Step-by-Step Guide to Managing the Active Directory

  • Doc File 859.50KByte



Step-by-Step Guide to Managing the Active Directory

| |

|Document Change Control Table |

|Version |Date of |Author(s) |Brief Description of Change(s) |

|Number |Issue | | |

|1.00 |2/10/04 |D. Aragon |Initial Version |

|1.01 |5/12/04 |D. Aragon |Added section on user profiles. |

|1.02 |5/21/04 |D. Aragon |Added Document Control Table and Table of Contents. |

|1.03 |7/26/04 |D. Aragon |Added security warning and corrected several typo’s. |

|1.04 |3/15/07 |D. Aragon |Updated guide to reflect procedures for Windows Server 2003 Active |

| | | |Directory FFL. |

| | | | |

| | | | |

| | | | |

| | | | |

| | | | |

Table of Contents

Introduction 1

Prerequisites 1

In this Step-by-Step Guide 1

Using the Active Directory Users and Computers Snap-in tool 2

Recognizing Active Directory Objects 3

Adding an Organizational Unit 5

Creating a Computer Object 6

Adding a Computer to the Domain 9

Managing Computer Objects 10

Managing a Remote Computer 10

Creating a Group 13

Adding a User to a Group 13

Nested Groups 15

Creating Nested Groups 16

Finding Specific Objects 17

Filtering a List of Objects 18

Writing a Group Policy Object 19

Create a Group Policy Object 20

Edit a Group Policy Object 21

Use an ADM file to create a GPO 22

Publishing a Shared Folder 23

To publish the shared folder in the directory 23

To browse the directory 24

Publishing a Printer 25

Windows 2000 Printers 25

To add a new printer 25

To locate a printer 26

Adding Non-Windows 2000 Printers 26

To use the Active Directory Users and Computers snap-in to publish printers 27

Folder Redirection 28

Let the system create folders for each user 28

Use offline folder settings on the server share where the user's info is stored 29

Policy removal considerations 30

[pic]Offline Folders Tips and Tricks 30

User profiles overview 30

Advantages of using user profiles 31

User profile types 31

Contents of a user profile 32

NTuser.dat file 33

All Users folder 33

To copy a user profile 33

To create a preconfigured user profile 35

User Profiles and Roaming User Profiles Tips and Tricks 36

Attachments: 39

Creating a Local User Account 39

To create a new local user account 39

Introduction

ITR in conjunction with TSAG Members have been tasked with implementation of the policies and management of the top level (root) organizational unit (OU) along with implementing TSAG approved changes to the schema and top level (root) Group Policy Object (GPO). As local autonomy of the individual colleges and organizations represented at the first level OU is desired, local administration of these OU’s will fall on TSAG members or their appointed representatives. This guide is provided to TSAG Members as an introduction to the administration of the Active Directory service and the Active Directory Users and Computers snap-in. This snap-in allows you to add, move, delete, and alter the properties for objects such as users, contacts, groups, servers, printers, and shared folders. It is available for download as part of the Active Directory administrative tools from the Active Directory web site (). The Active Directory administrative tools can only be used from a computer with access to a domain.

Prerequisites

This document is based on the following documents and web pages:

Step-by-Step How-To-Guide to the Common Infrastructure for Windows 2000 Server Deployment,

Part One: ,

Part Two: , and

.

This document assumes you are familiar with Windows 2003 or Windows XP and that you have Administrative authority for your OU (i.e. you have an “a under-bar” account).

In this Step-by-Step Guide

Common Administrative Tasks

• Adding an Organizational Unit

• Creating a Computer Object

• Adding a Computer to the Domain

• Creating Groups and Adding Members to Groups

• Creating or Editing a Group Policy Object

Advanced Administrative Tasks

• Publishing shared network resources, such as shared folders and printers

• Renaming, Moving, and Deleting Objects

• Creating Nested Groups

• Using Filters and Searches to retrieve objects

• Folder Redirection

Additional Useful Information

• Policy Removal Considerations

• Offline Folder Tips and Tricks

• User Profile Overview

• User Profiles and Roaming User Profiles Tips and Tricks

Attachments

• Creating a User Account

• Group Policy Object Settings Explanation

• Root Group Policy Object settings

• Blank Group Policy Object Worksheet

Using the Active Directory Users and Computers Snap-in tool

|Note: |For security reasons direct access to the Domain Controllers is prohibited. Maintenance of objects can only be |

| |performed through use of the Users and Computers Snap-in. |

|Note: |If you have not done so already, install the Administrative Package found on the Active Directory Administration Web |

| |Site (csun.edu/tsag/activedirectory). Download and install the correct administrative package for your operating |

| |system (admin2k.exe for Windows 2000 or adminxp.exe for Windows XP or Windows Server 2003). This will install the |

| |proper snap-in referenced in this section. |

1. To start the Active Directory Users and Computers snap-in, click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.

2. Expand csun.edu by clicking the +.

3. Figure 1 below displays the key components of the Active Directory Users and Computers snap-in for csun.edu.

[pic]

Figure 1 The Active Directory Users and Computers Snap-In

Recognizing Active Directory Objects

The objects described in the following table are created during the installation of Active Directory.

|Icon |Folder |Description |

|[pic] |Domain |The root node of the snap-in represents the domain being administered. |

|[pic] |Default Computers |Contains all Windows NT, Windows 2000, Windows XP, and Windows Server |

| | |2003–based computers that join our domain incorrectly. This includes |

| | |computers running Windows NT versions 3.51 and 4.0. If you upgrade from a |

| | |previous version, Active Directory migrates the machine account to this |

| | |folder. Computers in this folder will display a message to the user at |

| | |logon, warning them the computer is in the wrong location, and to notify |

| | |their IT Tech to move it. You must get an Active Directory Enterprise |

| | |Administrator to move these objects. |

|[pic] |System |Contains Active Directory systems and services information. |

|[pic] |Auth/People |Contains all the users in the domain. Like computers, the user objects can |

| | |be moved, however, this will cause them to become out of sync with the |

| | |enterprise and therefore moving a user object is not allowed. |

|[pic] |Users |Contains all the user types in the domain. |

You can use Active Directory to create the following objects.

|Icon |Object |Description |

|[pic] |User |A user object is an object that is a security principal in the |

| | |directory. A user can log on to the network with these credentials and |

| | |access permissions can be granted to users. |

|[pic] |Contact |A contact object is an account that does not have any security |

| | |permissions. You cannot log on to the network as a contact. Contacts |

| | |are typically used to represent external users for the purpose of |

| | |e-mail. |

|[pic] |Computer |An object that represents a computer on the network. For Windows |

| | |NT-based workstations and servers, this is the machine account. |

|[pic] |Organizational Unit |Organizational units are used as containers to logically organize |

| | |directory objects such as users, groups, and computers in much the same |

| | |way that folders are used to organize files on your hard disk. |

|[pic] |Group |Groups can have users, computers, and other groups. Groups simplify the|

| | |management of large numbers of objects. |

|[pic] |Shared Folder |A shared Folder is a network share that has been published in the |

| | |directory. |

|[pic] |Shared printer |A shared printer is a network printer that has been published in the |

| | |directory |

Adding an Organizational Unit

This procedure creates an organizational unit (OU) in the CSUN domain.

|Note: |You can create nested organizational units and there is no limit to the nesting levels, though Microsoft suggests that |

| |nesting more than five levels deep might slow the logon process. |

These steps follow the Active Directory structure begun in the "Step-by-Step Guide to a Common Infrastructure for Windows 2000 Server Deployment" . For your own organization, add the OU’s under your organizational OU contained within the csun.edu active directory forest.

|Note: |You are not allowed to add a first level OU. Unauthorized first level OU’s will be deleted without warning. |

1. Click the + next to your OU to expand it.

2. Right-click the location you wish to insert the new OU under.

3. Point to New and click Organizational Unit. Type the name of your new organizational unit. Click OK.

4. Repeat steps 2 and 3 above to create additional organizational units, as needed

For example, the screen shot in figure 2 shows

Organizational unit ITR under csun.edu.

Organizational unit Network Engineering & Operations under the ITR organizational unit.

Organizational unit Computers and Groups Network Administration and Operations under the Network Engineering & Operations organizational unit. (To do this, right-click Network Engineering & Operations, point to New, and then click Organizational Unit.)

Click Network Engineering & Operations so that its contents will display in the right pane.

When you are finished, you should have a hierarchy similar to Figure 2 below:

[pic]

Figure 2 New OUs

Creating a Computer Object

A computer object is created automatically when a computer joins a domain; however, this places the computer object in the (first level) OU = Default Computers. Additionally, a warning is displayed on the computer that pops up whenever someone logs into the machine stating the system is in the wrong location and to contact his or her local IT Tech staff or UHD to have it moved. To get it out of this OU and into your OU requires an Active Directory Enterprise Administrator to move it for you. A better method is for you to create the computer object before the computer joins a domain so it will join in the correct OU.

|Note: |There is no unified object naming conventions employed at CSUN, however, object naming should be standardized within |

| |your OU to enable the rapid and correct identification of each object within your organization. |

|Note: |Each object name must be unique within the entire Active Directory. |

|Note: |To view the name of the computer you plan to add to Active Directory. |

| |To view the computers name in Windows 2000 |

| |Right click on My Computer |

| |Click on Properties |

| |In panel on the left side, click the Network Identification link |

| |Computer Name is shown as Full Computer Name (use portion preceding the .csun.edu if it is present). |

| |For example if the full computer name is daxps.csun.edu, the computer name you will want to enter is daxps. |

| |To view the computers name in Windows XP |

| |Right Click on My Computer |

| |Click on Properties |

| |Click on Computer Name Tab |

| |Computer Name is shown as Full Computer Name (use portion preceding the .csun.edu if it is present). |

| |For example if the full computer name is daxps.csun.edu, the computer name you will want to enter is daxps.. |

[pic]

Figure 3 Computer Name

Using the previous structure as an example, if we wanted to add a computer named GDUHON to the Computers OU under the Network Engineering & Operations OU we would complete the following tasks:

|Note: |Naming a computer with the name of the primary user may present an unnecessary security risk by alerting those who may |

| |be snooping on the network of the identity of the user of a particular machine, thereby making a particular machine a |

| |target of a directed attack. From a security stand point, it would be better to name the computers in your OU |

| |something less identifying. |

1. Right-click the Computers organizational unit under the Network Engineering & Operations OU, point to New, and then click Computer.

2. Type in the computer name: GDUHON.

3. You can manage this computer in the Active Directory Users and Computers snap-in, by right clicking the computer object, and then clicking Manage.

4. Optionally, you can select which users are permitted to join a computer to the domain. This allows the administrator to create the computer account and someone with lesser permissions to install the computer and join it to the domain.

5. Once created, you should right click the object, select the Security tab. Insure that your a_account is not present, if it is then remove it. Also insure your Administrative group is listed. If it isn’t, then add it. Not doing this could restrict your administrative control of this object.

|Note: |If you cannot see the Security tab, from the top line menu select View and select Advanced Features. |

[pic]

Figure 4 Adding a New Computer

Adding a Computer to the Domain

After creating a computer object but prior to first use, a computer must be physically joined to the Domain. This process insures that the appropriate policies are applied. The first step in this process is to ensure that the local computers clock is synchronized with the network.

|Note: |It is important to create the computer object in active directory prior to joining the computer to the domain. If |

| |there is no object in active directory for the computer to join to, an object will be automatically created and placed |

| |in OU = computers. You must then contact one of the e_account holders or a member of ITR-Admin group to move it to its|

| |correct location. |

1. Open up a command window (Select Start, select Run and type cmd in the text box)

2. At the prompt, type: net time /setsntp:ntp.csun.edu

3. You should get a response that states: The command completed successfully.

4. Type: net stop w32time

5. You should get a response that states: The Windows Time service was stopped successfully.

6. Type: net start w32time

7. You should get a response that states: The Windows Time service was started successfully.

8. Close the command window.

Now join the computer to the network

9. Right click My Computer and select Properties

10. In Windows 2000 select Network Identification followed by Properties, in Windows XP select Computer Name followed by Change.

11. Select Member of Domain and enter csun.edu or just csun.

12. You will be prompted to enter your username and password, use your a_account name and password to authenticate your authority to perform this action.

13. If successful you will receive a notice welcoming you to the domain and informing you to reboot the system.

14. Reboot the system.

15. Users may now logon to the csun domain

Managing Computer Objects

Computer objects in Active Directory can be managed directly from the Active Directory Users and Computers snap-in. Computer Management is a component you can use to view and control many aspects of the computer configuration. Computer Management combines several administration utilities into a single console tree, providing easy access to a local or remote computer's administrative properties and tools.

|Note: |The following example assumes that you are working from a system and with an account that has management privileges on |

| |the system being managed and that the system being managed is currently running. |

Managing a Remote Computer

To manage a remote computer

1. In the Active Directory Users and Computers snap-in, click the + next to csun.edu.

2. Select the appropriate OU and expand it by clicking the +. Repeat this process until you get down to the level of the computer you wish to remotely manage. 

3. Right-click the computer object and then click Manage.

4. If you are authorized to do so, a management window will open as shown in Figure 5. If the system can not be remotely managed a warning will be issues (figure 6) and a management window will open as shown in Figure 7. If you are not authorized a management window will open as shown in Figure 8. .

[pic]

Figure 5 Remotely Managing a Computer

[pic]

Figure 6 Remote Computer not Found Warning

[pic]

Figure 7 Remote Computer not Found

[pic]

Figure 8 Remote Computer Management not Authorized

Creating a Group

A group is a container for people who have something in common and that need to be managed in a similar fashion. A few examples of the members that might be used to form a group could include students in a specific class are the only ones authorized to utilize the resources of a particular computer lab or the administrative staff. However, a group could just as easily be those people with birthdays in August.

For example, to create a group called Comp100Users in the ECS OU:

1. Right-click the ECS OU, click New, and then click Group.

2. In the Name of New Group text box, type: Comp100Users

3. Select the appropriate Group type and Group scope and then click OK.

• The Group type indicates whether the group can be used to assign permissions to other network resources, such as files and printers.

• The Group scope determines the visibility of the group and what type of objects can be contained within the group.

|Scope |Visibility |May contain |

|Domain Local |Domain |Users, Domain Local, Global, or Universal Groups |

|Global |Forest |Users or Global groups |

|Universal |Forest |Users, Global, or Universal Groups |

Adding a User to a Group

For example, to add users to the Comp 100 group created above:

1. Click ECS in the left pane.

2. Right-click the Comp100Users group in the right pane, and click Properties.

3. Click the Members Tab and click Add.

4. Enter their user identification (UID). If adding multiple users separate them with a semi-colon (;). When finished adding names click on the Check Names button as in Figure 9 below, this will check the entered names against the list of current users. Any discrepancies will be identified and you will be asked to correct or remove the UID from the list (Figure 10).

5. If you do not know the UID click on the Advanced button and follow instructions in the section called Finding Specific Objects below.

[pic]

Figure 9 Add User to the Comp100Users Group

[pic]

Figure 10 User not Found

Nested Groups

Nested groups allow you to provide college-wide or department-wide access to resources with minimum maintenance. Placing every user account into a single college-wide resource group is not an effective solution because it requires the creation and maintenance of a large number of membership links. To use nested groups, administrators create a series of account groups that represent the managerial divisions of the college or unit.

For example, the top account group might be called "ECS Users," and would be attached to a resource group that gives access to resources and shared directories. The next level might contain account groups that represent major divisions of the college for example CEAM, ME, CS, ECE, and MSEM. Each group at this level is a member of ECS Users, and is attached to a resource group giving access to shares and other resources appropriate to the division it represents.

Within a division, the next level of account groups might represent departments. Shared resources for the department might include project schedules, meeting schedules, vacation schedules, or any network information appropriate to the whole department. The department account groups are all members of the division account group.

Within a department, the management structure can be organized into security groups to any required level of specificity. These might be team account groups and might represent leaf nodes in the organization’s hierarchical tree.

With this group hierarchy in place, you can give a new employee or student assistant instant access to the resources of the team, department, the division, and the college as a whole by placing the user in a team account group. This system supports the principle of least access because the new employee or student assistant cannot view the resources of adjacent teams, other departments, or other divisions.

Creating Nested Groups

To create a nested group

1. In the Active Directory Users and Computers snap-in, click the + next to csun.edu.

2. Select the appropriate OU (ECS in our example) and expand it by clicking the +. Repeat this process until you get down to the level where you wish to create a group(ex. OU=Groups,OU=CECS,OU=ECS,DE=CSUN,DC=EDU).

3. Create a new group by right-clicking Groups, pointing to New, and then clicking Group. Type ECS Users, and then click OK.

4. Right-click the ECS Users Group, and then click Properties.

5. Click the Members tab, and then click Add.

6. In the Enter the objects name to select box, type CECS, and then click OK.

7. Click OK again. A nested group has been created.

8. Repeat steps 3 through 7 if additional nesting is required.

Finding Specific Objects

In a large directory deployment like ours, it may be unreasonable to browse a comprehensive list of objects in search of a unique object (we have over 400,000 objects in our Active Directory). Often, it is more efficient to find specific objects that meet a certain criteria. In the following example, you will find all users who have a first name starting with “Zeph” in the CSUN domain.

To find users with a first name starting with Zeph

1. Click to select csun.edu. Right-click csun.edu, and then click Find.

2. Enter the letters zeph and press the Find Now button.

[pic]

Figure 11.  Employing Simple Directory Search Techniques

|Note: |The same procedure is also valid for last names or UID’s. Additionally changing the Find dropdown will allow you to |

| |search for a number of other object types including computers, printers, shared folders, OU’s using the same general |

| |procedure. |

3. If what you are searching for isn’t in any of the lists above you need to do an advanced search. Click the Advanced tab. In the Field drop-down list, select Group, and then click Name.

4. Type Comp for Value, and then click Add. Click Find Now. Your results should be similar to those shown in Figure 12

[pic]

Figure 12.  Employing Advanced Directory Search Techniques

5. Select the one or more user objects you were looking for, double click to open the objects.

6. Close the Find User, Contacts, and Groups window.

Filtering a List of Objects

Filtering the list of returned objects from the directory can allow you to manage the directory more efficiently. The filtering option allows you to restrict the types of objects returned to the snap-in. For example, you can choose to view only users and groups, or you may want to create a more complex filter. If an OU has more than a specified number of objects, the Filter function allows you to restrict the number of objects displayed in the results pane. You can use the Filter function to configure this option.

To create a filter designed to display Groups only

1. In the Active Directory Users and Computers snap-in, click the + next to csun.edu.

2. Select the appropriate OU (COBAE in our example) and expand it by clicking the +. You should see a mixture of OU’s, computers and groups.

3. Click the View menu, and then click Filter Options.

4. Click the radio button for Show only the following types of objects, select Groups, and then click OK.

5. Reselect the appropriate OU (COBAE in our example) and expand it by clicking the +. Verify the filtering results. You should now only see a mixture of OU’s and groups.

6. Remove the filter.

Writing a Group Policy Object

Writing a Group Policy Object (GPO) can be a daunting and formidable task. The purpose of the GPO is to provide a mechanism to limit the behavior of a system or the user currently using that system. To make the task easier, the GPO is divided into logical sections. Below the root node, the namespace is divided into two parent nodes: Computer Configuration and User Configuration. These are the parent folders that you use to configure Group Policy settings. Computer-related Group Policy is applied when the operating system boots and during the periodic refresh cycle, while User-related Group Policy settings are applied when users log on to the computer and during the periodic refresh cycle.

Three nodes exist under the Computer Configuration and User Configuration parent nodes: Software Settings, Windows Settings, and Administrative Templates. The Software Settings and Windows Settings nodes contain extension snap-ins that extends either or both of the Computer Configuration or User Configuration nodes. Most of the extension snap-ins extends both of these nodes, but frequently with different options. The Administrative Templates node namespace contains all policy settings pertaining to the registry.

Several documents are attached to help in deciding which settings are appropriate and which are necessary.

• GPO Settings Explanations – This document goes through each setting and gives a brief explanation of what it does

• Root (overridable and non-overrideable) GPO Settings – A listing of the settings that have been implemented at the root. Some of these settings are overridable and describe best practice, while others are not overrideable, describing policy. In both cases the settings apply to all systems and users in Active Directory.

|Note: |To increase the security of the Active Directory Forest, the only users granted accesses to objects in the Active |

| |Directory from the root are members of the Enterprise and Local Administrative group. The permission to login to a |

| |system will need to be allocated to the user via permissions given from a GPO placed within the local administrators |

| |OU.  The so-called “account/account” will also be blocked, unless granted access privilege. |

|Note: |The no override setting on user settings is reserved for the root level GPO. It should not be used by any local |

| |administrator on settings designed for user behavior modification, as this setting will cause the User GPO settings to |

| |be propagated throughout the entire forest. |

|Note: |A GPO has been developed to automatically map a network drive to the U-drive share for a user as they log on to the |

| |system. This GPO is disabled for all users. If a local administrator wished to enable it, please forward a request to|

| |an Enterprise Administrator identifying the OU and the name of the Group to enable. |

• Blank GPO Worksheet – a worksheet that can be used to document the settings you use in the GPO(s) developed for your OU.

Create a Group Policy Object

Because of the unique structure employed at CSUN for the Active Directory forest, local administrators must develop two separate GPO’s. The first GPO would be for computer settings and the second GPO for user settings. As local administration of OU’s is desired, the computer GPO will be placed on the OU containing the computers and the group(s) by local administrator. The user GPO (if necessary) will have to be submitted to an Enterprise Administrator to be placed in the OU=Auth or at the root of the tree.

|Note: |While the Computer GPO’s can be set as not overrideable (though this practice is not recommended), the User GPO’s must |

| |be overrideable and must have the Authenticated User security settings for both read and apply disabled and the group |

| |the GPO applies to added with the read and apply GPO enabled. |

1. Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.

2. Select location of GPO.

|Note: |This may require you to click the + next to your OU to expand it. |

3. Right click the selected location and click on Properties.

4. Select the Group Policy Tab

5. Click New. A new GPO is created.

6. Enter the name of the new GPO and press enter.

|Note: |There is currently no universal naming convention at CSUN for GPO’s, however, as all GPO’s are stored in a single |

| |folder GPO names must start with the name of the first level OU responsible for it. For example all GPO’s for ITR will|

| |start with “ITR-“, also if a User GPO is being developed for use in conjunction with a Computer GPO they both should |

| |have the same name with a “–u” or “–c” appended to the end of the name. |

7. Select the newly created GPO and click on Edit.

8. Using a previously completed Blank GPO Worksheet as a guide, fill in the appropriate settings.

9. When you are finished, exit the GPO and check the security settings of the GPO to insure that they are correct, then click OK.

The new GPO will be applied to all systems from that OU and below either the next time a user logs into a system in that OU or at the next system wide update (within 90 minutes).

|Note: |You should note that the number of User GPO’s that are applied to a user affect the logon processing time and the |

| |number of Computer GPO’s applied affects the boot time. This time can be reduced by disabling the unused half of the |

| |GPO. To do this, right-click the GPO, click Properties, click either Disable Computer Configuration settings or |

| |Disable User Configuration settings, and then click OK. These options are available on the GPO Properties page, on the|

| |General tab. |

Edit a Group Policy Object

Occasionally, a policy will need to be updated or changed. To do this:

1. Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.

2. Select location of GPO.

|Note: |This may require you to click the + next to your OU to expand it. |

|Note: |If a previously implemented User GPO needs editing, it must be done by an Enterprise Administrator. |

3. Right click the selected location and click on Properties.

4. Select the Group Policy Tab

5. Select the GPO that needs changing and click on Edit.

6. Expand the appropriate section(s).

7. Find the setting that needs updating and double click it.

8. Make the appropriate corrections and press enter.

|Note: |Changing a setting from either Enabled or Disabled to “Not Defined” will not delete the local setting. Once defined, |

| |the best way to change a setting is to select the opposite setting from the original (Enabled changes to Disabled and |

| |vice versa). |

9. When you are finished exit the GPO editor, changes will be saved automatically. The new GPO will be applied to all systems from that OU and below either the next time a user logs on to a system in that OU or at the next system wide update (within 90 minutes).

Use an ADM file to create a GPO

It is possible to implement Registry-Based Group Policies. These policies allow the local administrator to define and implement registry settings that further control the state of the computers and users via a GPO. While explaining how to write an .adm file is beyond the scope of this document, a good reference of how to write an .adm file can be found at regappgp.asp

|Note: |Two .adm files are provided for use or as examples. The first sets the local computer up to point to the Software |

| |Update Service (SUS) server. This SUS server can either be local to the OU or the one provided and maintained by the |

| |ITR. The purpose of the SUS server is to reduce bandwidth usage and provide local systems with an unassisted ability |

| |to receive and install critical updates automatically at a given time and on a given day. The second .adm file |

| |provides the local administrator the ability to limit the user’s ability to do specific things. This .adm file is |

| |useful in a computer laboratory setting where limits need to be in place. |

Once an .adm file is created it needs to be integrated into a GPO (both for testing and for implementation). The integration is accomplished as follows (assuming the GPO exists):

1. Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.

2. Select location of GPO.

|Note: |This may require you to click the + next to your OU to expand it. |

3. Right click the selected location and click on Properties.

4. Select the Group Policy Tab

5. Select the GPO that needs changing and click on Edit.

6. Under either Computer Settings OR User Settings, right click on Administrative Templates.

7. On the context menu that appears, click on Add/Remove Templates.

8. A new dialog box will appear that will allow you to add or remove .adm templates. Click on Add.

9. Enter the name of the filename of the .adm file that you would like to add.

10. Click on Open.

11. If your .adm file was successfully loaded, you will be returned to the dialog that you saw in Step 8. In this case click on Close. Your policy template has been added successfully. Skip all the steps below.

12. If your .adm file was not successfully loaded, you will be presented with a dialog displaying the errors that occurred during the loading of .adm.

13. At this point, make a note of the errors that were found. Click on OK.

14. You will be returned to the dialog that you saw during Step 8. Although your .adm file was not successfully loaded, it will still appear in the list of .adm files loaded.

15. Select your .adm file, and click on Remove.

16. Click on Close.

17. You are now back to the Group Policy snap-in. At this point, edit your .adm file and correct any problems. Then repeat this process again starting from Step 6, to try to load your .adm template again.

Publishing a Shared Folder

Any shared network folder, including a Distributed File System (DFS) folder, can be published in Active Directory. Creating a Shared folder object in the directory does not automatically share the folder. This is a two-step process: you must first share the folder, and then publish it in Active Directory. To share a folder called Engineering Specs and share it from the ITR\Network Engineering & Operations OU:

1. Use Windows Explorer to create a new folder called Engineering Specs on one of your disk volumes.

2. In Windows Explorer, right-click the folder name, and then click Properties. Click Sharing, and then click Share this folder.

3. In the New Object–Shared Folder dialog box, type ES in the Share name box and click OK. By default, Everyone has permissions to this shared folder. If you want, you can change the default by clicking the Permissions button.

4. Populate the folder with files, such as documents, spreadsheets, or presentations.

To publish the shared folder in the directory

1. In the Active Directory Users and Computers snap-in, right-click the ITR\Network Engineering & Operations OU, point to New, and click Shared Folder.

2. In the Name box, type Engineering Specs.

3. In the Network Path name box, type the IP address of the system where the folder resides, for example: \\130.166.250.255\ES or \\daxps.csun.edu\ES and click OK.

4. The ITR\Network Engineering & Operations organizational unit appears as shown in Figure 13 below:

5. Users can now see this volume while browsing in the directory.

[pic]

Figure 13 Network Engineering & Operations OU contents showing a shared folder

To browse the directory

1. Double-click My Network Places on the desktop.

2. Double-click Entire Network, and then click Entire contents of the network.

3. Double-click the Directory.

4. Double-click the domain name, csun, and then double-click the name of the OU (e.g. ITR\Network Engineering & Operations. To view the files in the volume, either right-click the Engineering Specs volume, and click Open, or double-click Engineering Specs).

Publishing a Printer

This section describes the processes for publishing printers in a Windows 2000 Active Directory-based network.

Windows 2000 Printers

You can publish a printer shared by a computer running Windows 2000 by using the Sharing tab of the printer Properties dialog box. By default, Listed in the directory is enabled. The directory is the Active Directory data store. (This means that Windows 2000 Server publishes the shared printer by default.) The print subsystem will automatically propagate changes made to the printer attributes (location, description, loaded paper, and so forth) to the directory.

|Note: |For this section of this guide, you must have a printer available and know its IP address. If you do not have an IP |

| |printer, you can still run through these procedures, substituting the correct port for Standard TCP/IP Port. |

To add a new printer

1. Click Start, point to Settings, click Printers, and then double-click Add Printer. The Add Printer Wizard appears. Click Next.

2. Click Local Printer, clear the Automatically detect and install my Plug and Play printer checkbox, and click Next.

3. Click the Create a new port option, then scroll to Standard TCP/IP Port, and click Next.

4. The Add Standard TCP/IP Printer Port Wizard appears. Click Next.

5. On the Add Port page, type the IP address of the printer in the Printer Name or IP Address box, type the port name in the Port name box, and click Next. Click Finish.

6. Select your printer's manufacturer and model in the Printers list box, and then click Next.

7. In the Printer name text box, type the name of your printer.

8. On the Printer Sharing page, type a name for the shared printer. Choose a name no more than eight characters long so computers running earlier versions of the operating system display it correctly.

9. Type in the Location and Comment in those text boxes.

10. Print a test page. Click Finish.

After you create the printer, the printer is automatically published in Active Directory and the Listed in the Directory check box is selected.

You might also need to find the server from which a printer is shared out before adding it to the machine you are working on.

To locate a printer

1. Click Start, point to Settings, and then click on Printers.

2. Double-click the Add Printer icon.

3. In the Add Printer Wizard dialog box, click the Next button.

4. Select the Network printer button, and then click Next.

5. Select the Find a printer in the Directory button, and then click Next.

6. The Find Printers dialog box displays. If you know which domain your printer resides in, click the Browse button and choose that domain to narrow your search. Then, on the Printer tab, add the printer Name, Location, or Model to those text boxes, and click the Find Now button.

|Note: |If you do not know the name, location, or model of the printer, you can simply click the Find Now button, and all the |

| |printers in the domain you selected will be listed in the list box. |

Adding Non-Windows 2000 Printers

You can publish printers shared by operating systems other than Windows 2000 in the directory. The simplest way to do this is to use the pubprn script. This script will publish all the shared printers on a given server. It is located in the \winnt\system32 directory.

To publish a printer shared from a non-Windows 2000 server using the pubprn.vbs script

1. Click Start, click Run, and type cmd in the text box. Click OK.

2. Type cd\ winnt/system32 and press Enter.

3. Type cscript pubprn.vbs printer server name where in this example "LDAP://ou=ecs,dc=csun,dc=edu" and press Enter. This publishes the printer to the specified OU.

This script copies only the following subset of the printer attributes:

Location

Model

Comment

UNCPath

You can add other attributes by using the Active Directory Users and Computers snap-in.

|Note: |You can rerun pubprn and it will update rather than overwrite existing printers. |

Alternatively, you can use the Active Directory Users and Computers snap-in to publish printers on non-Windows 2000 servers.

To use the Active Directory Users and Computers snap-in to publish printers

Right-click the Marketing organizational unit, click New, and click Printer.

The New Object-Printer dialog box pops up. In the text box, type the path to the printer, such as \\server\share name. Click OK.

End users can realize the benefit of printers being published in the directory because they can browse for printers, submit jobs to those printers, and install the printer drivers directly from the server.

To browse and use printers in the directory

On the Desktop, click Start, click Search, and click For Printers.

In the Find Printers dialog, select the subdirectory in which you would like to search for printers. Then type information into the Name, Location, or Model text boxes. Click the Find Now button to get a list of published printers.

Renaming, Moving, and Deleting Objects

Every object in the directory can be renamed and deleted, and most objects can be moved to different containers provided you have the appropriate authorizations and permissions.

To move an object, right-click the object, and then click Move.

Click Browse. The Directory Browser will appear, enabling you to select the destination container for the object that you are moving.

[pic]

Figure 14 List of available OUs

Folder Redirection

The Folder Redirection extension to Group Policy is used to redirect such user-specific folders as My Documents from the client to a server, facilitating administrative management of user data.

Let the system create folders for each user

To ensure that folder redirection works as well as possible, create the root share only on the server, and let the system create the folders for each user. For the best experience, set the share permissions to Full Control for the security groups you are redirecting, and set the NTFS permissions for Everyone to Full Control, this folder, subfolders and files. If you must create folders for the users, ensure that you have the correct permissions set. The tables below shows the default and minimum permissions required for folder redirection.

|User Account |Folder Redirection Defaults |Minimum permissions needed |

|Creator/owner |Full Control, this folder, subfolders |Full Control, this folder, subfolders and |

| |and files |files |

|Local Administrator |Full Control, this folder, subfolders |Full Control, this folder, subfolders and |

| |and files |files |

|Everyone |Full Control, this folder, subfolders |List Folder/Read data, Create Files/Write |

| |and files |Data, Create Folders/Append Data - This |

| | |Folder only |

|Local System |Full Control, this folder, subfolders |Full Control, this folder, subfolders and |

| |and files |files |

NTFS Permissions required for root folder

|User Account |Folder Redirection Defaults |Minimum permissions needed |

|Everyone |Full Control |Use security group that matches the users who|

| | |will need to put data on share |

Share level (SMB) Permissions required for root folder

|User Account |Folder Redirection Defaults |Minimum permissions needed |

|%username% |Full Control, owner of folder |Full Control, owner of folder |

|Local System |Full Control |Full Control |

|Everyone |Traverse Folder, Read Attributes, Read |Everyone - no permissions |

| |Extended Attributes and Read Permissions| |

NTFS Permissions required for each user's redirected folder

Use offline folder settings on the server share where the user's info is stored

This is especially important for users with laptops. Redirected folders of any type should be coupled with offline files. The recommended configuration for offline files to use is:

|• MyDocs: |Autocaching for Documents or Manual Caching for documents (if you want users to have |

| |to "pin" files) |

|• AppData: |Autocaching for Programs |

|• Desktop: |Autocaching for Programs if the desktop is read-only |

|• StartMenu: |Autocaching for Programs |

Incorporate %username% into fully qualified universal naming convention (UNC) paths. This allows the system to easily create folders for users based on their username.

o For example, \\server\share\%username%\My Documents

Have My Pictures follow My Documents

o This is advisable unless there is a compelling reason not to, such as file share scalability.

Policy removal considerations

Keep in mind the behavior your folder redirection policies will have upon policy removal. The Folder Redirection section of the online help gives details.

• Accept defaults. In general, accept the default folder redirection settings.

• Don't store roaming profiles on the same server as redirected folders that are enabled for offline use

• When a share is unavailable, offline folders considers the whole server to be unavailable until the offline cache is manually synchronized. Roaming profiles will not be synchronized with the server while offline folders considers the server to be unavailable.

• If you are using offline folders in conjunction with folder redirection and roaming user profiles, you should ensure that the folder redirection share and the profiles share are located on different servers.

[pic]Offline Folders Tips and Tricks

• Do not put the server share in a Distributed File System (DFS) tree

• Using offline folders located in a Distributed File System (Dfs) tree is not supported. If you do put shares configured for offline use in a Dfs tree, unexpected behavior, such as Access Denied errors, may occur when moving from an offline to online state.

• Not all types of files can be synchronized

• By default, .mdb and .pst files are not synchronized as they have other mechanisms of synchronizing.

• Don't store roaming profiles on the same server as redirected folders that are enabled for offline use

• See Folder Redirection Tips and Tricks for details.

• Leaving certain kinds of documents open can prevent entering standby mode.

• When using offline folders, the original versions of Microsoft Word 2000and Excel 2000 prevent the computer from going into standby mode when a document or spreadsheet is open. This is fixed in Office 2000 SR1.

User profiles overview

On computers running Windows 2000 and above operating systems, user profiles automatically create and maintain the desktop

Advantages of using user profiles

User profiles provide several advantages:

• More than one user can use the same computer. When users log on to their individual workstations, they receive the desktop settings as they existed when they logged off.

• Customization of the desktop environment made by one user does not affect another user's settings.

• User profiles can be stored on a server so that they can follow users to any computer running a Microsoft Windows NT or later operating system on the network. These are called roaming user profiles.

• As an administrative tool, user profiles provide these options:

• You can create a default user profile that is appropriate for the user's tasks.

• You can set up a mandatory user profile that does not save changes made by the user to the desktop settings. Users can modify the desktop settings of the computer while they are logged on, but none of these changes are saved when they log off. The mandatory profile settings are downloaded to the local computer each time the user logs on. For more information on mandatory profiles, see .

• You can specify the default user settings that will be included in all of the individual user profiles.

User profile types

A user profile defines customized desktop environments, which include individual display settings, network and printer connections, and other specified settings. You or your system administrator can define your desktop environment.

Types of user profiles include:

• Local user profile--A local user profile is created the first time you log on to a computer and is stored on a computer's local hard disk. Any changes made to your local user profile are specific to the computer on which you made the changes.

• Roaming user profile--A roaming user profile is created by the system administrator and is stored on a server. This profile is available every time you log on to any computer on the network. Changes made to your roaming user profile are updated on the server.

|Note: |CSUN Active Directory does not actively support the use of roaming profiles. References to roaming profiles are for |

| |informational purposes only |

• Mandatory user profile--A mandatory user profile is a roaming profile that can be used to specify particular settings for individuals or an entire group of users. Only system administrators can make changes to mandatory user profiles.

• Temporary user profile--A temporary profile is issued any time that an error condition prevents the users profile from being loaded. Temporary profiles are deleted at the end of each session. Changes made by the user to their desktop settings and files are lost when the user logs off.

Contents of a user profile

Every user profile begins as a copy of Default User, which is a default user profile stored on each computer running a Windows operating system. The NTuser.dat file within Default User contains Windows configuration settings. Every user profile also uses the common program groups contained in the All Users folder.

The user profile folders contain various items including the desktop and Start menu. The following table lists and describes the contents of each user profile folder.

|User profile folder |Contents |

|Application Data |Program-specific data (for example, a custom dictionary). Program vendors decide what data to store in |

| |this user profile folder. |

|Cookies |User information and preferences. |

|Desktop |Desktop items, including files, shortcuts, and folders. |

|Favorites |Shortcuts to favorite locations on the Internet. |

|Local Settings |Application data, history, and temporary files. Application data roams with the user by way of roaming |

| |user profiles. |

|My Documents |User documents and subfolders. |

|My Recent Documents |Shortcuts to the most recently used documents and accessed folders. |

|NetHood |Shortcuts to My Network Places items. |

|PrintHood |Shortcuts to printer folder items. |

|SendTo |Shortcuts to document-handling utilities. |

|Start Menu |Shortcuts to program items. |

|Templates |User template items. |

NTuser.dat file

The NTuser.dat file is the registry portion of the user profile. When a user logs off of the computer, the system unloads the user-specific section of the registry (that is, HKEY_CURRENT_USER) into NTuser.dat and updates it. For more information about the registry, see standard/proddocs/en-us/sag_ntregconcepts_mply.asp.

All Users folder

Although they are not copied to user profile folders, the settings in the All Users folder are used to create the individual user profiles. The Windows operating system supports two program group types:

• Common program groups are always available on a computer, no matter who is logged on.

• Personal program groups are private to the user who creates them.

Common program groups are stored in the All Users folder under the Documents and Settings folder. The All Users folder also contains per-computer settings for the Desktop and the Start menu.

|Note: |The My Documents, My Pictures, Favorites, Start Menu, and Desktop folders are the only folders displayed in Windows |

| |Explorer by default. The NetHood, PrintHood, Local Settings, Recent, and Templates folders are hidden and do not appear|

| |in Windows Explorer. To view these folders and their contents in Windows Explorer, on the Tools menu, point to Folder |

| |options, click the View tab, and then click Show hidden files and folders. |

| | |

|Note: |On computers running Windows operating systems with the NTFS file system, only members of the Administrators group can |

| |create, delete, or modify the common program groups. |

To copy a user profile

• Open System in Control Panel.

• On the Advanced tab, under User Profiles, click Settings.

• Under Profiles stored on this computer, click the user profile you want to copy, and then click Copy To.

• Do one or more of the following:

1. To specify where the new profile will be saved:

▪ In Copy profile to, type the location for the new profile, or click Browse to select the path.

2. To specify who is permitted to use the copied profile

▪ In Permitted to use, click Change.

• In the Select User or Group dialog box, in Enter the object name to select, add the user, group, or built-in security principle or click Object Types to select an object type.

• To specify a domain to search, in the Select User or Group dialog box, click Locations, and then select the domain.

• To further narrow your search, in the Select User or Group dialog box, click Advanced.

• Click OK

|Note: |To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have |

| |been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group |

| |might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure. |

| | |

|Note: |To open System, click Start, click Control Panel, click Performance and Maintenance, and then click System. |

| | |

|Note: |The My Documents, My Pictures, Favorites, Start Menu, and Desktop folders are the only folders displayed in Windows |

| |Explorer by default. The NetHood, PrintHood, Local Settings, Recent, and Templates folders are hidden and do not appear|

| |in Windows Explorer. To view these folders and their contents in Windows Explorer, on the Tools menu, point to Folder |

| |options, click the View tab, and then click Show hidden files and folders. |

| | |

|Note: |To open System from a command line as an administrator, type: |

| |runas /user:computername\Administrator "rundll32.exe shell32.dll,Control_RunDLL sysdm.cpl" |

| | |

|Note: |You cannot copy or delete a user profile that belongs to the currently logged on user or any user whose profile is in |

| |use. |

| | |

|Note: |If you copy the profile to a new location, you must update the User Profile Path entry for the user's account to refer |

| |to this new location as well. |

| | |

|Note: |You cannot use Windows Explorer or any other file management utility to copy user profiles. |

To create a preconfigured user profile

1. Create a new user account that will be used as a template for the preconfigured user profile. For more information, see Create a new user account in the Step-by-Step Guide to Managing the Active Directory.

2. Log on as the new user, then customize the desktop and install applications to configure this user's profile for the user profile template.

3. Log off, and then log on as the administrator.

4. Open System in Control Panel.

5. On the Advanced tab, under User Profiles, click Settings.

6. Under Profiles stored on this computer, select the user that you created in step 1, and click Copy To.

▪ If you want a domain-wide default profile, enter the path to NETLOGON\Default User on the domain controller. This creates the default user profile for the domain.

▪ If you want to change the default profile for the local computer only, copy the profile to the systemroot\Documents and Settings\Default User folder.

7. In the Copy To dialog box, under Permitted to use, click Change.

8. In the Select User or Group dialog box, in Enter the object name to select, type Everyone. This sets the profile as the default for everyone in this domain.

|Caution: |If you are using a roaming profile and install a program on one computer while simultaneously logged on to another|

| |computer, you might overwrite crucial program-related registry settings stored in your roaming profile, thus |

| |preventing you from running those programs. |

| | |

| |For example: You are logged on to computer A and computer B. You install a program on computer B and then log off |

| |computer B. Computer B stores the shortcuts for the application, and the registry is saved to your roaming |

| |profile. Computer A does not get updated profile information until you log off and log on again. |

| | |

| |When you log off from computer A, however, the computer writes to the registry stored in the roaming profile |

| |(which now includes the Microsoft Windows Installer (MSI) registration for the program you installed on computer |

| |B) with the stale registry information from computer A. The program shortcuts remain in your roaming profile but |

| |the Windows Installer data stored in the registry settings is lost, preventing you from running the programs. |

| | |

| |You can repair your roaming profile by repairing or reinstalling the program on computer B or by installing the |

| |program on computer A. |

| | |

|Note: |To perform this procedure, you must be a member of the Administrators group on the local computer, or you must |

| |have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins|

| |group might be able to perform this procedure. As a security best practice, consider using Run as to perform this |

| |procedure. |

| | |

|Note: |To open System, click Start, click Control Panel, click Performance and Maintenance, and then click System. |

| | |

| | |

| | |

|Note: |To open System from a command line as an administrator, type: |

| |runas /user:computername\Administrator "rundll32.exe shell32.dll,Control_RunDLL sysdm.cpl" |

| | |

|Note: |You cannot copy or delete a user profile that belongs to the currently logged on user or any user whose profile is|

| |in use. |

| | |

|Note: |The first time a user logs on, a copy of the preconfigured user profile is returned from the server instead of a |

| |copy of the default profile on the local computer. Thereafter, the user profile functions the same as a standard |

| |roaming user profile does. Each time the user logs off, the user profile is saved locally and is also copied to |

| |the server. |

| | |

|Note: |The Windows operating system does not support the use of encrypted files within the roaming user profiles. |

| | |

|Note: |Roaming user profiles used with Terminal Services clients are not replicated to the server until the interactive |

| |user logs off and the interactive session is closed. |

User Profiles and Roaming User Profiles Tips and Tricks

Profiles are basic to the system and they were part of Windows NT 4.0. Generally, they work and are configured in Windows 2000 as they did in Windows NT 4.0. When the user object is enabled with roaming user profiles, it is considered part of IntelliMirror feature set.

If your users roam between Windows NT 4.0 clients and Windows 2000 clients, set the profile path during installation on Windows 2000

o For more info: Q224012 Using User Profiles with Both Windows 2000 and Windows NT 4.0

Redirect the location of My Documents folder outside of the user's roaming profile.

o The best way is with folder redirection. If you do not have Active Directory enabled, you can do this with a logon script or instruct the user to do so.

Do not use Encrypted File System (EFS) with roaming user profiles, offline folders, or File Replication Service (FRS).

o EFS is not compatible with roaming user profiles, offline folders, or FRS.

Don't set disk quotas too low for users with roaming profiles

o If a user's disk quotas are set too low, roaming profile synchronization may fail. Make sure enough disk space is allocated to allow the system to create a temporary duplicate copy of a user's profile. The temporary profile is created in the user's context as part of the synchronization process, so it debits his or her quota.

Do not use offline folders on roaming profile shares.

o Make sure that you turn off offline files for shares where roaming user profiles are stored. If you do not turn off offline folders for a user's profile, you may experience synchronization problems as both offline folders and roaming profiles try to synchronize the files in a user's profile.

|Note: |This does not affect using offline folders with redirected My Documents etc. |

Don't store roaming profiles on the same server as redirected folders that are enabled for offline use

o See Folder Redirection Tips and Tricks for details.

If roaming profiles are stored on a Windows NT 4.0 share, ensure that users are given "Full Control" share permissions.

o If you are using Windows 2000 Professional in a Windows NT 4.0 domain, and the server hosting the profile share is a Windows NT 4.0 computer, make sure that users are given Full Control share permissions. Not having the share permissions set to Full Control will result in profiles not synchronizing. The event log will contain errors such as :

|Event Type: |Error |

|Event Source: |Userenv |

|Event Category: |None |

|Event ID: |1000 |

|Description: |Windows cannot unload your registry file. If you have a roaming profile, your |

| |settings are not replicated. Contact your administrator. |

|Detail - |Access is denied. |

This problem occurs because Change permission does not allow WRITE_DAC access, so the system cannot copy ACL’s. Windows 2000 copies Roaming Profiles ACL’s, whereas Windows NT 4.0 does not.

Attachments:

Creating a Local User Account

The following procedure creates the user account James Smith in the /ITR/Network Engineering & Operations OU.

|Note: |This procedure is provided for informational purposes only. Active Directory is populated with a list authorized users|

| |(contained in OU = Auth/People). This list is a mirror of the list maintained at the Enterprise level. This procedure|

| |would be followed for a specialized user (e.g. if a local daemon requires a local logon, though this practice is |

| |strongly discouraged). Only Enterprise Administrators are authorized to create local accounts. If you need a local |

| |user account please contact the Enterprise Administrator. Local user accounts not created by an Enterprise |

| |Administrator will be deleted whenever found. |

To create a new local user account

1. Right-click the /ITR/Network Engineering & Operations organizational unit, point to New, and then click User, or click New User on the snap-in toolbar.

2. Type user information as in Figure 15 below:

[pic]

Figure 15 New User dialog

|Note: |The Full name is automatically filled in after you enter the First and Last names. |

3. Click Next to proceed.

4. Type a password in both the Password and Confirm password boxes and click Next.

5. Accept the confirmation in the next dialog box by clicking Finish.

You have now created an account for James Smith in the /ITR/Network Engineering & Operations OU. To add additional information about this user:

6. Select /ITR/Network Engineering & Operations in the left pane, right-click James Smith in the right pane, and then click Properties.

7. Add more information about the user in the Properties dialog box on the General tab as shown in Figure 13 below, and click OK. You are provided with this selection of optional entries. Click each tab you want to go to.

[pic]

Figure 16 Additional User Information

................
................

In order to avoid copyright disputes, this page is only a partial summary.

Google Online Preview   Download