Step-by-Step Guide to Managing the Active Directory
Version Number   Date of Issue   Author(s)   Brief Description of Change(s)
1.00             2/10/04         D. Aragon   Initial Version
1.01             5/12/04         D. Aragon   Added section on user profiles.
1.02             5/21/04         D. Aragon   Added Document Control Table and Table of Contents.
1.03             7/26/04         D. Aragon   Added security warning and corrected several typos.
1.04             3/15/07         D. Aragon   Updated guide to reflect procedures for Windows Server 2003 Active Directory FFL.
Table of Contents
Introduction
Prerequisites
In this Step-by-Step Guide
Using the Active Directory Users and Computers Snap-in tool
Recognizing Active Directory Objects
Adding an Organizational Unit
Creating a Computer Object
Adding a Computer to the Domain
Managing Computer Objects
Managing a Remote Computer
Creating a Group
Adding a User to a Group
Nested Groups
Creating Nested Groups
Finding Specific Objects
Filtering a List of Objects
Writing a Group Policy Object
Create a Group Policy Object
Edit a Group Policy Object
Use an ADM file to create a GPO
Publishing a Shared Folder
To publish the shared folder in the directory
To browse the directory
Publishing a Printer
Windows 2000 Printers
To add a new printer
To locate a printer
Adding Non-Windows 2000 Printers
To use the Active Directory Users and Computers snap-in to publish printers
Folder Redirection
Let the system create folders for each user
Use offline folder settings on the server share where the user's info is stored
Policy removal considerations
Offline Folders Tips and Tricks
User profiles overview
Advantages of using user profiles
User profile types
Contents of a user profile
NTuser.dat file
All Users folder
To copy a user profile
To create a preconfigured user profile
User Profiles and Roaming User Profiles Tips and Tricks
Attachments:
Creating a Local User Account
To create a new local user account
Introduction
ITR in conjunction with TSAG Members have been tasked with implementation of the
policies and management of the top level (root) organizational unit (OU) along with
implementing TSAG approved changes to the schema and top level (root) Group Policy
Object (GPO). As local autonomy of the individual colleges and organizations
represented at the first level OU is desired, local administration of these OUs will fall on
TSAG members or their appointed representatives. This guide is provided to TSAG
Members as an introduction to the administration of the Active Directory service and the
Active Directory Users and Computers snap-in. This snap-in allows you to add, move,
delete, and alter the properties for objects such as users, contacts, groups, servers,
printers, and shared folders. It is available for download as part of the Active Directory
administrative tools from the Active Directory web site
(http://www.csun.edu/tsag/activedirectory). The Active Directory administrative tools
can only be used from a computer with access to a domain.
Prerequisites
This document is based on the following documents and web pages:
Step-by-Step How-To-Guide to the Common Infrastructure for Windows 2000 Server
Deployment,
Part One: http://www.microsoft.com/technet/win2000/depprof1.asp,
Part Two: http://www.microsoft.com/technet/win2000/depprof2.asp, and
http://www.microsoft.com/technet/prodtechnol/ad/windows2000/howto/managad.asp.
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/directory/activedirectory/stepbystep/admng.mspx
This document assumes you are familiar with Windows 2003 or Windows XP and that
you have Administrative authority for your OU (i.e., you have an “a under-bar” account).
Additional Useful Information
Policy Removal Considerations
Offline Folder Tips and Tricks
User Profile Overview
User Profiles and Roaming User Profiles Tips and Tricks
Attachments
Creating a User Account
Group Policy Object Settings Explanation
Root Group Policy Object settings
Blank Group Policy Object Worksheet
Note: If you have not done so already, install the Administrative Package found on the
Active Directory Administration Web Site (www.csun.edu/tsag/activedirectory).
Download and install the correct administrative package for your operating
system (admin2k.exe for Windows 2000 or adminxp.exe for Windows XP or
Windows Server 2003). This will install the proper snap-in referenced in this
section.
1. To start the Active Directory Users and Computers snap-in, click Start, point to
Programs, point to Administrative Tools, and then click Active Directory
Users and Computers.
2. Expand csun.edu by clicking the +.
3. Figure 1 below displays the key components of the Active Directory Users and
Computers snap-in for csun.edu.
move it. You must get an Active Directory
Enterprise Administrator to move these objects.
Shared printer: A shared printer is a network printer that has
been published in the directory.
Adding an Organizational Unit
Note: You can create nested organizational units and there is no limit to the nesting
levels, though Microsoft suggests that nesting more than five levels deep might
slow the logon process.
These steps follow the Active Directory structure begun in the "Step-by-Step Guide to a
Common Infrastructure for Windows 2000 Server Deployment"
http://www.microsoft.com/technet/win2000/depprof1.asp. For your own organization,
add the OUs under your organizational OU contained within the csun.edu Active
Directory forest.
Note: You are not allowed to add a first level OU. Unauthorized first level OUs will
be deleted without warning.
When you are finished, you should have a hierarchy similar to Figure 2 below:
Note: Each object name must be unique within the entire Active Directory.
Note: To view the name of the computer you plan to add to Active Directory:
a. To view the computer's name in Windows 2000
   i. Right-click My Computer.
   ii. Click Properties.
   iii. In the panel on the left side, click the Network Identification link.
   iv. Computer Name is shown as Full Computer Name (use the portion preceding
       .csun.edu if it is present).
   v. For example, if the full computer name is daxps.csun.edu, the computer name
      you will want to enter is daxps.
b. To view the computer's name in Windows XP
   i. Right-click My Computer.
   ii. Click Properties.
   iii. Click the Computer Name tab.
   iv. Computer Name is shown as Full Computer Name (use the portion preceding
       .csun.edu if it is present).
   v. For example, if the full computer name is daxps.csun.edu, the computer name
      you will want to enter is daxps.
Figure 3 Computer Name
Note: Naming a computer with the name of the primary user may present an
unnecessary security risk by alerting those who may be snooping on the network
to the identity of the user of a particular machine, thereby making that
machine a target of a directed attack. From a security standpoint, it would be
better to name the computers in your OU something less identifying.
Note: If you cannot see the Security tab, from the top line menu select View and select
Advanced Features.
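One check that follows from the naming note above, written here as an added example rather than something from the guide: list the computer objects in an OU whose names equal an existing user logon name, or a logon name followed only by digits, hyphens or underscores. It assumes the ActiveDirectory PowerShell module (Windows Server 2008 R2 RSAT or later, which postdates this guide) and read access to the domain; the OU distinguished name is a placeholder.

```powershell
# Added example (not from the guide): find computer objects named after user accounts.
# Assumes the ActiveDirectory module; the OU DN below is a placeholder.
Import-Module ActiveDirectory

function Find-UserNamedComputer {
    param(
        [Parameter(Mandatory)] [string] $ComputerSearchBase,          # OU to audit
        [string] $UserSearchBase = (Get-ADDomain).DistinguishedName   # where user accounts live
    )
    # Hashtable keys are case-insensitive in PowerShell, so 'DAXPS' and 'daxps' both match.
    $userNames = @{}
    Get-ADUser -Filter * -SearchBase $UserSearchBase |
        ForEach-Object { $userNames[$_.SamAccountName] = $true }

    foreach ($computer in Get-ADComputer -Filter * -SearchBase $ComputerSearchBase) {
        $name = $computer.Name
        # Also catch 'jsmith2' or 'jsmith-pc': strip a trailing digit/hyphen/underscore suffix.
        $stem  = $name -replace '[-_\d].*$', ''
        $match = $null
        if ($userNames.ContainsKey($name)) { $match = $name }
        elseif ($stem -ne $name -and $stem.Length -ge 3 -and $userNames.ContainsKey($stem)) { $match = $stem }
        if ($match) {
            [pscustomobject]@{
                Computer          = $name
                MatchesUser       = $match
                DistinguishedName = $computer.DistinguishedName
            }
        }
    }
}

# Usage (placeholder OU): anything reported is a candidate for a less identifying name.
Find-UserNamedComputer -ComputerSearchBase 'OU=ECS,DC=csun,DC=edu' | Format-Table -AutoSize
```

Pulling every user account once is simpler than a lookup per computer, but in a directory the size the guide describes (over 400,000 objects) narrow -UserSearchBase to your own OU where that is sufficient.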
Adding a Computer to the Domain
1. Open a command window (select Start, select Run and type cmd in the text
box).
2. At the prompt, type: net time /setsntp:ntp.csun.edu
3. You should get a response that states: The command completed successfully.
4. Type: net stop w32time
5. You should get a response that states: The Windows Time service was stopped
successfully.
6. Type: net start w32time
7. You should get a response that states: The Windows Time service was started
successfully.
8. Close the command window.
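The same time-sync steps can be scripted and verified, as in this added example (not from the guide). It assumes Windows XP or Server 2003, where net time /setsntp is still supported and records the peer in the NtpServer value under HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Parameters, and that it runs under an administrative account on the machine being joined. Keeping the clock within Kerberos's default five-minute tolerance of the domain controllers is what makes the join and later logons succeed.

```powershell
# Added example (not from the guide): apply and verify the guide's time-sync steps.
# Assumes XP/2003-era net time behaviour; ntp.csun.edu is the server the guide names.
$NtpServer     = 'ntp.csun.edu'
$W32TimeParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters'

function Set-SntpServer {
    param([Parameter(Mandatory)] [string] $Server)
    # Step 2 of the guide: record the peer the Windows Time service uses.
    & net time "/setsntp:$Server" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "net time /setsntp failed with exit code $LASTEXITCODE" }
    # Steps 4-6: stop and start w32time so it picks up the new setting.
    Restart-Service -Name w32time -ErrorAction Stop
}

function Get-SntpServer {
    # Read back what the service will actually use after the restart.
    (Get-ItemProperty -Path $W32TimeParams -Name NtpServer -ErrorAction Stop).NtpServer
}

function Test-SntpServer {
    param([Parameter(Mandatory)] [string] $Expected)
    $configured = Get-SntpServer
    # net time stores the bare host name; a peer list set with w32tm /config can carry
    # ",0x1"-style flags after it, so compare on the prefix.
    if ($configured -notlike "$Expected*") {
        throw "Time source is '$configured', expected '$Expected'"
    }
    "Time source configured: $configured"
}

Set-SntpServer -Server $NtpServer
Test-SntpServer -Expected $NtpServer
```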
Managing a Remote Computer
Note: The following example assumes that you are working from a system and with an
account that has management privileges on the system being managed and that
the system being managed is currently running.
1. In the Active Directory Users and Computers snap-in, click the + next to
csun.edu.
2. Select the appropriate OU and expand it by clicking the +. Repeat this process
until you get down to the level of the computer you wish to remotely manage.
3. Right-click the computer object and then click Manage.
4. If you are authorized to do so, a management window will open as shown in
Figure 5. If the system cannot be remotely managed, a warning will be issued
(Figure 6) and a management window will open as shown in Figure 7. If you are
not authorized, a management window will open as shown in Figure 8.
Creating a Group
A group is a container for people who have something in common and that need to be
managed in a similar fashion. Examples of the members that might form a group
include the students in a specific class who are the only ones authorized to use the
resources of a particular computer lab, or the administrative staff. However, a group
could just as easily be those people with birthdays in August.
For example, to create a group called Comp100Users in the ECS OU:
1. Right-click the ECS OU, click New, and then click Group.
2. In the Name of New Group text box, type: Comp100Users
3. Select the appropriate Group type and Group scope and then click OK.
The Group type indicates whether the group can be used to assign
permissions to other network resources, such as files and printers.
The Group scope determines the visibility of the group and what type of
objects can be contained within the group.
Nested Groups
Nested groups allow you to provide college-wide or department-wide access to resources
with minimum maintenance. Placing every user account into a single college-wide
resource group is not an effective solution because it requires the creation and
maintenance of a large number of membership links. To use nested groups, administrators
create a series of account groups that represent the managerial divisions of the college or
unit.
For example, the top account group might be called "ECS Users," and would be attached
to a resource group that gives access to resources and shared directories. The next level
might contain account groups that represent major divisions of the college, for example
CEAM, ME, CS, ECE, and MSEM. Each group at this level is a member of ECS Users,
and is attached to a resource group giving access to shares and other resources
appropriate to the division it represents.
Within a division, the next level of account groups might represent departments. Shared
resources for the department might include project schedules, meeting schedules,
vacation schedules, or any network information appropriate to the whole department. The
department account groups are all members of the division account group.
Within a department, the management structure can be organized into security groups to
any required level of specificity. These might be team account groups and might
represent leaf nodes in the organization’s hierarchical tree.
With this group hierarchy in place, you can give a new employee or student assistant
instant access to the resources of the team, department, the division, and the college as a
whole by placing the user in a team account group. This system supports the principle of
least access because the new employee or student assistant cannot view the resources of
adjacent teams, other departments, or other divisions.
1. In the Active Directory Users and Computers snap-in, click the + next to
csun.edu.
2. Select the appropriate OU (ECS in our example) and expand it by clicking the +.
Repeat this process until you get down to the level where you wish to create a
group (e.g. OU=Groups,OU=CECS,OU=ECS,DC=CSUN,DC=EDU).
3. Create a new group by right-clicking Groups, pointing to New, and then clicking
Group. Type ECS Users, and then click OK.
4. Right-click the ECS Users Group, and then click Properties.
5. Click the Members tab, and then click Add.
6. In the Enter the object names to select box, type CECS, and then click OK.
7. Click OK again. A nested group has been created.
8. Repeat steps 3 through 7 if additional nesting is required.
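Adding an Organizational Unit, Creating a Group and Creating Nested Groups above are one chain of operations, so here is a single added example (not from the guide) that performs them together and then checks the result: it creates the Groups OU under a CECS OU inside the ECS first-level OU, creates the college, division and team account groups as Global Security groups, nests them, and expands the top group recursively to confirm that a user placed only in the team group reaches the college-wide group. It assumes the ActiveDirectory PowerShell module and write rights on your first-level OU; the DNs, group names and the zdoe account are placeholders modelled on the guide's example.

```powershell
# Added example (not from the guide): nested OU plus nested account groups, with checks.
# Assumes the ActiveDirectory module; DNs, group names and user 'zdoe' are placeholders.
Import-Module ActiveDirectory

$FirstLevelOU = 'OU=ECS,DC=csun,DC=edu'   # existing first-level OU (you may not create new ones)

function New-OUIfMissing {
    param([Parameter(Mandatory)] [string] $Name, [Parameter(Mandatory)] [string] $ParentDN)
    $existing = Get-ADOrganizationalUnit -Filter "Name -eq '$Name'" -SearchBase $ParentDN -SearchScope OneLevel
    if (-not $existing) { New-ADOrganizationalUnit -Name $Name -Path $ParentDN | Out-Null }
    return "OU=$Name,$ParentDN"
}

function Get-OUDepth {
    param([Parameter(Mandatory)] [string] $DN)
    # Count the OU= components; Microsoft suggests staying within five levels.
    return @($DN -split ',' | Where-Object { $_ -like 'OU=*' }).Count
}

function New-AccountGroup {
    param([Parameter(Mandatory)] [string] $Name, [Parameter(Mandatory)] [string] $Path)
    $g = Get-ADGroup -Filter "Name -eq '$Name'" -SearchBase $Path -SearchScope OneLevel
    if (-not $g) {
        # Group type Security: can be granted permissions on files and printers.
        # Group scope Global: members from this domain, usable on resources forest-wide.
        $g = New-ADGroup -Name $Name -Path $Path -GroupCategory Security -GroupScope Global -PassThru
    }
    return $g
}

function Add-NestedMember {
    param([Parameter(Mandatory)] $Parent, [Parameter(Mandatory)] $Child)
    $already = Get-ADGroupMember -Identity $Parent | Where-Object { $_.DistinguishedName -eq $Child.DistinguishedName }
    if (-not $already) { Add-ADGroupMember -Identity $Parent -Members $Child }
}

# Build OU=Groups,OU=CECS,OU=ECS,DC=csun,DC=edu (the guide's example path).
$groupsOU = New-OUIfMissing -Name 'Groups' -ParentDN (New-OUIfMissing -Name 'CECS' -ParentDN $FirstLevelOU)
if ((Get-OUDepth $groupsOU) -gt 5) { Write-Warning "OU nesting depth exceeds five levels: $groupsOU" }

$college  = New-AccountGroup -Name 'ECS Users'    -Path $groupsOU   # top account group
$division = New-AccountGroup -Name 'CECS'         -Path $groupsOU   # division, member of ECS Users
$team     = New-AccountGroup -Name 'Comp100Users' -Path $groupsOU   # team/class, member of CECS

Add-NestedMember -Parent $college  -Child $division
Add-NestedMember -Parent $division -Child $team

# A new user goes into the team group only; the chain grants the wider access.
$user = Get-ADUser -Identity 'zdoe'      # placeholder account
Add-NestedMember -Parent $team -Child $user

# Verify: recursive expansion of the top group resolves down to the user.
$effective = Get-ADGroupMember -Identity $college -Recursive | Select-Object -ExpandProperty SamAccountName
if ($effective -contains $user.SamAccountName) {
    "$($user.SamAccountName) reaches '$($college.Name)' via $($team.Name) -> $($division.Name)"
} else {
    throw 'Nesting did not resolve as expected'
}
```

Each helper first looks for an existing object, so the script can be re-run without creating duplicates; the recursive expansion at the end is the same view of effective membership that resource permissions will see.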
Finding Specific Objects
In a large directory deployment like ours, it may be unreasonable to browse a
comprehensive list of objects in search of a unique object (we have over 400,000 objects
in our Active Directory). Often, it is more efficient to find specific objects that meet
certain criteria. In the following example, you will find all users who have a first name
starting with “Zeph” in the CSUN domain.
Note: The same procedure is also valid for last names or UIDs. Additionally, changing
the Find dropdown will allow you to search for a number of other object types,
including computers, printers, shared folders and OUs, using the same general
procedure.
3. If what you are searching for isn’t in any of the lists above you need to do an
advanced search. Click the Advanced tab. In the Field drop-down list, select
Group, and then click Name.
4. Type Comp for Value, and then click Add. Click Find Now. Your results should
be similar to those shown in Figure 12.
5. Select one or more of the objects you were looking for and double-click to open
them.
6. Close the Find User, Contacts, and Groups window.
Filtering a List of Objects
To create a filter designed to display Groups only
1. In the Active Directory Users and Computers snap-in, click the + next to
csun.edu.
2. Select the appropriate OU (COBAE in our example) and expand it by clicking the
+. You should see a mixture of OUs, computers and groups.
3. Click the View menu, and then click Filter Options.
4. Click the radio button for Show only the following types of objects, select
Groups, and then click OK.
5. Reselect the appropriate OU (COBAE in our example) and expand it by clicking
the +. Verify the filtering results. You should now only see a mixture of OUs and
groups.
6. Remove the filter.
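The snap-in's Find dialog and its View > Filter Options both map onto directory searches, and the added example below (not code from the guide) expresses the two procedures above as server-side queries: users whose first name starts with Zeph, and only groups whose name starts with Comp under a given OU. It also escapes the supplied text so a value containing *, ( or ) cannot change the shape of the LDAP filter. It assumes the ActiveDirectory module; the csun.edu DN and the ECS and COBAE OU paths are the guide's own examples.

```powershell
# Added example (not from the guide): Find and Filter as directory queries.
# Assumes the ActiveDirectory module; search bases below are the guide's examples.
Import-Module ActiveDirectory

$DomainDN = 'DC=csun,DC=edu'

function ConvertTo-LdapLiteral {
    param([Parameter(Mandatory)] [string] $Value)
    # RFC 4515 escaping so supplied text is matched literally, not read as filter syntax.
    $Value -replace '\\', '\5c' -replace '\(', '\28' -replace '\)', '\29' -replace '\*', '\2a'
}

function Find-UserByFirstName {
    param([Parameter(Mandatory)] [string] $Prefix, [string] $SearchBase = $DomainDN)
    # Server-side filter: only matching objects cross the wire. With 400,000+ objects
    # in the directory, never pull everything and filter locally.
    $filter = "(&(objectCategory=person)(objectClass=user)(givenName=$(ConvertTo-LdapLiteral $Prefix)*))"
    Get-ADUser -LDAPFilter $filter -SearchBase $SearchBase -Properties GivenName, Surname |
        Select-Object SamAccountName, GivenName, Surname, DistinguishedName
}

# The object types the snap-in's Filter Options dialog offers, as LDAP class filters.
$ClassFilters = @{
    user         = '(&(objectCategory=person)(objectClass=user))'   # computers are also objectClass=user
    contact      = '(objectClass=contact)'
    group        = '(objectClass=group)'
    computer     = '(objectCategory=computer)'
    printer      = '(objectClass=printQueue)'
    sharedFolder = '(objectClass=volume)'
    ou           = '(objectClass=organizationalUnit)'
}

function Find-ObjectByType {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('user','contact','group','computer','printer','sharedFolder','ou')]
        [string] $Type,
        [string] $SearchBase = $DomainDN,
        [string] $NamePrefix = ''      # Advanced tab: Field = Name, Value = prefix; empty means any
    )
    $filter = "(&$($ClassFilters[$Type])(name=$(ConvertTo-LdapLiteral $NamePrefix)*))"
    Get-ADObject -LDAPFilter $filter -SearchBase $SearchBase |
        Select-Object Name, ObjectClass, DistinguishedName
}

# The procedures from the guide:
Find-UserByFirstName -Prefix 'Zeph'                                        # first names starting with Zeph
Find-ObjectByType -Type group -NamePrefix 'Comp' -SearchBase "OU=ECS,$DomainDN"   # Advanced tab: Group, Name, Comp
Find-ObjectByType -Type group -SearchBase "OU=COBAE,$DomainDN"             # "show only groups" under COBAE
```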
Writing a Group Policy Object
Three nodes exist under the Computer Configuration and User Configuration parent
nodes: Software Settings, Windows Settings, and Administrative Templates. The
Software Settings and Windows Settings nodes contain extension snap-ins that extend
either or both of the Computer Configuration and User Configuration nodes. Most of the
extension snap-ins extend both of these nodes, but frequently with different options.
The Administrative Templates node namespace contains all policy settings pertaining to
the registry.
Several documents are attached to help in deciding which settings are appropriate and
which are necessary.
GPO Settings Explanations: This document goes through each setting and
gives a brief explanation of what it does.
Root (overridable and non-overridable) GPO Settings: A listing of the
settings that have been implemented at the root. Some of these settings are
overridable and describe best practice, while others are not overridable,
describing policy. In both cases the settings apply to all systems and users in
Active Directory.
Note: To increase the security of the Active Directory forest, the only users granted
access to objects in the Active Directory from the root are members of the
Enterprise and Local Administrative group. The permission to log on to a system
will need to be allocated to the user via permissions given from a GPO placed
within the local administrators OU. The so-called “account/account” will also be
blocked, unless granted access privilege.
Note: The no override setting on user settings is reserved for the root level GPO. It
should not be used by any local administrator on settings designed for user
behavior modification, as this setting will cause the User GPO settings to be
propagated throughout the entire forest.
Note: A GPO has been developed to automatically map a network drive to the U-drive
share for a user as they log on to the system. This GPO is disabled for all users.
If a local administrator wished to enable it, please forward a request to an
Enterprise Administrator identifying the OU and the name of the Group to
enable.
Note: While the Computer GPOs can be set as not overridable (though this practice is
not recommended), the User GPOs must be overridable and must have the
Authenticated Users security settings for both Read and Apply disabled and the
group the GPO applies to added with Read and Apply Group Policy enabled.
Create a Group Policy Object
1. Click Start, point to Programs, point to Administrative Tools, and then click
Active Directory Users and Computers.
2. Select location of GPO.
Note: This may require you to click the + next to your OU to expand it.
Note: There is currently no universal naming convention at CSUN for GPOs; however,
as all GPOs are stored in a single folder, GPO names must start with the name of
the first level OU responsible for it. For example, all GPOs for ITR will start
with “ITR-”. Also, if a User GPO is being developed for use in conjunction with a
Computer GPO, they both should have the same name with “-u” or “-c”
appended to the end of the name.
Note: The number of User GPOs that are applied to a user affects
the logon processing time, and the number of Computer GPOs applied affects the
boot time. This time can be reduced by disabling the unused half of the GPO.
To do this, right-click the GPO, click Properties, click either Disable Computer
Configuration settings or Disable User Configuration settings, and then click
OK. These options are available on the GPO Properties page, on the General
tab.
Note: This may require you to click the + next to your OU to expand it.
Note: Changing a setting from either Enabled or Disabled to “Not Defined” will not
delete the local setting. Once defined, the best way to change a setting is to
select the opposite setting from the original (Enabled changes to Disabled and
vice versa).
9. When you are finished, exit the GPO editor; changes are saved automatically.
The new GPO will be applied to all systems from that OU and below, either the
next time a user logs on to a system in that OU or at the next system-wide update
(within 90 minutes).
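The naming, security-filtering and half-disabling rules in the notes above can be applied and audited from script. The following is an added example (not from the guide) using the GroupPolicy module that ships with Windows Server 2008 R2 and later RSAT, which postdates this guide. It creates a User GPO named <first-level OU>-<name>-u, disables its Computer Configuration half, removes Authenticated Users from Read and Apply, grants the target group Read and Apply, and links it without Enforced (the no-override setting the root GPO reserves). One caveat from later Windows servicing: since security update MS16-072 (June 2016) the computer account must be able to read a User GPO for it to apply, so the example also grants Domain Computers Read. The OU, group and GPO names are placeholders; the second function audits the GPOs linked under an OU against the same rules and additionally needs the ActiveDirectory module.

```powershell
# Added example (not from the guide): create and audit a User GPO per the guide's rules.
# Assumes the GroupPolicy and ActiveDirectory modules; OU DN, group and GPO names are placeholders.
Import-Module GroupPolicy
Import-Module ActiveDirectory

function New-UserGpoPerConvention {
    param(
        [Parameter(Mandatory)] [string] $FirstLevelOU,   # e.g. 'ITR' -> names start with 'ITR-'
        [Parameter(Mandatory)] [string] $BaseName,
        [Parameter(Mandatory)] [string] $LinkTargetDN,
        [Parameter(Mandatory)] [string] $ApplyToGroup    # the security group the GPO is for
    )
    $name = "$FirstLevelOU-$BaseName-u"
    $gpo = Get-GPO -Name $name -ErrorAction SilentlyContinue
    if (-not $gpo) { $gpo = New-GPO -Name $name }

    # Unused half disabled: a User GPO should not add to boot-time processing.
    $gpo.GpoStatus = 'ComputerSettingsDisabled'

    # Security filtering: Authenticated Users loses Read and Apply; the group gets both.
    Set-GPPermission -Name $name -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel None -Replace | Out-Null
    Set-GPPermission -Name $name -TargetName $ApplyToGroup -TargetType Group -PermissionLevel GpoApply | Out-Null
    # Post-MS16-072 requirement: the computer account must still be able to read a User GPO.
    Set-GPPermission -Name $name -TargetName 'Domain Computers' -TargetType Group -PermissionLevel GpoRead | Out-Null

    # Link without Enforced; "no override" is reserved for the root-level GPO.
    $linked = (Get-GPInheritance -Target $LinkTargetDN).GpoLinks | Where-Object { $_.DisplayName -eq $name }
    if (-not $linked) { New-GPLink -Name $name -Target $LinkTargetDN -LinkEnabled Yes -Enforced No | Out-Null }
    return Get-GPO -Name $name
}

function Test-GpoConvention {
    param([Parameter(Mandatory)] [string] $FirstLevelOU, [Parameter(Mandatory)] [string] $OUDN)
    # Every GPO linked at or below $OUDN, checked against the naming and filtering rules.
    $names = Get-ADOrganizationalUnit -Filter * -SearchBase $OUDN |
        ForEach-Object { (Get-GPInheritance -Target $_.DistinguishedName).GpoLinks } |
        Select-Object -ExpandProperty DisplayName | Sort-Object -Unique
    foreach ($n in $names) {
        $g = Get-GPO -Name $n -ErrorAction SilentlyContinue
        if (-not $g) { continue }
        $issues = @()
        if ($n -notlike "$FirstLevelOU-*") { $issues += 'name lacks first-level OU prefix' }
        if ($n -like '*-u') {
            if ($g.GpoStatus -ne 'ComputerSettingsDisabled') { $issues += 'Computer Configuration not disabled' }
            $au = Get-GPPermission -Name $n -TargetName 'Authenticated Users' -TargetType Group -ErrorAction SilentlyContinue
            if ($au -and $au.Permission -eq 'GpoApply') { $issues += 'Authenticated Users can apply this User GPO' }
        }
        if ($issues) { [pscustomobject]@{ GPO = $n; Issues = ($issues -join '; ') } }
    }
}

# Placeholder values modelled on the guide's "ITR-" example.
New-UserGpoPerConvention -FirstLevelOU 'ITR' -BaseName 'LabLockdown' `
    -LinkTargetDN 'OU=Labs,OU=ITR,DC=csun,DC=edu' -ApplyToGroup 'ITR-LabUsers' | Out-Null
Test-GpoConvention -FirstLevelOU 'ITR' -OUDN 'OU=ITR,DC=csun,DC=edu' | Format-Table -AutoSize
```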
Use an ADM file to create a GPO
Note: Two .adm files are provided for use or as examples. The first sets the local
computer up to point to the Software Update Service (SUS) server. This SUS
server can either be local to the OU or the one provided and maintained by the
ITR. The purpose of the SUS server is to reduce bandwidth usage and provide
local systems with an unassisted ability to receive and install critical updates
automatically at a given time and on a given day. The second .adm file provides
the local administrator the ability to limit the user’s ability to do specific things.
This .adm file is useful in a computer laboratory setting where limits need to be
in place.
Once an .adm file is created it needs to be integrated into a GPO (both for testing and for
implementation). The integration is accomplished as follows (assuming the GPO exists):
1. Click Start, point to Programs, point to Administrative Tools, and then click
Active Directory Users and Computers.
2. Select location of GPO.
Note: This may require you to click the + next to your OU to expand it.
11. If your .adm file was successfully loaded, you will be returned to the dialog that
you saw in Step 8. In this case click on Close. Your policy template has been
added successfully. Skip all the steps below.
12. If your .adm file was not successfully loaded, you will be presented with a dialog
displaying the errors that occurred while loading the .adm file.
13. At this point, make a note of the errors that were found. Click on OK.
14. You will be returned to the dialog that you saw during Step 8. Although your .adm
file was not successfully loaded, it will still appear in the list of .adm files loaded.
15. Select your .adm file, and click on Remove.
16. Click on Close.
17. You are now back to the Group Policy snap-in. At this point, edit your .adm file
and correct any problems. Then repeat this process again starting from Step 6, to
try to load your .adm template again.
Publishing a Printer
This section describes the processes for publishing printers in a Windows 2000 Active
Directory-based network.
Windows 2000 Printers
You can publish a printer shared by a computer running Windows 2000 by using the
Sharing tab of the printer Properties dialog box. By default, Listed in the directory is
enabled. The directory is the Active Directory data store. (This means that Windows
2000 Server publishes the shared printer by default.) The print subsystem will
automatically propagate changes made to the printer attributes (location, description,
loaded paper, and so forth) to the directory.
Note: For this section of this guide, you must have a printer available and know its IP
address. If you do not have an IP printer, you can still run through these
procedures, substituting the correct port for Standard TCP/IP Port.
After you create the printer, the printer is automatically published in Active Directory
and the Listed in the Directory check box is selected.
You might also need to find the server from which a printer is shared before
adding it to the machine you are working on.
To locate a printer
1. Click Start, point to Settings, and then click on Printers.
2. Double-click the Add Printer icon.
3. In the Add Printer Wizard dialog box, click the Next button.
4. Select the Network printer button, and then click Next.
5. Select the Find a printer in the Directory button, and then click Next.
6. The Find Printers dialog box displays. If you know which domain your
printer resides in, click the Browse button and choose that domain to narrow
your search. Then, on the Printer tab, add the printer Name, Location, or
Model to those text boxes, and click the Find Now button.
Note: If you do not know the name, location, or model of the printer, you can simply
click the Find Now button, and all the printers in the domain you selected will be
listed in the list box.
Adding Non-Windows 2000 Printers
To publish a printer shared from a non-Windows 2000 server using the pubprn.vbs
script
1. Click Start, click Run, and type cmd in the text box. Click OK.
2. Type cd \winnt\system32 and press Enter.
3. Type cscript pubprn.vbs <printer server name> "LDAP://ou=ecs,dc=csun,dc=edu"
(substituting the name of the server sharing the printer; the LDAP path is the
target OU, the ECS OU in this example) and press Enter. This publishes the
printer to the specified OU.
This script copies only the following subset of the printer attributes:
Location
Model
Comment
UNCPath
You can add other attributes by using the Active Directory Users and Computers
snap-in.
Note: You can rerun pubprn and it will update rather than overwrite existing printers.
Alternatively, you can use the Active Directory Users and Computers snap-in to
publish printers on non-Windows 2000 servers.
The New Object-Printer dialog box pops up. In the text box, type the path to the
printer, such as \\server\share name. Click OK.
End users can realize the benefit of printers being published in the directory because
they can browse for printers, submit jobs to those printers, and install the printer
drivers directly from the server.
Folder Redirection
The Folder Redirection extension to Group Policy is used to redirect such user-specific
folders as My Documents from the client to a server, facilitating administrative
management of user data.
Let the system create folders for each user
To ensure that folder redirection works as well as possible, create the root share only on
the server, and let the system create the folders for each user. For the best experience, set
the share permissions to Full Control for the security groups you are redirecting, and set
the NTFS permissions for Everyone to Full Control, this folder, subfolders and files. If
you must create folders for the users, ensure that you have the correct permissions set.
The tables below show the default and minimum permissions required for folder
redirection. Each table has the columns User Account, Folder Redirection Defaults
and Minimum permissions needed.
[Tables: User Account | Folder Redirection Defaults | Minimum permissions needed.
Only one row is recoverable: Everyone, with one cell reading "Everyone - no permissions"
and the other "Traverse Folder, Read Attributes, Read Extended Attributes and Read
Permissions".]
[Table: NTFS Permissions required for each user's redirected folder]
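To set up the root share the way this section describes, here is an added example (not from the guide): it creates the root folder, sets the NTFS entry for Everyone to Full Control on this folder, subfolders and files, shares it with Full Control for the redirected security groups only, and reads both permission sets back so they can be compared with the tables. It assumes it runs as an administrator on the file server with the SmbShare module (Windows Server 2012 or later, which postdates this guide); the path, share and group names are placeholders. The per-user folders are deliberately not created here: the Folder Redirection policy creates them at logon, as the guide recommends.

```powershell
# Added example (not from the guide): create the folder-redirection root share with
# the permissions the guide specifies, then report them. Names are placeholders.
$RootPath         = 'D:\Redirected'
$ShareName        = 'Redirected$'              # hidden share
$RedirectedGroups = @('CSUN\ECS Users')        # security groups whose folders are redirected

function New-RedirectionRoot {
    param(
        [Parameter(Mandatory)] [string]   $Path,
        [Parameter(Mandatory)] [string]   $Share,
        [Parameter(Mandatory)] [string[]] $Groups
    )
    if (-not (Test-Path -LiteralPath $Path)) { New-Item -ItemType Directory -Path $Path | Out-Null }

    # NTFS: Everyone, Full Control, this folder, subfolders and files (as the guide states).
    $acl  = Get-Acl -Path $Path
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        'Everyone', 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.SetAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl

    # Share permissions: Full Control for the redirected groups only (no Everyone entry).
    if (-not (Get-SmbShare -Name $Share -ErrorAction SilentlyContinue)) {
        New-SmbShare -Name $Share -Path $Path -FullAccess $Groups | Out-Null
    }
}

function Get-RedirectionRootPermissions {
    param([Parameter(Mandatory)] [string] $Path, [Parameter(Mandatory)] [string] $Share)
    # Both permission sets, in the shape of the guide's tables, for review.
    [pscustomobject]@{
        Ntfs  = (Get-Acl -Path $Path).Access |
                Select-Object IdentityReference, FileSystemRights, InheritanceFlags, AccessControlType
        Share = Get-SmbShareAccess -Name $Share |
                Select-Object AccountName, AccessRight, AccessControlType
    }
}

New-RedirectionRoot -Path $RootPath -Share $ShareName -Groups $RedirectedGroups
$report = Get-RedirectionRootPermissions -Path $RootPath -Share $ShareName
$report.Ntfs  | Format-Table -AutoSize
$report.Share | Format-Table -AutoSize
```

Because no Everyone entry is added at the share level, users outside the redirected groups cannot reach the root even though the NTFS entry is permissive; the NTFS report will also show any inherited entries from the parent volume, which is what the tables' minimum-permissions column lets you compare against.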
Offline Folders Tips and Tricks
Do not put the server share in a Distributed File System (DFS) tree
Using offline folders located in a Distributed File System (DFS) tree is not
supported. If you do put shares configured for offline use in a DFS tree,
unexpected behavior, such as Access Denied errors, may occur when moving
from an offline to online state.
Not all types of files can be synchronized
By default, .mdb and .pst files are not synchronized, as they have other
mechanisms of synchronizing.
Don't store roaming profiles on the same server as redirected folders that are
enabled for offline use
See Folder Redirection Tips and Tricks for details.
Leaving certain kinds of documents open can prevent entering standby mode
When using offline folders, the original versions of Microsoft Word 2000 and
Excel 2000 prevent the computer from going into standby mode when a
document or spreadsheet is open. This is fixed in Office 2000 SR1.
each time the user logs on. For more information on mandatory profiles, see
http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/sag_UP_Create_Mandatory_Profile.asp.
You can specify the default user settings that will be included in all of the
individual user profiles.
Note: CSUN Active Directory does not actively support the use of roaming profiles.
References to roaming profiles are for informational purposes only.
Mandatory user profile--A mandatory user profile is a roaming profile that can be
used to specify particular settings for individuals or an entire group of users. Only
system administrators can make changes to mandatory user profiles.
Temporary user profile--A temporary profile is issued any time that an error
condition prevents the user's profile from being loaded. Temporary profiles are
deleted at the end of each session. Changes made by the user to their desktop
settings and files are lost when the user logs off.
Contents of a user profile
The user profile folders contain various items including the desktop and Start menu. The
following table lists and describes the contents of each user profile folder.

User profile folder    Contents
Application Data       Program-specific data (for example, a custom dictionary). Program
                       vendors decide what data to store in this user profile folder.
Cookies                User information and preferences.
Desktop                Desktop items, including files, shortcuts, and folders.
Favorites              Shortcuts to favorite locations on the Internet.
Local Settings         Application data, history, and temporary files. Application data roams
                       with the user by way of roaming user profiles.
My Documents           User documents and subfolders.
My Recent Documents    Shortcuts to the most recently used documents and accessed folders.
NetHood                Shortcuts to My Network Places items.
PrintHood              Shortcuts to printer folder items.
SendTo                 Shortcuts to document-handling utilities.
Start Menu             Shortcuts to program items.
Templates              User template items.
NTuser.dat file
The NTuser.dat file is the registry portion of the user profile. When a user logs off of the
computer, the system unloads the user-specific section of the registry (that is,
HKEY_CURRENT_USER) into NTuser.dat and updates it. For more information about
the registry, see http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/sag_ntregconcepts_mply.asp.
Note: The My Documents, My Pictures, Favorites, Start Menu, and Desktop folders are
the only folders displayed in Windows Explorer by default. The NetHood,
PrintHood, Local Settings, Recent, and Templates folders are hidden and do not
appear in Windows Explorer. To view these folders and their contents in
Windows Explorer, on the Tools menu, point to Folder options, click the View
tab, and then click Show hidden files and folders.
Note: On computers running Windows operating systems with the NTFS file system,
only members of the Administrators group can create, delete, or modify the
common program groups.
Note: To perform this procedure, you must be a member of the Administrators group
on the local computer, or you must have been delegated the appropriate
authority. If the computer is joined to a domain, members of the Domain Admins
group might be able to perform this procedure. As a security best practice,
consider using Run as to perform this procedure.
Note: To open System, click Start, click Control Panel, click Performance and
Maintenance, and then click System.
Note: You cannot copy or delete a user profile that belongs to the currently logged on
user or any user whose profile is in use.
Note: If you copy the profile to a new location, you must update the User Profile Path
entry for the user's account to refer to this new location as well.
Note: You cannot use Windows Explorer or any other file management utility to copy
user profiles.
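The note above says that a profile copied to a new location is useless until the account's User Profile Path points at it. The following Windows PowerShell script, added here as an example and not part of the CSUN guide, updates that attribute (profilePath) through ADSI after first confirming the new location is reachable; the account DN, server name and share path are placeholders. It does not copy the profile itself, since the guide states that file management utilities cannot be used for that.

```powershell
# Added example (not from the CSUN guide): point an account's profilePath
# attribute at the new location of a copied roaming profile.
# Assumptions: the DN, server and share below are placeholders; run as an
# account allowed to write the user's profilePath attribute.
param(
    [string]$UserDn  = "CN=James Smith,OU=Network Engineering & Operations,OU=ITR,DC=example,DC=edu",
    [string]$NewPath = "\\PROFILESERVER\Profiles$\jsmith"
)

# Refuse to point the account at a location that is not reachable yet. A broken
# profile path means the profile cannot load, the user gets a temporary profile,
# and any changes made in that session are lost at logoff.
if (-not (Test-Path -Path $NewPath)) {
    throw "New profile location '$NewPath' is not reachable; copy the profile there first."
}

# Bind to the user object through ADSI (works against Windows Server 2003 AD).
$user = [ADSI]"LDAP://$UserDn"
$old  = $user.profilePath.Value        # $null when the attribute is not set
Write-Host "Current profilePath : $old"

# Write the new path and commit the change to the directory.
$user.Put("profilePath", $NewPath)
$user.SetInfo()
Write-Host "Updated profilePath : $($user.profilePath.Value)"
```

The Test-Path check runs in the administrator's context, so it confirms only that the share is online; NTFS permissions for the user on the new folder still have to be carried over with the profile copy.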
Caution: If you are using a roaming profile and install a program on one computer
while simultaneously logged on to another computer, you might overwrite
crucial program-related registry settings stored in your roaming profile, thus
preventing you from running those programs.
For example: You are logged on to computer A and computer B. You install a
program on computer B and then log off computer B. Computer B stores the
shortcuts for the application, and the registry is saved to your roaming profile.
Computer A does not get updated profile information until you log off and log
on again.
When you log off from computer A, however, the computer writes to the
registry stored in the roaming profile (which now includes the Microsoft
Windows Installer (MSI) registration for the program you installed on
computer B) with the stale registry information from computer A. The
program shortcuts remain in your roaming profile but the Windows Installer
data stored in the registry settings is lost, preventing you from running the
programs.
You can repair your roaming profile by repairing or reinstalling the program
on computer B or by installing the program on computer A.
Note: The first time a user logs on, a copy of the preconfigured user profile is
returned from the server instead of a copy of the default profile on the local
computer. Thereafter, the user profile functions the same as a standard
roaming user profile does. Each time the user logs off, the user profile is
saved locally and is also copied to the server.
Note: The Windows operating system does not support the use of encrypted files
within the roaming user profiles.
Note: Roaming user profiles used with Terminal Services clients are not replicated
to the server until the interactive user logs off and the interactive session is
closed.
Note: This does not affect using offline folders with redirected My Documents etc.
Don't store roaming profiles on the same server as redirected folders that are
enabled for offline use
o See Folder Redirection Tips and Tricks for details.
If roaming profiles are stored on a Windows NT 4.0 share, ensure that users are
given "Full Control" share permissions.
o If you are using Windows 2000 Professional in a Windows NT 4.0
domain, and the server hosting the profile share is a Windows NT 4.0
computer, make sure that users are given Full Control share permissions.
Not having the share permissions set to Full Control will result in profiles
not synchronizing. The event log will contain errors such as:
This problem occurs because the Change permission does not allow WRITE_DAC access,
so the system cannot copy ACLs. Windows 2000 copies roaming profile ACLs,
whereas Windows NT 4.0 does not.
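The failure described above comes down to one access right: the Change share permission lacks WRITE_DAC, so the profile ACLs cannot be written. The following Windows PowerShell script, added here as an example and not part of the CSUN guide, reads the share-level DACL of a profile share through WMI (Win32_LogicalShareSecuritySetting) and flags every allowed trustee whose access mask does not include WRITE_DAC. The server and share names are placeholders; the access-mask constants are the standard Win32 values for the Full Control, Change and Read share templates.

```powershell
# Added example (not from the CSUN guide): audit a profile share's share-level
# DACL and report trustees that lack WRITE_DAC (the right the Change share
# permission does not grant). Server and share name are placeholders.
param(
    [string]$ComputerName = "PROFILESERVER",   # placeholder
    [string]$ShareName    = "Profiles$"        # placeholder
)

# Win32 access-mask constants (share permission templates and the single right
# the guide says Change is missing).
$WRITE_DAC          = 0x00040000
$SHARE_FULL_CONTROL = 0x001F01FF
$SHARE_CHANGE       = 0x001301BF
$SHARE_READ         = 0x001200A9

# Translate a raw access mask into the label shown in the share permissions UI.
function Get-ShareAccessLabel([uint32]$Mask) {
    if     ($Mask -eq $SHARE_FULL_CONTROL) { 'Full Control' }
    elseif ($Mask -eq $SHARE_CHANGE)       { 'Change' }
    elseif ($Mask -eq $SHARE_READ)         { 'Read' }
    else   { 'Custom (0x{0:X8})' -f $Mask }
}

# Return one object per ACE in the share's DACL, with a WRITE_DAC flag.
function Get-ProfileShareAces([string]$Computer, [string]$Share) {
    $setting = Get-WmiObject -ComputerName $Computer `
        -Class Win32_LogicalShareSecuritySetting -Filter "Name='$Share'"
    if (-not $setting) { throw "Share '$Share' not found on $Computer" }

    $sd = $setting.GetSecurityDescriptor().Descriptor
    foreach ($ace in $sd.DACL) {
        # AceType 0 = ACCESS_ALLOWED_ACE_TYPE, 1 = ACCESS_DENIED_ACE_TYPE
        $allow = ($ace.AceType -eq 0)
        [pscustomobject]@{
            Trustee     = "$($ace.Trustee.Domain)\$($ace.Trustee.Name)"
            Type        = if ($allow) { 'Allow' } else { 'Deny' }
            Permission  = Get-ShareAccessLabel ([uint32]$ace.AccessMask)
            HasWriteDac = (($ace.AccessMask -band $WRITE_DAC) -ne 0)
        }
    }
}

$aces = Get-ProfileShareAces -Computer $ComputerName -Share $ShareName
$aces | Format-Table -AutoSize

# Any allowed trustee without WRITE_DAC will hit the ACL-copy failure described
# in the guide when its profile synchronizes.
$missing = $aces | Where-Object { $_.Type -eq 'Allow' -and -not $_.HasWriteDac }
if ($missing) {
    Write-Warning ("Profile ACLs cannot be copied for: " +
        (($missing | ForEach-Object { $_.Trustee }) -join ', '))
}
```

Get-WmiObject is available in Windows PowerShell (not PowerShell 7); reading the security descriptor requires administrative rights on the file server. The check is share-level only; the NTFS ACL on the profile folder still needs to grant the user write access to its own profile directory.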
Attachments:
You have now created an account for James Smith in the /ITR/Network Engineering
& Operations OU. To add additional information about this user: