Step-by-Step Guide To Managing The Active Directory
Step-by-Step Guide to Managing the Active Directory
Version Number | Date of Issue | Author(s) | Brief Description of Change(s)
1.00 | 2/10/04 | D. Aragon | Initial Version
1.01 | 5/12/04 | D. Aragon | Added section on user profiles.
1.02 | 5/21/04 | D. Aragon | Added Document Control Table and Table of Contents.
1.03 | 7/26/04 | D. Aragon | Added security warning and corrected several typos.
1.04 | 3/15/07 | D. Aragon | Updated guide to reflect procedures for Windows Server 2003 Active Directory FFL.
Table of Contents
Introduction
Prerequisites
In this Step-by-Step Guide
Using the Active Directory Users and Computers Snap-in tool
Recognizing Active Directory Objects
Adding an Organizational Unit
Creating a Computer Object
Adding a Computer to the Domain
Managing Computer Objects
Managing a Remote Computer
Creating a Group
Adding a User to a Group
Nested Groups
Creating Nested Groups
Finding Specific Objects
Filtering a List of Objects
Writing a Group Policy Object
Create a Group Policy Object
Edit a Group Policy Object
Use an ADM file to create a GPO
Publishing a Shared Folder
To publish the shared folder in the directory
To browse the directory
Publishing a Printer
Windows 2000 Printers
To add a new printer
To locate a printer
Adding Non-Windows 2000 Printers
To use the Active Directory Users and Computers snap-in to publish printers
Folder Redirection
Let the system create folders for each user
Use offline folder settings on the server share where the user's info is stored
Policy removal considerations
Offline Folders Tips and Tricks
User profiles overview
Advantages of using user profiles
User profile types
Contents of a user profile
NTuser.dat file
All Users folder
To copy a user profile
To create a preconfigured user profile
User Profiles and Roaming User Profiles Tips and Tricks
Attachments
Introduction
ITR, in conjunction with TSAG Members, has been tasked with implementation of the policies and management of the top level (root) organizational unit (OU), along with implementing TSAG approved changes to the schema and the top level (root) Group Policy Object (GPO). As local autonomy of the individual colleges and organizations represented at the first level OU is desired, local administration of these OUs will fall on TSAG members or their appointed representatives. This guide is provided to TSAG Members as an introduction to the administration of the Active Directory service and the Active Directory Users and Computers snap-in. This snap-in allows you to add, move, delete, and alter the properties for objects such as users, contacts, groups, servers, printers, and shared folders. It is available for download as part of the Active Directory administrative tools from the Active Directory web site (http://www.csun.edu/tsag/activedirectory). The Active Directory administrative tools can only be used from a computer with access to a domain.
Prerequisites
This document is based on the following documents and web pages:
Step-by-Step How-To-Guide to the Common Infrastructure for Windows 2000 Server Deployment, Part One: http://www.microsoft.com/technet/win2000/depprof1.asp, Part Two: http://www.microsoft.com/technet/win2000/depprof2.asp, and http://www.microsoft.com/technet/prodtechnol/ad/windows2000/howto/managad.asp.
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/directory/activedirectory/stepbystep/admng.mspx
This document assumes you are familiar with Windows 2003 or Windows XP and that you have Administrative authority for your OU (i.e. you have an “a under-bar” account).
Folder Redirection
Additional Useful Information
Policy Removal Considerations
Offline Folder Tips and Tricks
User Profile Overview
User Profiles and Roaming User Profiles Tips and Tricks
Attachments
Creating a User Account
Group Policy Object Settings Explanation
Root Group Policy Object settings
Blank Group Policy Object Worksheet
Note: If you have not done so already, install the Administrative Package found on the Active Directory Administration Web Site (www.csun.edu/tsag/activedirectory). Download and install the correct administrative package for your operating system (admin2k.exe for Windows 2000 or adminxp.exe for Windows XP or Windows Server 2003). This will install the proper snap-in referenced in this section.
1. To start the Active Directory Users and Computers snap-in, click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
2. Expand csun.edu by clicking the +.
3. Figure 1 below displays the key components of the Active Directory Users and Computers snap-in for csun.edu.
Note: You can create nested organizational units and there is no limit to the nesting levels, though Microsoft suggests that nesting more than five levels deep might slow the logon process.
These steps follow the Active Directory structure begun in the "Step-by-Step Guide to a Common Infrastructure for Windows 2000 Server Deployment" (http://www.microsoft.com/technet/win2000/depprof1.asp). For your own organization, add the OUs under your organizational OU contained within the csun.edu Active Directory forest.
Note: You are not allowed to add a first level OU. Unauthorized first level OUs will be deleted without warning.
When you are finished, you should have a hierarchy similar to Figure 2 below:
Note: Each object name must be unique within the entire Active Directory.
Note: To view the name of the computer you plan to add to Active Directory:
a. To view the computer's name in Windows 2000
i. Right-click on My Computer
ii. Click on Properties
iii. In the panel on the left side, click the Network Identification link
iv. Computer Name is shown as Full Computer Name (use the portion preceding the .csun.edu if it is present).
v. For example, if the full computer name is daxps.csun.edu, the computer name you will want to enter is daxps.
b. To view the computer's name in Windows XP
i. Right-click on My Computer
ii. Click on Properties
iii. Click on the Computer Name tab
iv. Computer Name is shown as Full Computer Name (use the portion preceding the .csun.edu if it is present).
v. For example, if the full computer name is daxps.csun.edu, the computer name you will want to enter is daxps.
Note: Naming a computer with the name of the primary user may present an unnecessary security risk by alerting those who may be snooping on the network to the identity of the user of a particular machine, thereby making that machine the target of a directed attack. From a security standpoint, it would be better to name the computers in your OU something less identifying.
4. Optionally, you can select which users are permitted to join a computer to the domain. This allows the administrator to create the computer account and someone with lesser permissions to install the computer and join it to the domain.
5. Once created, you should right-click the object and select the Security tab. Ensure that your a_account is not present; if it is, then remove it. Also ensure your Administrative group is listed. If it isn't, then add it. Not doing this could restrict your administrative control of this object.
Note: If you cannot see the Security tab, from the top line menu select View and select Advanced Features.
puters. You must then contact one of the e_account holders or a member of the ITR-Admin group to move it to its correct location.
1. Open up a command window (select Start, select Run and type cmd in the text box).
2. At the prompt, type: net time /setsntp:ntp.csun.edu
3. You should get a response that states: The command completed successfully.
4. Type: net stop w32time
5. You should get a response that states: The Windows Time service was stopped successfully.
6. Type: net start w32time
7. You should get a response that states: The Windows Time service was started successfully.
8. Close the command window.
Note: The following example assumes that you are working from a system and with an account that has management privileges on the system being managed and that the system being managed is currently running.
1. In the Active Directory Users and Computers snap-in, click the + next to csun.edu.
2. Select the appropriate OU and expand it by clicking the +. Repeat this process until you get down to the level of the computer you wish to remotely manage.
3. Right-click the computer object and then click Manage.
4. If you are authorized to do so, a management window will open as shown in Figure 5. If the system cannot be remotely managed, a warning will be issued (Figure 6) and a management window will open as shown in Figure 7. If you are not authorized, a management window will open as shown in Figure 8.
Creating a Group
A group is a container for people who have something in common and that need to be managed in a similar fashion. Examples of groups include the students in a specific class who are the only ones authorized to use the resources of a particular computer lab, or the administrative staff. However, a group could just as easily be those people with birthdays in August.
For example, to create a group called Comp100Users in the ECS OU:
1. Right-click the ECS OU, click New, and then click Group.
2. In the Name of New Group text box, type: Comp100Users
3. Select the appropriate Group type and Group scope and then click OK.
   The Group type indicates whether the group can be used to assign permissions to other network resources, such as files and printers.
   The Group scope determines the visibility of the group and what type of objects can be contained within the group.
Nested Groups
Nested groups allow you to provide college-wide or department-wide access to resources with minimum maintenance. Placing every user account into a single college-wide resource group is not an effective solution because it requires the creation and maintenance of a large number of membership links. To use nested groups, administrators create a series of account groups that represent the managerial divisions of the college or unit.
For example, the top account group might be called "ECS Users," and would be attached to a resource group that gives access to resources and shared directories. The next level might contain account groups that represent major divisions of the college, for example CEAM, ME, CS, ECE, and MSEM. Each group at this level is a member of ECS Users, and is attached to a resource group giving access to shares and other resources appropriate to the division it represents.
Within a division, the next level of account groups might represent departments. Shared resources for the department might include project schedules, meeting schedules, vacation schedules, or any network information appropriate to the whole department. The department account groups are all members of the division account group.
Within a department, the management structure can be organized into security groups to any required level of specificity. These might be team account groups and might represent leaf nodes in the organization's hierarchical tree.
With this group hierarchy in place, you can give a new employee or student assistant instant access to the resources of the team, the department, the division, and the college as a whole by placing the user in a team account group. This system supports the principle of least access because the new employee or student assistant cannot view the resources of adjacent teams, other departments, or other divisions.
1. In the Active Directory Users and Computers snap-in, click the + next to csun.edu.
2. Select the appropriate OU (ECS in our example) and expand it by clicking the +. Repeat this process until you get down to the level where you wish to create a group (e.g. OU=Groups,OU=CECS,OU=ECS,DC=CSUN,DC=EDU).
3. Create a new group by right-clicking Groups, pointing to New, and then clicking Group. Type ECS Users, and then click OK.
4. Right-click the ECS Users group, and then click Properties.
5. Click the Members tab, and then click Add.
6. In the Enter the object names to select box, type CECS, and then click OK.
7. Click OK again. A nested group has been created.
8. Repeat steps 3 through 7 if additional nesting is required.
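The following Python script is an added example (not part of this guide or the csun.edu directory) that models the ECS Users / division / department / team hierarchy described above and expands nested membership the way the directory does, so you can see which shares a user placed in one team group actually reaches. The directory contents, user names and share names are constructed samples.

```python
"""Transitive expansion of the nested account-group hierarchy described above,
and the resulting least-access picture for one user. Added example for this
guide; the directory below is a constructed sample, not a dump of csun.edu."""

from collections import deque

# Constructed directory: group -> direct members (user names or group names).
# ECS Users holds the division groups, a division holds its department groups,
# a department holds its team groups, and users sit in the team groups.
MEMBERS = {
    "ECS Users": {"CEAM", "ME", "CS", "ECE", "MSEM"},
    "CEAM": set(),
    "ME": {"ME Faculty"},
    "CS": {"CS Faculty", "CS Staff"},
    "ECE": set(),
    "MSEM": set(),
    "ME Faculty": {"asmith"},
    "CS Faculty": set(),
    "CS Staff": {"CS Web Team"},
    "CS Web Team": {"jdoe"},  # new student assistant placed in a team group
}

# Constructed resource groups: share -> account groups granted access.
RESOURCE_ACL = {
    r"\\fs\ecs-common": {"ECS Users"},
    r"\\fs\cs-division": {"CS"},
    r"\\fs\cs-web-projects": {"CS Web Team"},
    r"\\fs\me-division": {"ME"},
}


def direct_parents(member, members=MEMBERS):
    """Groups that list `member` as a direct member."""
    return {g for g, ms in members.items() if member in ms}


def effective_groups(user, members=MEMBERS):
    """Every group the user belongs to directly or through nesting.

    Breadth-first walk up the membership links. The `seen` set stops the walk
    on membership cycles (A in B and B in A), which AD does not forbid and
    which would otherwise loop forever.
    """
    seen, queue = set(), deque([user])
    while queue:
        node = queue.popleft()
        for parent in direct_parents(node, members):
            if parent not in seen:
                seen.add(parent)
                queue.append(parent)
    return seen


def accessible_shares(user, members=MEMBERS, acl=RESOURCE_ACL):
    """Shares the user reaches through any effective group, sorted."""
    groups = effective_groups(user, members)
    return sorted(share for share, grantees in acl.items() if grantees & groups)


if __name__ == "__main__":
    # jdoe reaches team, department, division and college shares but not ME's.
    for user in ("jdoe", "asmith"):
        print(user, sorted(effective_groups(user)), accessible_shares(user))
```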
Note: The same procedure is also valid for last names or UIDs. Additionally, changing the Find dropdown will allow you to search for a number of other object types, including computers, printers, shared folders and OUs, using the same general procedure.
3. If what you are searching for isn't in any of the lists above, you need to do an advanced search. Click the Advanced tab. In the Field drop-down list, select Group, and then click Name.
4. Type Comp for Value, and then click Add. Click Find Now. Your results should be similar to those shown in Figure 12.
5. Select the one or more user objects you were looking for, and double-click to open the objects.
6. Close the Find Users, Contacts, and Groups window.
objects, the Filter function allows you to restrict the number of objects displayed in the results pane. You can use the Filter function to configure this option.
1. In the Active Directory Users and Computers snap-in, click the + next to csun.edu.
2. Select the appropriate OU (COBAE in our example) and expand it by clicking the +. You should see a mixture of OUs, computers and groups.
3. Click the View menu, and then click Filter Options.
4. Click the radio button for Show only the following types of objects, select Groups, and then click OK.
5. Reselect the appropriate OU (COBAE in our example) and expand it by clicking the +. Verify the filtering results. You should now only see a mixture of OUs and groups.
6. Remove the filter.
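As an added example (not part of the guide), the script below builds the LDAP search filter that corresponds to the Advanced search above (Field: Group, Name; Value: Comp) and applies the same match to a few constructed objects, escaping the typed value so that characters with meaning in filter syntax are matched literally. It assumes the dialog's default "Starts with" condition and the objectCategory values shown; the sample objects are constructed.

```python
"""The LDAP search filter equivalent to the Find dialog's Advanced search used
above (Field: Group, Name; Value: Comp), with the same starts-with match
applied to constructed directory objects. Added example, not part of the
guide; objectCategory values and the sample objects are assumptions."""

# Assumed mapping from the Find dialog's object type to objectCategory.
OBJECT_CATEGORY = {"Group": "group", "User": "person", "Computer": "computer"}


def escape_filter_value(value):
    """Escape a value for use inside an LDAP filter (RFC 4515).

    The characters \\ * ( ) and NUL are meaningful in filter syntax; encoding
    them as \\XX makes the typed value match literally, so a group called
    "Comp100 (Spring)" is searched for as text rather than as filter syntax.
    """
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def build_filter(object_type, attribute, value):
    """Filter for the Find dialog semantics: attribute starts with `value`."""
    category = OBJECT_CATEGORY[object_type]
    return f"(&(objectCategory={category})({attribute}={escape_filter_value(value)}*))"


def matches(obj, object_type, attribute, value):
    """The same predicate evaluated directly on one constructed object."""
    return (obj["objectCategory"] == OBJECT_CATEGORY[object_type]
            and obj.get(attribute, "").lower().startswith(value.lower()))


# Constructed sample of objects under ou=ecs,dc=csun,dc=edu.
DIRECTORY = [
    {"objectCategory": "group", "name": "Comp100Users"},
    {"objectCategory": "group", "name": "Comp200Users"},
    {"objectCategory": "group", "name": "ECS Users"},
    {"objectCategory": "person", "name": "Compton, Ann"},
    {"objectCategory": "computer", "name": "comp-lab-01"},
]


def find(object_type, attribute, value, directory=DIRECTORY):
    """Names of the objects the Find dialog would list, in directory order."""
    return [o["name"] for o in directory if matches(o, object_type, attribute, value)]


if __name__ == "__main__":
    print(build_filter("Group", "name", "Comp"))
    print(build_filter("Group", "name", "Comp100 (Spring)"))
    print(find("Group", "name", "Comp"))
```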
Three nodes exist under the Computer Configuration and User Configuration parent nodes: Software Settings, Windows Settings, and Administrative Templates. The Software Settings and Windows Settings nodes contain extension snap-ins that extend either or both of the Computer Configuration or User Configuration nodes. Most of the extension snap-ins extend both of these nodes, but frequently with different options. The Administrative Templates node namespace contains all policy settings pertaining to the registry.
Several documents are attached to help in deciding which settings are appropriate and which are necessary.
GPO Settings Explanations – This document goes through each setting and gives a brief explanation of what it does.
Root (overridable and non-overridable) GPO Settings – A listing of the settings that have been implemented at the root. Some of these settings are overridable and describe best practice, while others are not overridable, describing policy. In both cases the settings apply to all systems and users in Active Directory.
Blank GPO Worksheet – A worksheet that can be used to document the settings you use in the GPO(s) developed for your OU.
Note: To increase the security of the Active Directory Forest, the only users granted access to objects in the Active Directory from the root are members of the Enterprise and Local Administrative groups. The permission to log on to a system will need to be allocated to the user via permissions given from a GPO placed within the local administrator's OU. The so-called “account/account” will also be blocked, unless granted access privilege.
Note: The No Override setting on user settings is reserved for the root level GPO. It should not be used by any local administrator on settings designed for user behavior modification, as this setting will cause the User GPO settings to be propagated throughout the entire forest.
Note: A GPO has been developed to automatically map a network drive to the U-drive share for a user as they log on to the system. This GPO is disabled for all users. If a local administrator wishes to enable it, please forward a request to an Enterprise Administrator identifying the OU and the name of the Group to enable.
Note: While the Computer GPOs can be set as not overridable (though this practice is not recommended), the User GPOs must be overridable and must have the Authenticated Users security settings for both Read and Apply disabled, and the group the GPO applies to added with Read and Apply Group Policy enabled.
1. Click Start, point to Programs, point to Administrative Tools, and then click
Active Directory Users and Computers.
2. Select location of GPO.
Note: This may require you to click the + next to your OU to expand it.
Note: There is currently no universal naming convention at CSUN for GPOs; however, as all GPOs are stored in a single folder, GPO names must start with the name of the first level OU responsible for it. For example, all GPOs for ITR will start with “ITR-”. Also, if a User GPO is being developed for use in conjunction with a Computer GPO, they both should have the same name with a “-u” or “-c” appended to the end of the name.
Note: The number of User GPOs that are applied to a user affects the logon processing time, and the number of Computer GPOs applied affects the boot time. This time can be reduced by disabling the unused half of the GPO. To do this, right-click the GPO, click Properties, click either Disable Computer Configuration settings or Disable User Configuration settings, and then click OK. These options are available on the GPO Properties page, on the General tab.
Note: This may require you to click the + next to your OU to expand it.
Note: If a previously implemented User GPO needs editing, it must be done by an Enterprise Administrator.
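The following Python script is an added example (not part of this guide) that checks GPO records against the rules stated in the notes above and in the earlier note on User GPO security filtering: the first-level-OU name prefix with -u/-c halves, No Override reserved for the root GPO, Authenticated Users stripped of Read and Apply on User GPOs in favour of the target group, and the unused half disabled. The record schema, the list of first-level OUs and the sample GPOs are constructed for the example.

```python
"""Lint of GPO records against the rules this guide states: first-level-OU
name prefix with -u/-c halves, No Override reserved for the root, Authenticated
Users stripped of Read/Apply on User GPOs in favour of the target group, and
the unused half disabled. Added example, not part of the guide; the GPO
records and first-level OU list are constructed samples."""

import re

# Constructed sample of first-level OUs allowed to own GPOs.
FIRST_LEVEL_OUS = {"ITR", "ECS", "COBAE"}

# <first-level OU>-<name>, optionally ending in -u (user half) or -c (computer half).
NAME_RE = re.compile(r"^(?P<ou>[A-Za-z0-9]+)-(?P<base>.+?)(?:-(?P<half>[uc]))?$")
HALF_KIND = {"u": "user", "c": "computer"}


def lint_gpo(gpo):
    """Return the rule violations for one GPO record (empty list = compliant).

    Record schema (constructed for this example):
      name, kind ('user' | 'computer'), no_override (bool),
      user_half_enabled, computer_half_enabled (bool),
      acl: {trustee name: set of 'read' / 'apply'}
    """
    problems = []
    m = NAME_RE.match(gpo["name"])
    if not m:
        problems.append("name must be <first-level OU>-<name>[-u|-c]")
    elif m.group("ou") not in FIRST_LEVEL_OUS:
        problems.append(f"prefix {m.group('ou')!r} is not a first-level OU")
    elif m.group("half") and HALF_KIND[m.group("half")] != gpo["kind"]:
        problems.append(f"suffix -{m.group('half')} does not match kind {gpo['kind']!r}")

    if gpo["kind"] == "user":
        if gpo["no_override"]:
            problems.append("No Override is reserved for the root GPO")
        # Security filtering: Authenticated Users must lose Read and Apply,
        # and the group the GPO is meant for must hold both.
        if gpo["acl"].get("Authenticated Users", set()) & {"read", "apply"}:
            problems.append("Authenticated Users still has Read and/or Apply Group Policy")
        targets = [t for t, rights in gpo["acl"].items()
                   if t != "Authenticated Users" and {"read", "apply"} <= rights]
        if not targets:
            problems.append("no group holds both Read and Apply Group Policy")
        if gpo["computer_half_enabled"]:
            problems.append("unused Computer Configuration half should be disabled")
    else:
        if gpo["no_override"]:
            problems.append("No Override on a Computer GPO is not recommended")
        if gpo["user_half_enabled"]:
            problems.append("unused User Configuration half should be disabled")
    return problems


def lint_all(gpos):
    """Map each non-compliant GPO name to its list of problems."""
    report = {g["name"]: lint_gpo(g) for g in gpos}
    return {name: probs for name, probs in report.items() if probs}


# Constructed sample records: a compliant -u/-c pair and a non-compliant GPO.
SAMPLE_GPOS = [
    {"name": "ECS-Comp100-u", "kind": "user", "no_override": False,
     "user_half_enabled": True, "computer_half_enabled": False,
     "acl": {"ECS-Comp100Users": {"read", "apply"}}},
    {"name": "ECS-Comp100-c", "kind": "computer", "no_override": False,
     "user_half_enabled": False, "computer_half_enabled": True,
     "acl": {"Authenticated Users": {"read", "apply"}}},
    {"name": "Lab-Comp100-u", "kind": "user", "no_override": True,
     "user_half_enabled": True, "computer_half_enabled": True,
     "acl": {"Authenticated Users": {"read", "apply"}}},
]

if __name__ == "__main__":
    for name, probs in lint_all(SAMPLE_GPOS).items():
        print(name)
        for p in probs:
            print("  -", p)
```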
7. Find the setting that needs updating and double-click it.
8. Make the appropriate corrections and press Enter.
Note: Changing a setting from either Enabled or Disabled to “Not Defined” will not delete the local setting. Once defined, the best way to change a setting is to select the opposite setting from the original (Enabled changes to Disabled and vice versa).
9. When you are finished, exit the GPO editor; changes will be saved automatically. The new GPO will be applied to all systems from that OU and below either the next time a user logs on to a system in that OU or at the next system-wide update (within 90 minutes).
Note: Two .adm files are provided for use or as examples. The first sets the local computer up to point to the Software Update Service (SUS) server. This SUS server can either be local to the OU or the one provided and maintained by the ITR. The purpose of the SUS server is to reduce bandwidth usage and provide local systems with an unassisted ability to receive and install critical updates automatically at a given time and on a given day. The second .adm file provides the local administrator the ability to limit the user's ability to do specific things. This .adm file is useful in a computer laboratory setting where limits need to be in place.
Once an .adm file is created it needs to be integrated into a GPO (both for testing and for
implementation). The integration is accomplished as follows (assuming the GPO exists):
1. Click Start, point to Programs, point to Administrative Tools, and then click
Active Directory Users and Computers.
2. Select location of GPO.
Note: This may require you to click the + next to your OU to expand it.
3. In the Network Path name box, type the IP address (or host name) of the system where the folder resides, for example: \\130.166.250.255\ES or \\daxps.csun.edu\ES, and click OK.
4. The ITR\Network Engineering & Operations organizational unit appears as shown in Figure 13 below:
5. Users can now see this volume while browsing in the directory.
Publishing a Printer
This section describes the processes for publishing printers in a Windows 2000 Active Directory-based network.
Note: For this section of this guide, you must have a printer available and know its IP address. If you do not have an IP printer, you can still run through these procedures, substituting the correct port for Standard TCP/IP Port.
After you create the printer, the printer is automatically published in Active Directory and the Listed in the Directory check box is selected.
You might also need to find the server from which a printer is shared out before adding it to the machine you are working on.
To locate a printer
1. Click Start, point to Settings, and then click on Printers.
2. Double-click the Add Printer icon.
3. In the Add Printer Wizard dialog box, click the Next button.
4. Select the Network printer button, and then click Next.
5. Select the Find a printer in the Directory button, and then click Next.
6. The Find Printers dialog box displays. If you know which domain your printer resides in, click the Browse button and choose that domain to narrow your search. Then, on the Printer tab, add the printer Name, Location, or Model to those text boxes, and click the Find Now button.
Note: If you do not know the name, location, or model of the printer, you can simply click the Find Now button, and all the printers in the domain you selected will be listed in the list box.
To publish a printer shared from a non-Windows 2000 server using the pubprn.vbs script
1. Click Start, click Run, and type cmd in the text box. Click OK.
2. Type cd \winnt\system32 and press Enter.
3. Type cscript pubprn.vbs <printer server name> "LDAP://ou=ecs,dc=csun,dc=edu" (the LDAP path names the OU to publish to; ou=ecs in this example) and press Enter. This publishes the printer to the specified OU.
This script copies only the following subset of the printer attributes:
Location
Model
Comment
UNCPath
You can add other attributes by using the Active Directory Users and Computers snap-in.
Note: You can rerun pubprn and it will update rather than overwrite existing printers. Alternatively, you can use the Active Directory Users and Computers snap-in to publish printers on non-Windows 2000 servers.
End users can realize the benefit of printers being published in the directory because they can browse for printers, submit jobs to those printers, and install the printer drivers directly from the server.
Folder Redirection
The Folder Redirection extension to Group Policy is used to redirect such user-specific folders as My Documents from the client to a server, facilitating administrative management of user data.
NTFS Permissions required for root folder (table fragment; only the end of the preceding row and the Local System row survived extraction):
... Folder only
Local System: Full Control, this folder, subfolders and files
Do not put the server share in a Distributed File System (DFS) tree
Using offline folders located in a Distributed File System (Dfs) tree is not supported. If you do put shares configured for offline use in a Dfs tree, unexpected behavior, such as Access Denied errors, may occur when moving from an offline to online state.
Not all types of files can be synchronized
By default, .mdb and .pst files are not synchronized as they have other mechanisms of synchronizing.
Don't store roaming profiles on the same server as redirected folders that are enabled for offline use
See Folder Redirection Tips and Tricks for details.
Leaving certain kinds of documents open can prevent entering standby mode
When using offline folders, the original versions of Microsoft Word 2000 and Excel 2000 prevent the computer from going into standby mode when a document or spreadsheet is open. This is fixed in Office 2000 SR1.
On computers running Windows 2000 and above operating systems, user profiles automatically create and maintain the desktop
Note: CSUN Active Directory does not actively support the use of roaming profiles. References to roaming profiles are for informational purposes only.
Mandatory user profile -- A mandatory user profile is a roaming profile that can be used to specify particular settings for individuals or an entire group of users. Only system administrators can make changes to mandatory user profiles.
Temporary user profile -- A temporary profile is issued any time that an error condition prevents the user's profile from being loaded. Temporary profiles are deleted at the end of each session. Changes made by the user to their desktop settings and files are lost when the user logs off.
The user profile folders contain various items including the desktop and Start menu. The following table lists and describes the contents of each user profile folder.
Local Settings -- Application data, history, and temporary files. Application data roams with the user by way of roaming user profiles.
My Documents -- User documents and subfolders.
My Recent Documents -- Shortcuts to the most recently used documents and accessed folders.
NetHood -- Shortcuts to My Network Places items.
NTuser.dat file
The NTuser.dat file is the registry portion of the user profile. When a user logs off of the computer, the system unloads the user-specific section of the registry (that is, HKEY_CURRENT_USER) into NTuser.dat and updates it. For more information about the registry, see http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/sag_ntregconcepts_mply.asp.
Note: The My Documents, My Pictures, Favorites, Start Menu, and Desktop folders are the only folders displayed in Windows Explorer by default. The NetHood, PrintHood, Local Settings, Recent, and Templates folders are hidden and do not appear in Windows Explorer. To view these folders and their contents in Windows Explorer, on the Tools menu, point to Folder options, click the View tab, and then click Show hidden files and folders.
Note: On computers running Windows operating systems with the NTFS file system, only members of the Administrators group can create, delete, or modify the common program groups.
Note: To perform this procedure, you must be a member of the Administrators group
on the local computer, or you must have been delegated the appropriate authori-
ty. If the computer is joined to a domain, members of the Domain Admins group
might be able to perform this procedure. As a security best practice, consider us-
ing Run as to perform this procedure.
Note: To open System, click Start, click Control Panel, click Performance and
Maintenance, and then click System.
Note: You cannot copy or delete a user profile that belongs to the currently logged on
user or any user whose profile is in use.
Note: If you copy the profile to a new location, you must update the User Profile Path
entry for the user's account to refer to this new location as well.
Note: You cannot use Windows Explorer or any other file management utility to copy
user profiles.
Caution: If you are using a roaming profile and install a program on one computer
while simultaneously logged on to another computer, you might overwrite
crucial program-related registry settings stored in your roaming profile, thus
preventing you from running those programs.
For example: You are logged on to computer A and computer B. You install a
program on computer B and then log off computer B. Computer B stores the
shortcuts for the application, and the registry is saved to your roaming profile.
Computer A does not get the updated profile information until you log off and
log on again.
When you log off from computer A, however, that computer overwrites the reg-
istry stored in the roaming profile (which now includes the Microsoft Win-
dows Installer (MSI) registration for the program you installed on computer
B) with its own stale registry information. The program shortcuts remain in
your roaming profile, but the Windows Installer data stored in the registry
settings is lost, preventing you from running the programs.
You can repair your roaming profile by repairing or reinstalling the program
on computer B or by installing the program on computer A.
Note: The first time a user logs on, a copy of the preconfigured user profile is re-
turned from the server instead of a copy of the default profile on the local
computer. Thereafter, the user profile functions the same as a standard roam-
ing user profile does. Each time the user logs off, the user profile is saved lo-
cally and is also copied to the server.
Note: The Windows operating system does not support the use of encrypted files
within roaming user profiles.
Note: Roaming user profiles used with Terminal Services clients are not replicated
to the server until the interactive user logs off and the interactive session is
closed.
o The best way is with folder redirection. If you do not have Active Direc-
tory enabled, you can do this with a logon script or instruct the user to do
so.
Do not use Encrypted File System (EFS) with roaming user profiles, offline fold-
ers, or File Replication Service (FRS).
o EFS is not compatible with roaming user profiles, offline folders, or FRS.
Don't set disk quotas too low for users with roaming profiles.
o If a user's disk quota is set too low, roaming profile synchronization
may fail. Make sure enough disk space is allocated to allow the system to
create a temporary duplicate copy of the user's profile. The temporary
copy is created in the user's context as part of the synchronization process,
so it counts against his or her quota.
Do not use offline folders on roaming profile shares.
o Make sure that you turn off Offline Files for shares where roaming user
profiles are stored. If you do not turn off offline folders for a user's pro-
file share, you may experience synchronization problems as both Offline Files
and roaming profiles try to synchronize the files in the user's profile.
Note: This does not affect using offline folders with redirected folders such as My Documents.
Don't store roaming profiles on the same server as redirected folders that are
enabled for offline use.
o See Folder Redirection Tips and Tricks for details.
If roaming profiles are stored on a Windows NT 4.0 share, ensure that users are
given Full Control share permissions.
o If you are using Windows 2000 Professional in a Windows NT 4.0 do-
main, and the server hosting the profile share is a Windows NT 4.0 com-
puter, make sure that users are given Full Control share permissions. Not
having the share permissions set to Full Control will result in profiles not
synchronizing. The event log will contain errors such as:
This problem occurs because the Change share permission does not include WRITE_DAC
access, so the system cannot copy ACLs. Windows 2000 copies roaming profile ACLs,
whereas Windows NT 4.0 does not. Full Control at the share level does not by itself
expose one user's profile to another: the NTFS permissions on each profile folder still
apply, so keep those restricted to the profile owner and the SYSTEM account.
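The following PowerShell script is an added example and is not part of the original guide. It checks a roaming profile share against the practices listed above: Offline Files caching on the share, share permissions that are too weak (Change instead of Full) or too broad (Everyone), EFS-encrypted files inside profiles, and NTFS grants on individual profile folders that would let other users read a profile. It assumes it is run on the file server itself, on Windows Server 2012 or later (for the SmbShare cmdlets), and a hypothetical share name of Profiles$; it reports and changes nothing.

```powershell
# Added example, not from the guide. Audit a roaming-profile share against the
# practices above. Assumes Windows Server 2012+ on the hosting server and a
# hypothetical share named Profiles$. Read-only: findings are returned as strings.
$ShareName = 'Profiles$'

$share    = Get-SmbShare -Name $ShareName -ErrorAction Stop
$findings = @()

# 1. Offline Files must be off for the profile share. CachingMode 'None' disables
#    client-side caching; anything else lets Offline Files and profile sync compete.
if ($share.CachingMode -ne 'None') {
    $findings += "Share '$ShareName': Offline Files caching is enabled (CachingMode=$($share.CachingMode)); set it to None."
}

# 2. Share-level permissions: profile sync needs Full so file ACLs can be written
#    (Change lacks WRITE_DAC). Everyone is broader than needed; grant Authenticated Users.
foreach ($grant in Get-SmbShareAccess -Name $ShareName) {
    if ($grant.AccessControlType -eq 'Allow' -and $grant.AccessRight -ne 'Full') {
        $findings += "Share grant for $($grant.AccountName) is $($grant.AccessRight); roaming profiles need Full."
    }
    if ($grant.AccountName -eq 'Everyone') {
        $findings += "Share grants access to Everyone; prefer Authenticated Users."
    }
}

# 3. EFS is not supported inside roaming profiles: flag any file with the Encrypted attribute.
$encrypted = Get-ChildItem -LiteralPath $share.Path -Recurse -Force -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Attributes -band [System.IO.FileAttributes]::Encrypted }
foreach ($f in $encrypted) {
    $findings += "EFS-encrypted file inside a profile: $($f.FullName)"
}

# 4. Each profile folder should be readable only by its owner and SYSTEM. A grant to a
#    broad group on a profile root exposes that user's NTuser.dat and documents.
$broad = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')
foreach ($dir in Get-ChildItem -LiteralPath $share.Path -Directory -Force) {
    $acl = Get-Acl -LiteralPath $dir.FullName
    foreach ($ace in $acl.Access) {
        if ($ace.IdentityReference.Value -in $broad) {
            $findings += "$($dir.FullName): NTFS grant to $($ace.IdentityReference) ($($ace.FileSystemRights))"
        }
    }
}

if ($findings.Count -eq 0) { 'No findings.' } else { $findings }
```

Run it after creating the share and again whenever the server is rebuilt; the share-level and NTFS checks are the ones most often undone by a later "fix" that grants Everyone Full Control to make synchronization work.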
Attachments:
Note: The Full name is automatically filled in after you enter the First and Last names.
You have now created an account for James Smith in the /ITR/Network Engineering
& Operations OU. To add additional information about this user: