ConsciousVibes.com

Home | Links ( Motorcycles, Computers )

Windows Server 2003 Tips

All of the information, instructions, and recommendations on this Web site are offered on a strictly "as is" basis. Remember "Murphy's Law." Please take the proper precautions before attempting any of the tips or modifications listed here.

Contents

What is Folder Redirection

In computing, and specifically in the context of Microsoft Windows operating systems, Microsoft refers to folder redirection when automatically re-routing I/O to/from standard folders (directories) to use storage elsewhere on a network.

It is often used in an office network environment, to ensure that users do not store data locally, when a network device is the preferred storage location. The My Documents folder is often redirected to a file server.

Advantages include:

• Data is stored on a device where it can be backed up
• If redirection is applied to multiple users, all data is stored in the one location

The redirection is often performed by Group Policy, when used in an Active Directory environment.

References:

• Wikipedia, the free encyclopedia
• Folder Redirection Overview

How to: Enable Folder Redirection Using a Group Policy Object

Preparation

• Windows Server 2003 named SRVR-99
  • DNS and Active Directory installed and properly configured
• Create the C:\Users\ directory
  • Important: Do not modify the local ACL (Access Control List) for the C:\Users\ directory. Windows Server will make the necessary modifications for each users directory.
• Share C:\Users\ as "Users"
  • Important: Click the "Permissions..." button and Allow "Change" for the Everyone group. If this is not done the users directories will not be automatically created on the server when the end-user logs in for the first time. Do not allow "Full Control."
• In C:\Users\, create a directory named "Homes"
  • Important: Do not modify the local ACL (Access Control List) for the C:\Users\Homes\ directory. Windows Server will make the necessary modifications for each users directory.

Steps

Using the "Active Directory Users and Computers" snap-in:

1. Right click on the domain name and select properties
2. Click on the Group Policy tab
3. Click the "New" button to add a new Group Policy Object. Name it "Redirect Users Directories to Server GPO"
4. Right click on the GPO you just created and select properties.
5. Click on the Security tab
6. Deny "Apply Group Policy" for Domain Admins and Enterprise Admins. 
   • Warning: Do not skip this step, else you may be unable to correct a configuration mistake.
   • Warning: Never, ever, deny "Read" for Admins
7. Click OK to exit from the GPO Properties
8. Click the "Edit" button to edit "Redirect Users Directories to Server GPO" using the Group Policy Object Editor
9. Go to: User Configuration > Windows Settings > Folder Redirection to reveal the folders that you can redirect.
10. Right Click on "Application Data" and choose Properties
11. Change the setting to "Basic - Redirect everyone's folder to the same location"
12. For Target folder location: "Create a folder for each user under the root path"
• Note: This option is not available under Server 2000
13. For Root Path, enter the UNC path to the Homes directory on the server. e.g. \\srvr-99\Users\Homes
• Note: For Server 2000, you'll have to append \%username% to the root path. e.g. \\srvr-99\Users\Homes\%username%
14. Click OK to save the configuration
15. Repeat steps 10 - 14 for "Desktop," "My Documents," and "Start Menu"
16. For "Start Menu," if "Create a folder for each user under the root path" is not available, use "Redirect to the following location" and append \%username% to the root path. e.g \\srvr-99\Users\Homes\%username%
17. Close the Group Policy Object Editor
18. Close the properties for the domain (which lists the GPOs)

Notes:

• Users need to logoff, then log back in for the group policy to be applied.
• When each user logs in for the first time, a new directory with their username will be created in C:\Users\Homes\ on the server
• Do not create the directories yourself, else the appropriate security restrictions may not be set.
• You do not have to configure anything in the users profile for Folder Redirection to work.
• This Group Policy will be applied to all users that log into the domain, except Domain Admins and Enterprise Admins.

References and Related Links:

• WindowsNetworking.com: Profile and Folder Redirection In Windows Server 2003

How to: Enable Roaming Profiles

A roaming user profile is a concept in the Microsoft Windows NT family of operating systems that allows a user with a computer joined to a Windows Server domain to log on to any computer on the same network and access his or her local files and settings.

Preparation

• Windows Server 2003 named SRVR-99
  • DNS and Active Directory installed and properly configured
• Create the C:\Users\ directory and share it as "Users"
• In C:\Users\, create a directory named "Profiles"

Using the "Active Directory Users and Computers" snap-in

1. Open the properties for a user
2. Click on the users Profile tab
3. For: User Profile > Profile path:, enter the path on the server where the users profile is to be stored.  e.g. \\srvr-99\Users\Profiles\%username%
4. Click OK to save the settings.

Notes:

• When each user logs in for the first time, a new directory with their username will be created in C:\Users\Profiles\
• Do not create the directories yourself, else the appropriate security restrictions may not be set
• The first time a user logs out their profile is copied to the server.

References and Releated Links:

• MSDN Library: Roaming User Profiles
• Wikipedia: Roaming user profile
• WindowsNetworking.com: Profile and Folder Redirection In Windows Server 2003
• Working with Win2K roaming profiles

Allow Access to a Shared Directory by a User With a Blank Password

OS: Windows Server 2003 R2

1. Open a Command Prompt: Start > Run..., and type in cmd.
2. Run the Group Policy snap in, GPEdit.msc
3. Go to: Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
4. Disable, "Accounts: Limit local account use of blank passwords to console only"

How to Enable Logon Screen Shutdown Button

To enable the Shutdown button on the login dialog box:

1. Start the Group Policy (Local) Microsoft Management Console (MMC) snap-in. gpedit.msc
2. Go to: Local Computer Policy > Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options.
3. Enable "Shutdown: Allow system to be shut down without having to log on"
4. Click OK.

Restrict Local Login

OS: Windows Server 2003 R2

1. Start the Group Policy Snap-in (for the Local Computer) (gpedit.msc)
2. Go to Local Computer Policy > Windows Settings > Security Settings > Local Policies > User Rights Assignment
3. Modify the "Allow log on locally" policy
4. Remove "Users" and "Power Users" from the list