RUP's

raiedraied Member Posts: 93 ■■■□□□□□□□
Hello all. Can someone help me with roaming user profiles? Can I have more than one RUP on a share? Or do you need a different share for each RUP? If I copy a profile up to a share (i.e //server1/shaer/ltop), how do I point to that porfile I copied up to the share?

Comments

  • Non-Profit TechieNon-Profit Techie Member Posts: 418 ■■□□□□□□□□
    what study guide are you using?
  • raiedraied Member Posts: 93 ■■■□□□□□□□
    I am using both Microsoft and Syngress books.
  • royalroyal Member Posts: 3,352 ■■■■□□□□□□
    The way it will work in the majority of environments:

    1. md C:\ profiles
    2. Share profiles directory and give Everyone Full
    3. Set all users to have full control to the profiles directory
    4. Create a template account in the OU of choice
    5. In the profile field for this user do \\server\profiles\%username% (When you apply it will actually change the name to the name of the template account. Don't worry, AD knows you used %username%. Therefore, when you create a new users you can just copy the template account to create the new account and it'll use the %username% and substitute the template user's name with the newly created username.
    6. When a user logs in, lets say Joe, it will automatically create a folder in the profiles directory where ONLY Joe can access it. You can configure Group Policy to allow administrators to access these user profiles. This of course depends on company policies regarding privacy.

    So taking a look back at step #6. Even though the profiles folder has full permission to pretty much everyone, when a user creates a profile, it does not inherit permission. It restricts access ONLY to that user who is creating the profile (by default) by logging in through AD.
    “For success, attitude is equally as important as ability.” - Harry F. Banks
  • TregTreg Member Posts: 79 ■■□□□□□□□□
    You can configure Group Policy to allow administrators to access these user profiles. This of course depends on company policies regarding privacy.

    Probably a good idea to add anyway for troubleshooting etc.
  • royalroyal Member Posts: 3,352 ■■■■□□□□□□
    Just as an FYI, the setting I stated in #6 could be found in the following location:
    Computer Configuration > Administrative Templates > System > Logon

    And as another FYI, this setting does not exist anymore in Vista. Not sure if it was relocated to another location as I haven't bothered looking yet. IF you do enable this setting, one problem is it might not work due to asynchronous group policy application. Basically, that means that your system is booting up, windows tries to provide a user with the login box and starts the user login while computer configuration is still being applied. Because of this, the user might have logged in and created the profile before the computer configuration setting you modified (to add admins to the ACL) was fully applied. Therefore, you would have a roaming profile created with no Administrator access. If you really want to ensure administrators are added to the ACL, turn off asynchronous mode by setting the "Always wait for the network at computer startup and logon" which is in the same location.
    “For success, attitude is equally as important as ability.” - Harry F. Banks
Sign In or Register to comment.