Trying to create mandatory profiles....

jim

I want to control the user desktops (not allow them to install stuff or hose
up the desktop for the next user) and I am trying to create mandatory
profiles on a Windows 2000 Server.

The Windows 2000 Server Administrator's Companion (Microsoft Press), on page
276, says to...

"1. Create a user account with a descriptive name.... This is just a blank
account that you'll use to create a template for the customized
configuration.

2. Log on using the template account and create the desktop settings you
want, including applications, shortcuts, appearance, network connections,
printers, and so forth.

3. Log off the template account. Windows 2000 creates a user profile on the
system root drive in the Documents And Settings folder. ....

4. Log on using an administrator account. Open Active Directory Users and
Computers, and find the account for which you want to assign the customized
roaming profile."

I'll stop here....because I can't get past step #2.

When I log off the server as Administrator and try to log in as my template
user, I get a "Logon Message" that says "The local policy of this system does
not permit you to logon interactively."

So I logged back in as Administrator, and added the user to the Local
Security Settings>User Rights Assignment>Log On Locally policy setting. I
also checked that the Users group was checked there.

I tried logging in locally as Template again and got the same message.

What am I doing wrong?

jim
 
Marcin

Jim,
have you verified that the Effective Policy Setting checkbox for Log on
Locally user right assignment is marked on for the user/group in question?
Do you have by any chance an overlapping group configured with "Deny log on
locally" setting?

hth
Marcin
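The two checks Marcin suggests (who holds "Log on locally", and whether a "Deny log on locally" entry overlaps it) can be read straight out of the policy currently applied on the machine. This is an added example, not part of the thread: it exports the user-rights area with secedit.exe (present on Windows 2000 and later), lists the holders of both rights, and translates the *SID entries secedit writes into account names. A deny entry always wins over an allow entry, which is why adding a user to "Log on locally" changes nothing if one of that user's groups is denied. The file name and the use of PowerShell are assumptions; on a Windows 2000 box itself only the secedit command line exists, and the resulting .inf can be read by hand.

```powershell
# Added example (not from the thread): list who is granted and who is denied
# "Log on locally" in the policy currently applied to this machine.
# secedit.exe exists on Windows 2000 and later; run this in an elevated prompt
# on the server that refuses the logon. The file name below is an assumption.
$cfg = Join-Path $env:TEMP 'userrights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null

function Get-UserRightHolders {
    param([string]$Right, [string]$ConfigFile)
    # The [Privilege Rights] section has lines like
    #   SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545,EXAMPLE\template
    $line = Get-Content $ConfigFile | Where-Object { $_ -match "^\s*$Right\s*=" }
    if (-not $line) { return @() }           # right granted to nobody at all
    ($line -replace '^[^=]*=', '').Split(',') | ForEach-Object {
        $entry = $_.Trim()
        if ($entry.StartsWith('*')) {
            # secedit writes principals as *SID; translate to DOMAIN\Name when possible
            $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.Substring(1))
            try   { $sid.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $entry }                 # unresolvable SID: show it raw
        } else {
            $entry
        }
    }
}

$allow = Get-UserRightHolders -Right 'SeInteractiveLogonRight'     -ConfigFile $cfg
$deny  = Get-UserRightHolders -Right 'SeDenyInteractiveLogonRight' -ConfigFile $cfg

"Log on locally is granted to:";   $allow | ForEach-Object { "  $_" }
"Deny log on locally applies to:"; $deny  | ForEach-Object { "  $_" }

# Deny beats allow: if any group the failing account belongs to appears in
# $deny, the allow entry for that account is irrelevant.
Remove-Item $cfg
```

On a domain controller the settings shown here come from the Default Domain Controllers Policy rather than from the Local Security Settings console, which is why the local console shows the effective value greyed out; that GPO also does not grant "Log on locally" to the Users group by default, so an ordinary domain user cannot log on at the console of a DC until that policy is changed or the user is added to one of the operator groups it lists.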
 
jim

Marcin said:
Jim,
have you verified that the Effective Policy Setting checkbox for Log on
Locally user right assignment is marked on for the user/group in question?
Do you have by any chance an overlapping group configured with "Deny log
on locally" setting?

It was not checked and I could not change it from where I saw it (kind of
greened/greyed out).

I don't know what policies may be overlapping that could hamper this. Is
there an easy way to find out?

jim
 
Paul Bergson [MVP-DS]

The easiest thing to start with is REMOVE all users from the local
administrators group. If they aren't members of this they can't install new
software.

Point the users' profiles to a network location that is within their work
area, such as within their home folder. This is done from within ADUC, that
way if they damage something it only impacts their desktop.

Make the "All Users" folder read only for everyone but the Local
Administrators

This will get you a good start. I created mandatory roaming user profiles
for an airline hangar system and it took a while to get it all locked down.
I ended up getting some help from somebody writing some code to block users
from doing some things that you just couldn't lock down back in W2K.

--
Paul Bergson
MVP - Directory Services
MCT, MCSE, MCSA, Security+, BS CSci
2003, 2000 (Early Achiever), NT

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.
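Paul's three steps (strip users out of the local Administrators group, point each user's profile path at a per-user network folder from the user object, and make All Users read-only for everyone except Administrators) as one script. This is an added example and not code from the thread or from Paul's hangar deployment. It uses cmdlets that exist on current Windows and Active Directory (the ActiveDirectory and Microsoft.PowerShell.LocalAccounts modules); Windows 2000 has no PowerShell, so there the same steps are done by hand in Computer Management, ADUC and cacls. The OU, the profile share and the folder layout are assumptions. Making the profile mandatory is then a matter of renaming NTUSER.DAT to NTUSER.MAN in the per-user profile folder, which is what stops a user's changes being written back at logoff.

```powershell
# Added example (not from the thread): Paul's lock-down steps as a script.
# Requires the ActiveDirectory and Microsoft.PowerShell.LocalAccounts modules
# (not available on Windows 2000 itself). All names below are assumptions.
param(
    [string]$TargetOU     = 'OU=Hangar Users,DC=example,DC=local',  # assumed OU
    [string]$ProfileRoot  = '\\fileserver\profiles$',                # assumed share
    [string]$AllUsersPath = 'C:\Documents and Settings\All Users'     # Win2000 layout
)
Import-Module ActiveDirectory

# 1. Only the built-in Administrator and Domain Admins stay in local Administrators;
#    anyone else loses the ability to install software on this machine.
$keep = @('Administrator', 'Domain Admins')
Get-LocalGroupMember -Group 'Administrators' |
    Where-Object { ($_.Name -split '\\')[-1] -notin $keep } |
    ForEach-Object {
        Write-Host "Removing $($_.Name) from local Administrators"
        Remove-LocalGroupMember -Group 'Administrators' -Member $_.Name
    }

# 2. Give every user in the OU a profile path under the profile share, so a
#    damaged profile only affects that one user. Rename NTUSER.DAT to
#    NTUSER.MAN inside the folder once it is populated to make it mandatory.
Get-ADUser -Filter * -SearchBase $TargetOU | ForEach-Object {
    $path = Join-Path $ProfileRoot $_.SamAccountName
    Set-ADUser -Identity $_ -ProfilePath $path
    Write-Host "$($_.SamAccountName) -> $path"
}

# 3. All Users: read/execute for Everyone, full control only for SYSTEM and
#    local Administrators. Inheritance is cut so parent ACEs cannot loosen it.
$acl = Get-Acl -Path $AllUsersPath
$acl.SetAccessRuleProtection($true, $false)          # protect, drop inherited ACEs
$acl.Access | ForEach-Object { [void]$acl.RemoveAccessRule($_) }
$inherit = 'ContainerInherit,ObjectInherit'
foreach ($rule in @(
    @('Everyone',                'ReadAndExecute'),
    @('BUILTIN\Administrators',  'FullControl'),
    @('NT AUTHORITY\SYSTEM',     'FullControl')
)) {
    $ace = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $rule[0], $rule[1], $inherit, 'None', 'Allow')
    $acl.AddAccessRule($ace)
}
Set-Acl -Path $AllUsersPath -AclObject $acl
```

Run it as a domain administrator on the server whose local Administrators group and All Users folder you want to clean up; step 2 talks to the domain, so it only needs to run once, while steps 1 and 3 are per machine.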
 
Marcin

Execute gpresult.exe from the Command Prompt while logged on as admin to the
server in question...

hth
Marcin
 
jim

That is not a recognized command on this server.

I wonder if the text meant to log in to a PC as the template profile instead
of to the server?

jim
 
