N
NZSchoolTech
We have had one administrator using Vista since the start of the year. Now
we want to bring Vista into use for a group of restricted user accounts, and
by that, I mean that they aren't power users or administrators or anything
like that.
It seems clear to date that MS has put a whole pile of extra security stuff
into Vista that just makes it that much harder for a domain administrator to
set up a PC if the users are not power users and don't have any particular
rights on the local machine. The reason it is clear is we are seeing issues,
errors and problems that don't show up when someone whose account has
privileges logs onto a machine. The experience is completely different from
Windows XP; these issues simply aren't seen there at all.
For example, I kept getting errors when I tried to run GPUpdate and would be
told that the new policy could not be applied. After a lot of toing and
froing, trying to find out about the problem, I found a suggestion that I
needed to give the Domain Computers group security access to the
Organisational Unit in Active Directory where the computer's account was
stored. This fixed the problem.
The main problem that I am still having with the logon is that Folder
Redirection policy cannot complete. This is pretty important because the
user can't get access to their documents, which are stored in a shared
location on the server and are not accessible in their usual profile
location. The event logged for this problem is as follows:
Log Name: System
Source: Microsoft-Windows-GroupPolicy
Date: 13/10/2008 9:01:06 p.m.
Event ID: 1085
Task Category: None
Level: Warning
Keywords:
User: HCS\year9
Computer: CYC-62550.hcs.local
Description:
Windows failed to apply the Folder Redirection settings. Folder Redirection
settings might have its own log file. Please click on the "More information"
link.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-GroupPolicy"
Guid="{aea1b4fa-97d1-45f2-a64c-4d69fffd92c9}" />
<EventID>1085</EventID>
<Version>0</Version>
<Level>3</Level>
<Task>0</Task>
<Opcode>1</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2008-10-13T08:01:06.464Z" />
<EventRecordID>2754</EventRecordID>
<Correlation ActivityID="{A792D6E6-705B-4ACC-A548-016BF5B27D70}" />
<Execution ProcessID="1080" ThreadID="3544" />
<Channel>System</Channel>
<Computer>CYC-62550.hcs.local</Computer>
<Security UserID="S-1-5-21-1131366045-2363284717-2431634961-1704" />
</System>
<EventData>
<Data Name="SupportInfo1">1</Data>
<Data Name="SupportInfo2">3847</Data>
<Data Name="ProcessingMode">1</Data>
<Data Name="ProcessingTimeInMilliseconds">7453</Data>
<Data Name="ErrorCode">1003</Data>
<Data Name="ErrorDescription">Cannot complete this function. </Data>
<Data Name="DCName">\\DC01.hcs.local</Data>
<Data Name="ExtensionName">Folder Redirection</Data>
<Data Name="ExtensionId">{25537BA6-77A8-11D2-9B6C-0000F8080861}</Data>
</EventData>
</Event>
--
we want to bring Vista into use for a group of restricted user accounts, and
by that, I mean that they aren't power users or administrators or anything
like that.
It seems clear to date that MS has put a whole pile of extra security stuff
into Vista that just makes it that much harder for a domain administrator to
set up a PC if the users are not power users and don't have any particular
rights on the local machine. The reason it is clear is we are seeing issues,
errors and problems that don't show up when someone whose account has
privileges logs onto a machine. The experience is completely different from
Windows XP; these issues simply aren't seen there at all.
For example, I kept getting errors when I tried to run GPUpdate and would be
told that the new policy could not be applied. After a lot of toing and
froing, trying to find out about the problem, I found a suggestion that I
needed to give the Domain Computers group security access to the
Organisational Unit in Active Directory where the computer's account was
stored. This fixed the problem.
The main problem that I am still having with the logon is that Folder
Redirection policy cannot complete. This is pretty important because the
user can't get access to their documents, which are stored in a shared
location on the server and are not accessible in their usual profile
location. The event logged for this problem is as follows:
Log Name: System
Source: Microsoft-Windows-GroupPolicy
Date: 13/10/2008 9:01:06 p.m.
Event ID: 1085
Task Category: None
Level: Warning
Keywords:
User: HCS\year9
Computer: CYC-62550.hcs.local
Description:
Windows failed to apply the Folder Redirection settings. Folder Redirection
settings might have its own log file. Please click on the "More information"
link.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-GroupPolicy"
Guid="{aea1b4fa-97d1-45f2-a64c-4d69fffd92c9}" />
<EventID>1085</EventID>
<Version>0</Version>
<Level>3</Level>
<Task>0</Task>
<Opcode>1</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2008-10-13T08:01:06.464Z" />
<EventRecordID>2754</EventRecordID>
<Correlation ActivityID="{A792D6E6-705B-4ACC-A548-016BF5B27D70}" />
<Execution ProcessID="1080" ThreadID="3544" />
<Channel>System</Channel>
<Computer>CYC-62550.hcs.local</Computer>
<Security UserID="S-1-5-21-1131366045-2363284717-2431634961-1704" />
</System>
<EventData>
<Data Name="SupportInfo1">1</Data>
<Data Name="SupportInfo2">3847</Data>
<Data Name="ProcessingMode">1</Data>
<Data Name="ProcessingTimeInMilliseconds">7453</Data>
<Data Name="ErrorCode">1003</Data>
<Data Name="ErrorDescription">Cannot complete this function. </Data>
<Data Name="DCName">\\DC01.hcs.local</Data>
<Data Name="ExtensionName">Folder Redirection</Data>
<Data Name="ExtensionId">{25537BA6-77A8-11D2-9B6C-0000F8080861}</Data>
</EventData>
</Event>
--