managing users/profiles in active directory 1

[apj77]

I am setting up a small business with active directory and I could use some help. I have a few parts to this question.

1. How do I setup a group so that all users can had admin right on workstations but not on the server?

2. I want to setup roaming profiles so that desktop settings and My Documents folder are the same on every computer.

3. I want to preconfigure every to use the same printer.

4. Can I prevent local profiles from being created?

All the clients are XP PRO.

TIA

 

[Aslamvs]

HI,

1>. How do I setup a group so that all users can had admin right on workstations but not on the server?

For Setting that kind of group
Start Active Directory Users and Computers, right-click the organizational unit, and then click Properties.

Click the Group Policy tab, click NEW, and then name the policy.

Click the policy, and then click Edit

Right-click Restricted Groups (under Computer Configuration\Windows Settings\Security Settings\Restricted Groups), and then click Add Group.

Click Browse. Focused on the local computer, click the group to which you want your global group to be a member (in this case, the "Administrators" group), click ADD, and then click OK. You are returned to the group policy and you see the administrators group listed in the Restricted Groups window.

Right-click the group, and then click Security

To the right side of the Members of this Group box, click ADD, and then click Browse

Locate the group in the organizational unit that you want to place in the administrators group, and then add it the group. After you do so, close the group policy.
At a command prompt, type secedit /refreshpolicy machine_policy /enforce, and then press ENTER

NOTE: From any of the workstations or member servers in that organizational unit, you can view the local groups and see that the global group is a member of the administrators local group.


2>I want to setup roaming profiles so that desktop settings and My Documents folder are the same on every computer.

For setting roaming proflies create a folder called profiles on your server share the same. Then go to Active directory users and Computer .
In your Proerpties At profile path give path as
\\servername\share\%username%

this will create roaming profiles for the user. and make sure on profiles folder user should have chhange permissions.

3>I want to preconfigure every to use the same printer

For adding network printer for all users You can publish your printer in active directory and map them for the users and another this you can do is Install the printer on network printer then use "con2prt.exe" from Zero administration kit .
This utility will allow you to install the network printer using command line.
see
con2prt /?
using this exe create a batch file and call the same in login script. this will install network printer for all users.

4>Can I prevent local profiles from being created

You cant prevent local profiles from creating but one thing you can do delete cached roaming profiles from the local PCs using GPO

Open the GPO you wish to modify, such as the Default Domain Policy

Navigate to Computer Configuration / Administrative Templates / System / Logon

Double-click Delete cached copies of roaming profiles

Press Enabled

Press Apply

HTH Aslam

 

[apj77]

Aslam. Thanks for the help. I know it was a lot but I was stuck. I owe you one!

Cheers,