Golden Member
Nov 8, 2002
1,380
2
81
Hi,

I recently installed a small network, composed of:

1 Windows 2000 Server (Server :))
3 Windows 2000 Professional (Workstations)

On the server, I installed Active Directory, and DHCP. I created the IP scopes, the user profiles, and it seems to be working fine ...

... but I would like to ask some questions:

[1] Just to be sure, the DNS service on the server was installed with Active Directory, right?

[2] I would like for the users (or some of them) to have a given network resource (a documents folder on the server) mapped as a network drive, like H: pointing at \\SRV00\Share_Docs\. How do I make it? I know I can access it through the network, right-click the shared folder, and select "Map Network Drive", but that would have to be done for ALL user profiles ... there seems to be a way of making it through a script, attached to the user (or user group) itself ... on any computer he connects to, at any time, the drive will be mapped in "My Computer" (if the resource is not available, it will have a red cross on it)

[3] Is there a way of making the user preferences be saved in the server, under his user profile? For example, if I change my view folder settings, or even the background picture, when I connect through another computer, I will have to set them all again ... (personal settings are saved on the workstation itself). But if it could be saved on the server, any computer I connect through, will get this settings FROM the server.

[4] I installed WinZip 8.1 on a workstation; the user had Administrator privileges. The installation did not ask whether I want to install for that specific user, or for all users. After install, I registered the product (entered user/serial). When I log in with another user, I can see the files with the zip icon attached, but when I try to open them (or just open WinZip from the menu), the WinZip installation pops up again ... this happens the first time I access WinZip, for any user ... after installation, it works fine from there ... but I already installed it in the first place with the Administrator user ... any clues?


Thank you for your attention.
 

yruffostsif

Senior member
Sep 8, 2003
233
0
0
1) DNS was installed because Active Directory requires it.

2) Create the share on the server. In Winnt\Sysvol\sysvol\[YOUR DOMAIN NAME HERE]\scripts, create a batch file that maps the network drive, for example logon.bat:

@echo off
rem Drop any stale H: mapping, then map H: to the shared documents folder
net use H: /delete
net use H: \\SRV00\Share_Docs

In Active Directory Users and Computers, right-click the user and select Properties. On the Profile tab, enter logon.bat in the box next to Logon Script:. Repeat for each user.

Alternatively you can set up shared folders for each user and, in ADUC, use the Connect To option under Home Folder. Select a drive letter, then enter: \\SERVERNAME\%USERNAME%

The logon.bat would then look like this:

@echo off
rem Drop any stale H: mapping, then map H: to the home folder defined in ADUC
net use H: /delete
net use H: /HOME

I would take this a step further and apply a GPO to your users that redirects their My Documents to their home directory. That way every save dialog would point to your network share and thus hopefully all their files would be centralized. Of course, if you don't back up the server, then it's kind of pointless.

3) That would be accomplished by using roaming profiles. Under the Profile tab of the user, set the profile path to: \\SERVERNAME\Profiles\%USERNAME%
Make sure you have a share set up on the server called Profiles and share it using permissions that allow the user to change. The client will set the NTFS permissions the first time it saves the profile.

4) WinZip is user specific; its config lies in the HKCU registry path, not HKLM. So every time a new user logs in and runs it, you'll get the setup dialog again. A quick fix around this is to change the profile settings for the default user. I'm not going to get really detailed, but this is how you accomplish it:

1 - Set up a user with all the settings you like. Reboot.
2 - In the Documents and Settings folder, find the user you used, open the folder, select all the contents of the folder, copy.
3 - Find the Default User folder under Documents and Settings. Delete all the contents. Paste the contents you just copied.
4 - Now when a new user logs in, you will get about 95% of the settings you set up.
Tips: Create a new local account, not a domain account, when you do this. Remove the local account when you're done.

Any more detailed instructions can be found using Google. I posted this from memory, so it may not be 100% accurate, and there are always many other ways to accomplish the same goal.

 

SoulAssassin

Diamond Member
Feb 1, 2001
6,135
2
0
No offense b4u but I think I'm going to stop answering questions like this because if you're able to acquire a copy of 2KAS and figure out how to install AD then you should be able to figure stuff like this out. There's too many knuckleheads running domains out there.
 

spyordie007

Diamond Member
May 28, 2001
6,229
0
0
Generally I would agree with that, but I usually will give them the benefit of the doubt with questions like this because they are often students who are looking to understand it better.

On the other hand if they are students looking to learn it we should let them break it a few times because they will learn it much quicker that way...


-Spy
 

SoulAssassin

Diamond Member
Feb 1, 2001
6,135
2
0
Originally posted by: yruffostsif


3) That would be accomplished by using roaming profiles. Under the Profile tab of the user, set the profile path to: \\SERVERNAME\Profiles\%USERNAME%
Make sure you have a share set up on the server called Profiles and share it using permissions that allow the user to change. The client will set the NTFS permissions the first time it saves the profile.

Applying change permissions at the share level would grant users change access to other users' profiles (and possibly their My Documents folder, depending on where you're redirecting it to). A malicious user or someone who thinks they know what they're doing may eventually figure this out and wreak havoc. Apply Authenticated Users or Everyone read at the share level and either write a script to create and xcacls the user's directory or have an admin permission it manually, depending on the number of users. It's a b!tch but it's the "right" way to do it.

spyordie007

You might be right. I just have a feeling half the people don't bother to investigate the problem first and are just looking for an easy way out.
 

b4u

Golden Member
Nov 8, 2002
1,380
2
81
Offence NOT taken SoulAssassin :), but yes you're right, I did the most difficult part, which was to configure all the stuff together ... maybe I would just have to spend a little more time around ADUC :eek:

And yes, I broke my head a few times to set up this LAN properly :) I have never configured a server from scratch, only partially (basic management, mainly).


But the replies not only cleared up my mind, but gave me some more ideas to setup, and a few more topics for me to google for.

I just don't like to run a wizard and next-next-next-next-finish ... I really like to understand exactly how it works, because as you all know, when problems arise, that's when men (and women :D) distinguish (sp?) from each other :)


Thanks to all :)
 

yruffostsif

Senior member
Sep 8, 2003
233
0
0
Applying change permissions at the share level would grant users change access to other users' profiles (and possibly their My Documents folder, depending on where you're redirecting it to). A malicious user or someone who thinks they know what they're doing may eventually figure this out and wreak havoc. Apply Authenticated Users or Everyone read at the share level and either write a script to create and xcacls the user's directory or have an admin permission it manually, depending on the number of users. It's a b!tch but it's the "right" way to do it.

If you have a malicious user on a home network, I would suggest beating the living $|-|I7 out of them.

Applying change permissions at the share level for the roaming profiles share is a must. It can be set to Domain Users, Authenticated Users, or even per user, but the share permission cannot be read. NTFS permissions that are exclusive to the user are set on the individual user's profile folder after the first use. Not even an administrator can access those files. If need be, an administrator can take ownership and add an account to the NTFS permissions.
 

spyordie007

Diamond Member
May 28, 2001
6,229
0
0
Originally posted by: yruffostsif
Applying change permissions at the share level would grant users change access to other users' profiles (and possibly their My Documents folder, depending on where you're redirecting it to). A malicious user or someone who thinks they know what they're doing may eventually figure this out and wreak havoc. Apply Authenticated Users or Everyone read at the share level and either write a script to create and xcacls the user's directory or have an admin permission it manually, depending on the number of users. It's a b!tch but it's the "right" way to do it.

If you have a malicious user on a home network, I would suggest beating the living $|-|I7 out of them.

Applying change permissions at the share level for the roaming profiles share is a must. It can be set to Domain Users, Authenticated Users, or even per user, but the share permission cannot be read. NTFS permissions that are exclusive to the user are set on the individual user's profile folder after the first use. Not even an administrator can access those files. If need be, an administrator can take ownership and add an account to the NTFS permissions.

So you're recommending that the users get read/write/change permission privileges but not read permission (I'm assuming only to child objects and not the parent)? By your saying that the permissions are set exclusive to the user upon first use, it sounds fairly straightforward. This sounds like it would work fine, considering that once they have created a folder and set the permissions on the folder (self full control) only they could get into it; admins of the server could (if need be) take ownership of the profile and change the permissions, but by default would have no rights.

I've never done roaming profiles before but may have a need to at some point in the future, so I would appreciate the clarification as to how you have done / would recommend doing it.

Thanks

-Spy
 

yruffostsif

Senior member
Sep 8, 2003
233
0
0
For roaming profiles:

I like to hide the profile share: \\SERVERNAME\Profile$

You create the profile folder and set NTFS permissions as follows: break the inheritance. (Everyone: Change; Administrators (domain, local, whatever): Full Control)
Now share the profile folder and set share permissions as Everyone (or Domain Users, Authenticated Users, whatever you want to restrict to): Change; Administrators (domain, local, whatever): Full Control

Now what happens is this: after you populate the user's profile path in ADUC (I always use \\Servername\profile$\%USERNAME%), the first time the user logs off it will automatically create a folder in the profiles folder (it will be the user's username), and it will set NTFS full control rights only to the user. Therefore a user who happens to stumble across the profiles share couldn't view anyone's folder but their own (if they have one). It's only a pain when you, the admin, want to look at or delete a user's folder. You have to take ownership of the folder and files, and then set permissions that allow you to manage them.

Using the variable %USERNAME% is what makes all this happen automatically and is great because when setting up new users, you don't have to define the profile path every time.

The real downside of roaming profiles is that it takes a lot of effort to keep things in order. I.e., Temporary Internet Files on each client should be set to something small like 20MB, otherwise you spend quite a long time syncing at log off. Same goes for files on the desktop. Using roaming profiles with a GPO defining profile sizes and what to sync is the only way to go.

Hope this explanation clears it up :)
 

SoulAssassin

Diamond Member
Feb 1, 2001
6,135
2
0
Unless I smoked a lot of crack this morning (which I may have), users do -not- need change permission at the share level. We use a 'root\users\%username%' structure with the root directory shared. Users have read access to root\users and we explicitly assign permissions to the username folder with admins as full control and users rwx. All permissioning is done through a custom VB script, so creating and moving users is a fire-and-forget process.

I don't think he ever mentioned it was a home network, but if he had the friends I had you need to keep everything tight. :)
 

spyordie007

Diamond Member
May 28, 2001
6,229
0
0
The real downside of roaming profiles is that it takes a lot of effort to keep things in order. I.e., Temporary Internet Files on each client should be set to something small like 20MB, otherwise you spend quite a long time syncing at log off. Same goes for files on the desktop. Using roaming profiles with a GPO defining profile sizes and what to sync is the only way to go.
With roaming profiles when a new profile is created (user logs in for first time) does it pull the default profile off the local machine or from your profile share? (i.e. "\\server\share\default user")

Thanks for clarifying.

-Spy
 

yruffostsif

Senior member
Sep 8, 2003
233
0
0
I see where you're headed now.

This I've never tried ... taking a new user and setting it up ahead of time. I've always let the PC use the default user, set up to my liking, and then let it sync up when I log the user off.

If you pre-populated the roaming profile folder with an actual profile from somewhere else (another user perhaps) and applied the correct NTFS permissions, it should work.
 

yruffostsif

Senior member
Sep 8, 2003
233
0
0
Originally posted by: SoulAssassin
Unless I smoked a lot of crack this morning (which I may have), users do -not- need change permission at the share level. We use a 'root\users\%username%' structure with the root directory shared. Users have read access to root\users and we explicitly assign permissions to the username folder with admins as full control and users rwx. All permissioning is done through a custom VB script, so creating and moving users is a fire-and-forget process.

I don't think he ever mentioned it was a home network, but if he had the friends I had you need to keep everything tight. :)

Share permissions combined with NTFS: how can you give a user read on the network share and expect that user to write anywhere, even if they have NTFS permissions elsewhere? On the root of the share, of course the NTFS permissions would be that no user can write ... only in their respective directories. Then you have to pre-create all the folders and set permissions. In the roaming profile suggestion that I made (and only for roaming profiles; I wasn't talking about the user's home directory), if you want the system to do all the work, you have to give the user at least Change on the profiles share and in NTFS. And to clarify further, I would never use a user's home directory to store their roaming profile.

Everyone has their own routine ... for share permissions, I usually leave it wide open, Everyone Full Control, then lock it down with NTFS. Only when the situation deems it will I use a combo of both.
 

spyordie007

Diamond Member
May 28, 2001
6,229
0
0
Yes :D

Your share permissions would be "Everyone Full Control", but you would set up the NTFS permissions on that directory to be "Authenticated Users Read, with Full Control to all child objects".

Does anyone know where the default profile would get pulled from?

-Spy
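The share-wide-open, lock-down-with-NTFS layout the thread settles on, pre-creating each user's folder the way SoulAssassin describes, as an added example that is not code from any poster here. It assumes a current Windows Server with the SmbShare module and icacls (not a Windows 2000 box); the root path, share name, domain and usernames are placeholders.

```powershell
# Added example, not from the thread. Assumes a current Windows Server (SmbShare
# module, icacls); root path, share name, domain and user names are placeholders.
param(
    [string]$ProfileRoot = 'D:\Profiles',
    [string]$ShareName   = 'Profile$',        # hidden share, as suggested above
    [string]$Domain      = 'EXAMPLE',         # placeholder NetBIOS domain name
    [string[]]$Users     = @('alice', 'bob')  # placeholder usernames
)
# Allow ACE; $Scope is 'ContainerInherit, ObjectInherit' (subtree) or 'None' (folder only)
function New-Rule([string]$Identity, [string]$Rights, [string]$Scope) {
    New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity, $Rights, $Scope, 'None', 'Allow')
}
# Replace a folder's ACL with exactly the rules given: break inheritance,
# drop inherited entries, remove old explicit entries, add only ours.
function Set-ExplicitAcl([string]$Path, [object[]]$Rules) {
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($old in ($acl.Access | Where-Object { -not $_.IsInherited })) {
        [void]$acl.RemoveAccessRule($old)
    }
    foreach ($r in $Rules) { $acl.AddAccessRule($r) }
    Set-Acl -Path $Path -AclObject $acl
}
$Sub = 'ContainerInherit, ObjectInherit'

# 1. Root: Authenticated Users may list it (this folder only); admins/SYSTEM full.
New-Item -ItemType Directory -Path $ProfileRoot -Force | Out-Null
Set-ExplicitAcl $ProfileRoot @(
    (New-Rule 'BUILTIN\Administrators'           'FullControl'    $Sub),
    (New-Rule 'NT AUTHORITY\SYSTEM'              'FullControl'    $Sub),
    (New-Rule 'NT AUTHORITY\Authenticated Users' 'ReadAndExecute' 'None')
)

# 2. Per-user folder: only that user (plus admins/SYSTEM) can open it. The user is
#    also made owner: Windows rejects a pre-created profile folder the user does not own.
foreach ($u in $Users) {
    $dir = Join-Path $ProfileRoot $u
    New-Item -ItemType Directory -Path $dir -Force | Out-Null
    Set-ExplicitAcl $dir @(
        (New-Rule "$Domain\$u"             'FullControl' $Sub),
        (New-Rule 'BUILTIN\Administrators' 'FullControl' $Sub),
        (New-Rule 'NT AUTHORITY\SYSTEM'    'FullControl' $Sub)
    )
    icacls $dir /setowner "$Domain\$u" /Q | Out-Null
}

# 3. Share permissions stay wide open; the NTFS ACLs above do the real restriction.
if (-not (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $ShareName -Path $ProfileRoot -FullAccess 'Everyone' | Out-Null
}
```

Effective access over the network is the more restrictive of the share and NTFS permissions, so a Read-only share would block profile writes no matter how the NTFS ACLs are set; this layout keeps the share permissive and lets the explicit per-user NTFS entries do the isolation.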