
Step-by-Step Guide to Managing the Active Directory

Document Change Control Table

Version  Date      Author     Brief Description of Change(s)
1.00     2/10/04   D. Aragon  Initial version.
1.01     5/12/04   D. Aragon  Added section on user profiles.
1.02     5/21/04   D. Aragon  Added Document Control Table and Table of Contents.
1.03     7/26/04   D. Aragon  Added security warning and corrected several typos.
1.04     3/15/07   D. Aragon  Updated guide to reflect procedures for Windows Server 2003
                              Active Directory forest functional level (FFL).
Table of Contents

Introduction
Prerequisites
In this Step-by-Step Guide
Using the Active Directory Users and Computers Snap-in tool
Recognizing Active Directory Objects
Adding an Organizational Unit
Creating a Computer Object
Adding a Computer to the Domain
Managing Computer Objects
Managing a Remote Computer
Creating a Group
Adding a User to a Group
Nested Groups
Creating Nested Groups
Finding Specific Objects
Filtering a List of Objects
Writing a Group Policy Object
Create a Group Policy Object
Edit a Group Policy Object
Use an ADM file to create a GPO
Publishing a Shared Folder
To publish the shared folder in the directory
To browse the directory
Publishing a Printer
Windows 2000 Printers
To add a new printer
To locate a printer
Adding Non-Windows 2000 Printers
To use the Active Directory Users and Computers snap-in to publish printers
Folder Redirection
Let the system create folders for each user
Use offline folder settings on the server share where the user's info is stored
Policy removal considerations
Offline Folders Tips and Tricks
User profiles overview
Advantages of using user profiles
User profile types
Contents of a user profile
NTuser.dat file
All Users folder
To copy a user profile
To create a preconfigured user profile
User Profiles and Roaming User Profiles Tips and Tricks
Attachments:
Creating a Local User Account
To create a new local user account

Introduction
ITR, in conjunction with TSAG members, has been tasked with implementing the policies
and managing the top-level (root) organizational unit (OU), along with implementing
TSAG-approved changes to the schema and to the top-level (root) Group Policy Object
(GPO). Because local autonomy is desired for the individual colleges and organizations
represented at the first-level OUs, local administration of these OUs falls on TSAG
members or their appointed representatives. This guide is provided to TSAG members as
an introduction to administering the Active Directory service with the Active Directory
Users and Computers snap-in. The snap-in allows you to add, move, delete, and alter the
properties of objects such as users, contacts, groups, servers, printers, and shared
folders. It is available for download as part of the Active Directory administrative tools
from the Active Directory web site (http://www.csun.edu/tsag/activedirectory). The
Active Directory administrative tools can only be used from a computer with access to
the domain.

Prerequisites
This document is based on the following documents and web pages:
Step-by-Step How-To Guide to the Common Infrastructure for Windows 2000 Server
Deployment,
Part One: http://www.microsoft.com/technet/win2000/depprof1.asp,
Part Two: http://www.microsoft.com/technet/win2000/depprof2.asp, and
http://www.microsoft.com/technet/prodtechnol/ad/windows2000/howto/managad.asp.
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/directory/activedirectory/stepbystep/admng.mspx
This document assumes you are familiar with Windows Server 2003 or Windows XP and
that you have administrative authority for your OU (i.e., you have an "a under-bar" (a_)
account).

In this Step-by-Step Guide

Common Administrative Tasks
- Adding an Organizational Unit
- Creating a Computer Object
- Adding a Computer to the Domain
- Creating Groups and Adding Members to Groups
- Creating or Editing a Group Policy Object

Advanced Administrative Tasks
- Publishing shared network resources, such as shared folders and printers
- Renaming, Moving, and Deleting Objects
- Creating Nested Groups
- Using Filters and Searches to retrieve objects
- Folder Redirection

Additional Useful Information
- Policy Removal Considerations
- Offline Folder Tips and Tricks
- User Profile Overview
- User Profiles and Roaming User Profiles Tips and Tricks

Attachments
- Creating a User Account
- Group Policy Object Settings Explanation
- Root Group Policy Object settings
- Blank Group Policy Object Worksheet

Using the Active Directory Users and Computers Snap-in tool

For security reasons, direct access to the Domain Controllers is prohibited.

Note: Maintenance of objects can only be performed through the Active Directory Users
and Computers snap-in.

Note: If you have not done so already, install the Administrative Package found on the
Active Directory Administration Web Site (www.csun.edu/tsag/activedirectory).
Download and install the correct administrative package for your operating system
(admin2k.exe for Windows 2000, or adminxp.exe for Windows XP or Windows Server
2003). This installs the snap-in referenced in this section.

1. To start the Active Directory Users and Computers snap-in, click Start, point to
Programs, point to Administrative Tools, and then click Active Directory Users and
Computers.
2. Expand csun.edu by clicking the +.
3. Figure 1 below displays the key components of the Active Directory Users and
Computers snap-in for csun.edu.

Figure 1 The Active Directory Users and Computers Snap-In

Recognizing Active Directory Objects

The folders described in the following table are created during the installation of Active
Directory.

Folder             Description
Domain             The root node of the snap-in represents the domain being administered.
Default Computers  Contains all Windows NT, Windows 2000, Windows XP, and Windows Server
                   2003-based computers that join our domain incorrectly, that is, without
                   a computer object created in advance in the correct OU. This includes
                   computers running Windows NT versions 3.51 and 4.0. If you upgrade from
                   a previous version, Active Directory migrates the machine account to
                   this folder. Computers in this folder display a message to the user at
                   logon warning that the computer is in the wrong location and to notify
                   their IT Tech to have it moved. You must get an Active Directory
                   Enterprise Administrator to move these objects.
System             Contains Active Directory system and services information.
Auth/People        Contains all the users in the domain. User objects, like computer
                   objects, can technically be moved, but doing so puts them out of sync
                   with the enterprise directory, so moving a user object is not allowed.
Users              Contains all the user types in the domain.

You can use Active Directory to create the following objects.

Object               Description
User                 A user object is a security principal in the directory. A user can log
                     on to the network with these credentials, and access permissions can
                     be granted to users.
Contact              A contact object is an account that does not have any security
                     permissions. You cannot log on to the network as a contact. Contacts
                     are typically used to represent external users for the purpose of
                     e-mail.
Computer             An object that represents a computer on the network. For Windows
                     NT-based workstations and servers, this is the machine account.
Organizational Unit  Organizational units are used as containers to logically organize
                     directory objects such as users, groups, and computers, in much the
                     same way that folders are used to organize files on your hard disk.
Group                Groups can contain users, computers, and other groups. Groups
                     simplify the management of large numbers of objects.
Shared Folder        A shared folder is a network share that has been published in the
                     directory.
Shared Printer       A shared printer is a network printer that has been published in the
                     directory.

Adding an Organizational Unit

This procedure creates an organizational unit (OU) in the CSUN domain.

Note: You can create nested organizational units and there is no limit to the nesting
levels, though Microsoft suggests that nesting more than five levels deep might slow the
logon process.

These steps follow the Active Directory structure begun in the "Step-by-Step Guide to a
Common Infrastructure for Windows 2000 Server Deployment"
(http://www.microsoft.com/technet/win2000/depprof1.asp). For your own organization,
add the OUs under your organizational OU within the csun.edu Active Directory forest.

Note: You are not allowed to add a first-level OU. Unauthorized first-level OUs will be
deleted without warning.

1. Click the + next to your OU to expand it.
2. Right-click the location under which you wish to insert the new OU.
3. Point to New and click Organizational Unit. Type the name of your new
organizational unit. Click OK.
4. Repeat steps 2 and 3 above to create additional organizational units as needed.
For example, the screen shot in Figure 2 shows:
- Organizational unit ITR under csun.edu.
- Organizational unit Network Engineering & Operations under the ITR
organizational unit.
- Organizational unit Computers and Groups Network Administration and
Operations under the Network Engineering & Operations organizational unit.
(To do this, right-click Network Engineering & Operations, point to New, and
then click Organizational Unit.)
Click Network Engineering & Operations so that its contents will display in the
right pane.

When you are finished, you should have a hierarchy similar to Figure 2 below:

Figure 2 New OUs

Creating a Computer Object

A computer object is created automatically when a computer joins the domain; however,
this places the computer object in the first-level OU Default Computers. Additionally, a
warning pops up on the computer whenever someone logs on, stating that the system is in
the wrong location and to contact his or her local IT Tech staff or UHD to have it moved.
Getting it out of that OU and into your OU requires an Active Directory Enterprise
Administrator to move it for you. The better method is to create the computer object
yourself before the computer joins the domain, so that it joins in the correct OU.

Note: There is no unified object naming convention employed at CSUN; however, object
naming should be standardized within your OU to enable rapid and correct identification
of each object within your organization.

Note: Each computer name must be unique within the entire domain, not just within your
OU: the name you type becomes the account name (sAMAccountName) of the object, and
the domain rejects a duplicate.

To view the name of the computer you plan to add to Active Directory:
a. In Windows 2000:
   i. Right-click My Computer.
   ii. Click Properties.
   iii. In the panel on the left side, click the Network Identification link.
   iv. The computer name is shown as Full Computer Name (use the portion preceding
   .csun.edu if it is present).
   v. For example, if the full computer name is daxps.csun.edu, the computer name you
   will want to enter is daxps.
b. In Windows XP:
   i. Right-click My Computer.
   ii. Click Properties.
   iii. Click the Computer Name tab.
   iv. The computer name is shown as Full Computer Name (use the portion preceding
   .csun.edu if it is present).
   v. For example, if the full computer name is daxps.csun.edu, the computer name you
   will want to enter is daxps.
Figure 3 Computer Name

Using the previous structure as an example, if we wanted to add a computer named
GDUHON to the Computers OU under the Network Engineering & Operations OU, we
would complete the following tasks:

Note: Naming a computer after its primary user presents an unnecessary security risk:
anyone snooping on the network learns which machine belongs to which person, which
makes that machine a target for a directed attack. From a security standpoint, it is
better to give the computers in your OU less identifying names.

1. Right-click the Computers organizational unit under the Network Engineering &
Operations OU, point to New, and then click Computer.
2. Type in the computer name: GDUHON.
3. You can manage this computer in the Active Directory Users and Computers snap-in
by right-clicking the computer object and then clicking Manage.
4. Optionally, you can select which user or group is permitted to join this computer to
the domain. This allows the administrator to create the computer account and someone
with lesser permissions to install the computer and join it to the domain.
5. Once the object is created, right-click it, click Properties, and select the Security tab.
Ensure that your a_account is not present; if it is, remove it. Also ensure that your
administrative group is listed; if it isn't, add it. Not doing this could leave the object
controlled by one person's account rather than your group and restrict your
administrative control of it.

Note: If you cannot see the Security tab, select View from the top menu and then
Advanced Features.

Figure 4 Adding a New Computer

Adding a Computer to the Domain

After creating the computer object, but prior to first use, the computer must be joined to
the domain. This process ensures that the appropriate policies are applied. The first step
is to ensure that the local computer's clock is synchronized with the network: Kerberos
authentication, and therefore the join and every later logon, fails if the clock is more
than five minutes (the default tolerance) off from the domain controllers.

Note: It is important to create the computer object in Active Directory prior to joining
the computer to the domain. If there is no object in Active Directory for the computer to
join to, an object is automatically created and placed in the Default Computers OU. You
must then contact one of the e_account holders or a member of the ITR-Admin group to
move it to its correct location.

1. Open a command window (click Start, click Run, and type cmd in the text box).
2. At the prompt, type: net time /setsntp:ntp.csun.edu
3. You should get a response that states: The command completed successfully.
4. Type: net stop w32time
5. You should get a response that states: The Windows Time service was stopped
successfully.
6. Type: net start w32time
7. You should get a response that states: The Windows Time service was started
successfully.
8. Close the command window.

Now join the computer to the domain:

9. Right-click My Computer and select Properties.
10. In Windows 2000, select Network Identification followed by Properties; in Windows
XP, select Computer Name followed by Change.
11. Select Member of Domain and enter csun.edu (or just csun).
12. You will be prompted for a username and password; use your a_account name and
password to prove your authority to perform this action.
13. If successful, you will receive a notice welcoming you to the domain and telling you
to reboot the system.
14. Reboot the system.
15. Users may now log on to the csun domain.
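The pre-staging and join procedure above, scripted as an added example that is not part of the CSUN guide. It uses the RSAT ActiveDirectory PowerShell module (which needs a domain controller running Active Directory Web Services, a newer environment than the Windows Server 2003 forest this guide describes) and replaces the deprecated net time /setsntp command with w32tm. The OU path, the ITR-Admins group, the CSUN\a_dduhon account and the GDUHON computer name are assumed for illustration; ntp.csun.edu is taken from the guide. The first function performs steps 1 through 5 of the previous section, including the uniqueness and ACL checks; the second performs steps 1 through 14 of this section on the client.

```powershell
# Added example, not from the CSUN guide. Assumes the RSAT ActiveDirectory module;
# the OU path, group name and a_ account below are illustrative.
Import-Module ActiveDirectory

$ComputerName = 'GDUHON'
$TargetOU     = 'OU=Computers,OU=Network Engineering & Operations,OU=ITR,DC=csun,DC=edu'
$AdminGroup   = 'ITR-Admins'        # assumed name of the OU's administrative group
$PersonalAcct = 'CSUN\a_dduhon'     # assumed "a under-bar" account doing the work

# ---- Part 1: run from your admin workstation with the a_ account ---------------
function New-PrestagedComputer {
    param([string]$Name, [string]$Path, [string]$AdminGroup, [string]$PersonalAcct)

    # The account name must be unique in the whole domain, not just in your OU.
    $sam = "$Name`$"
    if (Get-ADComputer -LDAPFilter "(sAMAccountName=$sam)") {
        throw "A computer account named $Name already exists in the domain"
    }

    # Create the object in your OU so the later join cannot land in Default Computers.
    $dn = (New-ADComputer -Name $Name -Path $Path -Enabled $true -PassThru).DistinguishedName

    # Step 5 of the guide: the personal a_ account must not be on the ACL and the
    # OU admin group must have Full Control (GenericAll). Inherited entries come from
    # the OU and cannot be removed here, so only explicit entries are touched.
    $acl = Get-Acl -Path "AD:\$dn"
    $stale = @($acl.Access | Where-Object {
        -not $_.IsInherited -and $_.IdentityReference.Value -eq $PersonalAcct })
    foreach ($ace in $stale) { [void]$acl.RemoveAccessRule($ace) }

    $full  = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
    $allow = [System.Security.AccessControl.AccessControlType]::Allow
    $hasAdmin = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq "CSUN\$AdminGroup" -and
        $_.AccessControlType -eq $allow -and
        ($_.ActiveDirectoryRights -band $full) -eq $full }
    if (-not $hasAdmin) {
        $sid  = (Get-ADGroup -Identity $AdminGroup).SID
        $rule = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule `
            -ArgumentList $sid, $full, $allow
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path "AD:\$dn" -AclObject $acl
    return $dn
}

# ---- Part 2: run elevated on the new computer before anyone logs on -----------
function Join-PrestagedComputer {
    param([string]$Domain = 'csun.edu', [string]$TimeServer = 'ntp.csun.edu',
          [string]$JoinAccount)

    # Steps 1-8: sync the clock first. Kerberos rejects tickets from a clock more than
    # five minutes off the DCs, so a skewed clock fails the join and every later logon.
    # w32tm replaces "net time /setsntp", which newer Windows versions no longer accept.
    w32tm.exe /config "/manualpeerlist:$TimeServer" /syncfromflags:manual /update | Out-Null
    Restart-Service -Name w32time
    w32tm.exe /resync | Out-Null

    # Steps 9-14: join with the a_ account that has rights on the pre-staged object.
    # No -OUPath is given: the object already exists, so the join binds to it instead
    # of creating a new one in Default Computers.
    $cred = Get-Credential -UserName $JoinAccount -Message 'a_ account for the domain join'
    Add-Computer -DomainName $Domain -Credential $cred -Restart
}

# Admin side. The client half is then run on GDUHON itself:
#   Join-PrestagedComputer -JoinAccount 'CSUN\a_dduhon'
New-PrestagedComputer -Name $ComputerName -Path $TargetOU `
    -AdminGroup $AdminGroup -PersonalAcct $PersonalAcct
```

The ACL check matters more than it looks: the creator of an object receives rights on it, so an object created by a personal a_ account and never re-ACLed stays tied to that person, which is exactly what step 5 of the guide is preventing.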

Managing Computer Objects

Computer objects in Active Directory can be managed directly from the Active Directory
Users and Computers snap-in. Computer Management is a component you can use to view
and control many aspects of the computer configuration. It combines several
administration utilities into a single console tree, providing easy access to a local or
remote computer's administrative properties and tools.

Note: The following example assumes that you are working from a system, and with an
account, that has management privileges on the system being managed, and that the
system being managed is currently running.

Managing a Remote Computer

To manage a remote computer:

1. In the Active Directory Users and Computers snap-in, click the + next to csun.edu.
2. Select the appropriate OU and expand it by clicking the +. Repeat this process until
you get down to the level of the computer you wish to remotely manage.
3. Right-click the computer object and then click Manage.
4. If you are authorized to do so, a management window opens as shown in Figure 5. If
the system cannot be reached for remote management, a warning is issued (Figure 6) and
a management window opens as shown in Figure 7. If you are not authorized, a
management window opens as shown in Figure 8.

Figure 5 Remotely Managing a Computer

Figure 6 Remote Computer not Found Warning


Figure 7 Remote Computer not Found

Figure 8 Remote Computer Management not Authorized

Creating a Group
A group is a container for people who have something in common and need to be managed
in a similar fashion. For example, a group might hold the students in a specific class who
are the only ones authorized to use a particular computer lab, or the administrative staff;
but a group could just as easily be the people with birthdays in August.
For example, to create a group called Comp100Users in the ECS OU:
1. Right-click the ECS OU, click New, and then click Group.
2. In the Name of New Group text box, type: Comp100Users
3. Select the appropriate Group type and Group scope and then click OK.
- The Group type indicates whether the group can be used to assign permissions to
network resources such as files and printers (a Security group) or is only an e-mail
distribution list (a Distribution group).
- The Group scope determines where the group is visible and what it may contain:

Scope         Visibility  May contain
Domain Local  Domain      Users, computers, and Domain Local, Global, or Universal groups
Global        Forest      Users, computers, and Global groups from the same domain
Universal     Forest      Users, computers, and Global or Universal groups from any
                          domain in the forest

Adding a User to a Group

For example, to add users to the Comp100Users group created above:
1. Click ECS in the left pane.
2. Right-click the Comp100Users group in the right pane, and click Properties.
3. Click the Members tab and click Add.
4. Enter the user identification (UID) of each user. If adding multiple users, separate
them with a semicolon (;). When finished adding names, click the Check Names button
as in Figure 9 below; this checks the entered names against the list of current users.
Any discrepancies are identified, and you will be asked to correct or remove the UID
from the list (Figure 10).
5. If you do not know the UID, click the Advanced button and follow the instructions in
the section called Finding Specific Objects below.


Figure 9 Add User to the Comp100Users Group


Figure 10 User not Found

Nested Groups
Nested groups allow you to provide college-wide or department-wide access to resources
with minimum maintenance. Placing every user account into a single college-wide
resource group is not an effective solution because it requires the creation and
maintenance of a large number of membership links. To use nested groups, administrators
create a series of account groups that represent the managerial divisions of the college or
unit.

For example, the top account group might be called "ECS Users," and would be attached
to a resource group that gives access to resources and shared directories. The next level
might contain account groups that represent major divisions of the college for example
CEAM, ME, CS, ECE, and MSEM. Each group at this level is a member of ECS Users,
and is attached to a resource group giving access to shares and other resources
appropriate to the division it represents.

Within a division, the next level of account groups might represent departments. Shared
resources for the department might include project schedules, meeting schedules,
vacation schedules, or any network information appropriate to the whole department. The
department account groups are all members of the division account group.

Within a department, the management structure can be organized into security groups to
any required level of specificity. These might be team account groups and might
represent leaf nodes in the organization’s hierarchical tree.

With this group hierarchy in place, you can give a new employee or student assistant
instant access to the resources of the team, department, the division, and the college as a
whole by placing the user in a team account group. This system supports the principle of
least access because the new employee or student assistant cannot view the resources of
adjacent teams, other departments, or other divisions.

Creating Nested Groups

To create a nested group:

1. In the Active Directory Users and Computers snap-in, click the + next to csun.edu.
2. Select the appropriate OU (ECS in our example) and expand it by clicking the +.
Repeat this process until you get down to the level where you wish to create a group
(for example, OU=Groups,OU=CECS,OU=ECS,DC=csun,DC=edu).
3. Create a new group by right-clicking Groups, pointing to New, and then clicking
Group. Type ECS Users, and then click OK.
4. Right-click the ECS Users group, and then click Properties.
5. Click the Members tab, and then click Add.
6. In the Enter the object names to select box, type CECS, and then click OK.
7. Click OK again. A nested group has been created.
8. Repeat steps 3 through 7 if additional nesting is required.
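The college, division, department and team hierarchy from the Nested Groups section, built and then verified, as an added example that is not part of the CSUN guide. It assumes the RSAT ActiveDirectory module. The group names ECS Users and CECS and the OU path come from the guide; CECS-CS, CECS-CS-Systems, CECS-CS-Web, the ECS-Share-RW resource group and the user zgonzalez are assumed for illustration. The account groups are Global and the resource group that gets placed on the share's ACL is Domain Local, which is the combination the scope table above allows: a Global group may contain only accounts and Global groups from its own domain, so the nesting must run from team up to college, never from a resource group into an account group.

```powershell
# Added example, not from the CSUN guide. Assumes the RSAT ActiveDirectory module;
# names other than "ECS Users", "CECS" and the OU path are illustrative.
Import-Module ActiveDirectory

$GroupsOU = 'OU=Groups,OU=CECS,OU=ECS,DC=csun,DC=edu'   # path from the steps above

function New-AccountGroup {
    # Idempotent: create the security group only if it does not already exist.
    param([string]$Name, [string]$Scope = 'Global', [string]$Path = $GroupsOU)
    if (-not (Get-ADGroup -LDAPFilter "(sAMAccountName=$Name)")) {
        New-ADGroup -Name $Name -GroupScope $Scope -GroupCategory Security -Path $Path
    }
}

# College -> division -> department -> teams (all Global account groups) ...
'ECS Users', 'CECS', 'CECS-CS', 'CECS-CS-Systems', 'CECS-CS-Web' |
    ForEach-Object { New-AccountGroup -Name $_ }
# ... and one Domain Local resource group that is granted rights on the college share.
New-AccountGroup -Name 'ECS-Share-RW' -Scope DomainLocal

# Nest upward. Adding 'ECS-Share-RW' into 'CECS' would be rejected: a Global group
# cannot contain a Domain Local group.
Add-ADGroupMember -Identity 'ECS Users'    -Members 'CECS'
Add-ADGroupMember -Identity 'CECS'         -Members 'CECS-CS'
Add-ADGroupMember -Identity 'CECS-CS'      -Members 'CECS-CS-Systems', 'CECS-CS-Web'
Add-ADGroupMember -Identity 'ECS-Share-RW' -Members 'ECS Users'

# A new student assistant is placed in exactly one team group (assumed UID).
Add-ADGroupMember -Identity 'CECS-CS-Web' -Members 'zgonzalez'

function Get-EffectiveGroups {
    # memberOf lists direct memberships only; walk each group's own memberOf to get the
    # transitive chain the user's logon token will actually carry.
    param([string]$User)
    $seen  = @{}
    $queue = New-Object System.Collections.Queue
    (Get-ADUser -Identity $User -Properties memberOf).memberOf |
        ForEach-Object { $queue.Enqueue($_) }
    while ($queue.Count -gt 0) {
        $dn = $queue.Dequeue()
        if ($seen.ContainsKey($dn)) { continue }
        $seen[$dn] = $true
        (Get-ADGroup -Identity $dn -Properties memberOf).memberOf |
            ForEach-Object { $queue.Enqueue($_) }
    }
    $seen.Keys | ForEach-Object { (Get-ADGroup -Identity $_).Name } | Sort-Object
}

# Seen from the user: team, department, division, college and the share group,
# but not the sibling team CECS-CS-Systems (the least-access property the text claims).
Get-EffectiveGroups -User 'zgonzalez'

# Seen from the resource: -Recursive flattens the nesting to the individual accounts,
# which is the list to review when auditing who can reach the share.
(Get-ADGroupMember -Identity 'ECS-Share-RW' -Recursive).SamAccountName
```

Checking membership from both directions is the useful habit: the user-side walk confirms a person received what the hierarchy promises, and the resource-side flatten is what an auditor asks for when the question is "who can read this share".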
Finding Specific Objects
In a large directory deployment like ours, it may be unreasonable to browse a
comprehensive list of objects in search of a unique object (we have over 400,000 objects
in our Active Directory). Often it is more efficient to find the specific objects that meet
certain criteria. In the following example, you will find all users in the CSUN domain
whose first name starts with "Zeph".

To find users with a first name starting with Zeph:

1. Right-click csun.edu, and then click Find.
2. Enter the letters zeph and click the Find Now button.

Figure 11. Employing Simple Directory Search Techniques

Note: The same procedure is also valid for last names or UIDs. Additionally, changing
the Find drop-down allows you to search for a number of other object types, including
computers, printers, shared folders, and OUs, using the same general procedure.

3. If what you are searching for is not in any of the lists above, you need to do an
advanced search. Click the Advanced tab. In the Field drop-down list, select Group, and
then click Name.
4. Type Comp for Value, and then click Add. Click Find Now. Your results should be
similar to those shown in Figure 12.

Figure 12. Employing Advanced Directory Search Techniques

5. Select the object or objects you were looking for, and double-click to open them.
6. Close the Find Users, Contacts, and Groups window.

Filtering a List of Objects

Filtering the list of objects returned from the directory lets you manage the directory
more efficiently. The filter restricts the types of objects shown in the snap-in; for
example, you can choose to view only users and groups, or build a more complex filter.
The same Filter Options dialog also lets you cap the number of objects displayed in the
results pane when an OU contains more than a specified number of objects.

To create a filter that displays groups only:

1. In the Active Directory Users and Computers snap-in, click the + next to csun.edu.
2. Select the appropriate OU (COBAE in our example) and expand it by clicking the +.
You should see a mixture of OUs, computers, and groups.
3. Click the View menu, and then click Filter Options.
4. Click the radio button for Show only the following types of objects, select Groups,
and then click OK.
5. Reselect the appropriate OU (COBAE in our example) and expand it by clicking the +.
Verify the filtering results: you should now see only OUs and groups (OUs are
containers and are always shown).
6. Remove the filter.
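The searches from the Finding Specific Objects section and the view filter from this section, expressed as LDAP filters, as an added example that is not part of the CSUN guide. It assumes the RSAT ActiveDirectory module; the zeph, Comp, ECS, COBAE and ITR names come from the guide, and the 90-day stale-computer query at the end is an addition that the Find dialog cannot express. The Find dialog's Name box issues an ambiguous name resolution (ANR) query, which is why the guide can say the same procedure works for last names and UIDs; the first function reproduces that, the second the narrower "first name starts with" match the text describes.

```powershell
# Added example, not from the CSUN guide. Assumes the RSAT ActiveDirectory module;
# OU paths other than ECS, COBAE and ITR are illustrative.
Import-Module ActiveDirectory

# Find dialog, Name = "zeph": ANR matches the prefix of first name, last name, display
# name and account name at once. Restricting the category keeps the 400,000-object
# directory from returning printers, groups and OUs as well.
function Find-PersonByPrefix {
    param([string]$Prefix)
    Get-ADObject -LDAPFilter "(&(objectCategory=person)(anr=$Prefix))" `
        -Properties sAMAccountName, givenName, sn |
        Select-Object sAMAccountName, givenName, sn, DistinguishedName
}

# The exact case in the text: first name starting with Zeph, nothing else.
function Find-UserByGivenName {
    param([string]$Prefix)
    Get-ADUser -LDAPFilter "(givenName=$Prefix*)" -SearchBase 'DC=csun,DC=edu' |
        Select-Object SamAccountName, GivenName, Surname
}

# Advanced tab, Field > Group > Name, Value "Comp", scoped to one OU. A leading
# wildcard (*Comp*) cannot use the index and forces a scan of the whole partition.
function Find-GroupByName {
    param([string]$Prefix, [string]$SearchBase)
    Get-ADGroup -LDAPFilter "(name=$Prefix*)" -SearchBase $SearchBase |
        Select-Object Name, GroupScope, GroupCategory
}

# View > Filter Options > Show only: Groups, for the selected OU. OUs are included
# because the console always shows containers; OneLevel matches the results pane.
function Get-OuGroupsView {
    param([string]$OuDn)
    Get-ADObject -SearchBase $OuDn -SearchScope OneLevel `
        -LDAPFilter '(|(objectClass=group)(objectClass=organizationalUnit))' |
        Select-Object Name, ObjectClass
}

# A filter the GUI cannot express: computer objects in your OU whose machine password
# was never set (pre-staged but never joined) or has not changed in 90 days. These are
# unattended accounts in your OU and should be reviewed and removed.
function Get-StaleComputer {
    param([string]$OuDn, [int]$Days = 90)
    $cutoff = (Get-Date).AddDays(-$Days).ToFileTime()
    Get-ADComputer -SearchBase $OuDn -LDAPFilter "(pwdLastSet<=$cutoff)" `
        -Properties pwdLastSet |
        Select-Object Name,
            @{ n = 'PwdLastSet'; e = { [DateTime]::FromFileTime($_.pwdLastSet) } }
}

Find-PersonByPrefix -Prefix 'zeph'
Find-UserByGivenName -Prefix 'Zeph'
Find-GroupByName -Prefix 'Comp' -SearchBase 'OU=ECS,DC=csun,DC=edu'
Get-OuGroupsView -OuDn 'OU=COBAE,DC=csun,DC=edu'
Get-StaleComputer -OuDn 'OU=ITR,DC=csun,DC=edu'
```

Prefix filters (value*) are indexed on the attributes the Find dialog uses; a substring or trailing-wildcard-only search against a directory of this size is the difference between a sub-second query and one that the domain controller throttles.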

Writing a Group Policy Object

Writing a Group Policy Object (GPO) can be a daunting and formidable task. The purpose
of a GPO is to provide a mechanism to limit the behavior of a system or of the user
currently using that system. To make the task easier, the GPO is divided into logical
sections. Below the root node, the namespace is divided into two parent nodes: Computer
Configuration and User Configuration. These are the parent folders that you use to
configure Group Policy settings. Computer-related Group Policy is applied when the
operating system boots and during the periodic refresh cycle, while user-related Group
Policy settings are applied when users log on to the computer and during the periodic
refresh cycle.

Three nodes exist under each of the Computer Configuration and User Configuration
parent nodes: Software Settings, Windows Settings, and Administrative Templates. The
Software Settings and Windows Settings nodes contain extension snap-ins that extend
either or both of the Computer Configuration and User Configuration nodes. Most of the
extension snap-ins extend both of these nodes, but frequently with different options. The
Administrative Templates node contains all policy settings that are written to the
registry.

Several documents are attached to help in deciding which settings are appropriate and
which are necessary:
- GPO Settings Explanations: goes through each setting and gives a brief explanation of
what it does.
- Root (overridable and non-overridable) GPO Settings: a listing of the settings that have
been implemented at the root. Some of these settings are overridable and describe best
practice, while others are not overridable and describe policy. In both cases the settings
apply to all systems and users in Active Directory.
- Blank GPO Worksheet: a worksheet that can be used to document the settings you use
in the GPO(s) developed for your OU.

Note: To increase the security of the Active Directory forest, the only users granted
access to objects in the Active Directory from the root are members of the Enterprise
and Local Administrative groups. The permission to log on to a system must be granted
to users through a GPO placed within the local administrator's OU. The so-called
"account/account" will also be blocked unless granted access privilege.

Note: The No Override setting on user settings is reserved for the root-level GPO. It
should not be used by any local administrator on settings designed to modify user
behavior, as this setting causes the user GPO settings to be propagated throughout the
entire forest.

Note: A GPO has been developed to automatically map a network drive to the U-drive
share for a user as they log on to the system. This GPO is disabled for all users. If a
local administrator wishes to enable it, please forward a request to an Enterprise
Administrator identifying the OU and the name of the group to enable.

Create a Group Policy Object


Because of the unique structure employed at CSUN for the Active Directory forest, local
administrators must develop two separate GPOs. The first GPO is for computer
settings and the second GPO for user settings. As local administration of OUs is desired,
the computer GPO will be placed on the OU containing the computers and the group(s)
by the local administrator. The user GPO (if necessary) will have to be submitted to an
Enterprise Administrator to be placed in the OU=Auth or at the root of the tree.

Note: While the Computer GPOs can be set as not overridable (though this practice is
not recommended), the User GPOs must be overridable and must have the
Authenticated Users security settings for both read and apply disabled and the
group the GPO applies to added with read and apply GPO enabled.

1. Click Start, point to Programs, point to Administrative Tools, and then click
Active Directory Users and Computers.
2. Select the location of the GPO.

Note: This may require you to click the + next to your OU to expand it.

3. Right-click the selected location and click Properties.
4. Select the Group Policy tab.
5. Click New. A new GPO is created.
6. Enter the name of the new GPO and press Enter.

Note: There is currently no universal naming convention at CSUN for GPOs; however,
as all GPOs are stored in a single folder, GPO names must start with the name of
the first-level OU responsible for it. For example, all GPOs for ITR will start
with “ITR-”. Also, if a User GPO is being developed for use in conjunction with a
Computer GPO, they both should have the same name with “-u” or “-c”
appended to the end of the name.

7. Select the newly created GPO and click on Edit.


8. Using a previously completed Blank GPO Worksheet as a guide, fill in the
appropriate settings.
9. When you are finished, exit the GPO and check the security settings of the GPO
to ensure that they are correct, then click OK.
The new GPO will be applied to all systems from that OU and below either the next
time a user logs on to a system in that OU or at the next system-wide update (within 90
minutes).

Note: The number of User GPOs that are applied to a user affects
the logon processing time, and the number of Computer GPOs applied affects the
boot time. This time can be reduced by disabling the unused half of the GPO.
To do this, right-click the GPO, click Properties, click either Disable Computer
Configuration settings or Disable User Configuration settings, and then click
OK. These options are available on the GPO Properties page, on the General
tab.
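The computer/user GPO pair described above, created and then checked with the GroupPolicy PowerShell module, as an added example that is not part of this guide. It assumes a Windows Server 2008 R2 or later management host with RSAT (the GUI steps above predate that module); the OU, group and GPO names are placeholders.

```powershell
# Added example, not from the CSUN guide: builds the "-c" / "-u" GPO pair and
# verifies that the user GPO is filtered to one group rather than to every
# authenticated user. Names below are placeholders for illustration.
Import-Module GroupPolicy

$prefix     = 'ITR-Lab'                                  # first-level OU prefix
$computerOU = 'OU=Lab Computers,OU=ITR,DC=csun,DC=edu'   # placeholder DN
$userGroup  = 'ITR-LabUsers'                             # placeholder group

# Computer GPO: linked to the computer OU, not enforced (overridable), with the
# unused user half disabled to shorten logon processing.
$c = New-GPO -Name "$prefix-c" -Comment 'Computer settings for the ITR lab'
New-GPLink -Guid $c.Id -Target $computerOU -LinkEnabled Yes -Enforced No | Out-Null
$c.GpoStatus = 'UserSettingsDisabled'

# User GPO: created here but linked under OU=Auth or the root by an Enterprise
# Administrator, so it must not be readable/applicable by Authenticated Users.
$u = New-GPO -Name "$prefix-u" -Comment 'User settings for the ITR lab'
$u.GpoStatus = 'ComputerSettingsDisabled'
Set-GPPermission -Guid $u.Id -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel None -Replace | Out-Null
Set-GPPermission -Guid $u.Id -TargetName $userGroup -TargetType Group `
    -PermissionLevel GpoApply | Out-Null
# Caveat beyond the guide's era: since MS16-072 (2016) user policy is retrieved
# in the computer's security context, so Domain Computers needs Read once
# Authenticated Users has been removed.
Set-GPPermission -Guid $u.Id -TargetName 'Domain Computers' -TargetType Group `
    -PermissionLevel GpoRead | Out-Null

# Check: who can apply the GPO, and whether Authenticated Users is still among
# them (a root-linked user GPO in that state would reach the whole forest).
function Test-UserGpoFiltering {
    param([Parameter(Mandatory)][string]$Name)
    $apply = Get-GPPermission -Name $Name -All |
        Where-Object { $_.Permission -eq 'GpoApply' }
    [pscustomobject]@{
        Gpo            = $Name
        AppliesTo      = @($apply | ForEach-Object { $_.Trustee.Name })
        OpenToAllUsers = [bool]($apply |
            Where-Object { $_.Trustee.Name -eq 'Authenticated Users' })
    }
}
Test-UserGpoFiltering -Name "$prefix-u"
```

Run the check against every "-u" GPO before submitting it to an Enterprise Administrator; OpenToAllUsers must be False.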

Edit a Group Policy Object


Occasionally, a policy will need to be updated or changed. To do this:
1. Click Start, point to Programs, point to Administrative Tools, and then click
Active Directory Users and Computers.
2. Select the location of the GPO.

Note: This may require you to click the + next to your OU to expand it.

Note: If a previously implemented User GPO needs editing, it must be done by an
Enterprise Administrator.

3. Right-click the selected location and click Properties.
4. Select the Group Policy tab.
5. Select the GPO that needs changing and click on Edit.
6. Expand the appropriate section(s).
7. Find the setting that needs updating and double click it.
8. Make the appropriate corrections and press enter.

Note: Changing a setting from either Enabled or Disabled to “Not Defined” will not
delete the local setting. Once defined, the best way to change a setting is to
select the opposite setting from the original (Enabled changes to Disabled and
vice versa).

9. When you are finished, exit the GPO editor; changes are saved automatically.
The new GPO will be applied to all systems from that OU and below either the
next time a user logs on to a system in that OU or at the next system-wide update
(within 90 minutes).

Use an ADM file to create a GPO


It is possible to implement Registry-Based Group Policies. These policies allow the local
administrator to define and implement registry settings that further control the state of the
computers and users via a GPO. While explaining how to write an .adm file is beyond
the scope of this document, a good reference on how to write an .adm file can be found at
http://www.microsoft.com/technet/prodtechnol/windows2000serv/deploy/confeat/regappgp.asp

Note: Two .adm files are provided for use or as examples. The first sets the local
computer up to point to the Software Update Service (SUS) server. This SUS
server can either be local to the OU or the one provided and maintained by the
ITR. The purpose of the SUS server is to reduce bandwidth usage and provide
local systems with an unassisted ability to receive and install critical updates
automatically at a given time and on a given day. The second .adm file provides
the local administrator the ability to limit the user’s ability to do specific things.
This .adm file is useful in a computer laboratory setting where limits need to be
in place.

Once an .adm file is created it needs to be integrated into a GPO (both for testing and for
implementation). The integration is accomplished as follows (assuming the GPO exists):

1. Click Start, point to Programs, point to Administrative Tools, and then click
Active Directory Users and Computers.
2. Select the location of the GPO.

Note: This may require you to click the + next to your OU to expand it.

3. Right-click the selected location and click Properties.
4. Select the Group Policy tab.
5. Select the GPO that needs changing and click Edit.
6. Under either Computer Settings OR User Settings, right-click Administrative
Templates.
7. On the context menu that appears, click Add/Remove Templates.
8. A new dialog box will appear that will allow you to add or remove .adm
templates. Click Add.
9. Enter the filename of the .adm file that you would like to add.
10. Click Open.

11. If your .adm file was successfully loaded, you will be returned to the dialog that
you saw in Step 8. In this case click on Close. Your policy template has been
added successfully. Skip all the steps below.
12. If your .adm file was not successfully loaded, you will be presented with a dialog
displaying the errors that occurred during the loading of .adm.
13. At this point, make a note of the errors that were found. Click on OK.
14. You will be returned to the dialog that you saw during Step 8. Although your .adm
file was not successfully loaded, it will still appear in the list of .adm files loaded.
15. Select your .adm file, and click on Remove.
16. Click on Close.
17. You are now back to the Group Policy snap-in. At this point, edit your .adm file
and correct any problems. Then repeat this process again starting from Step 6, to
try to load your .adm template again.

Publishing a Shared Folder


Any shared network folder, including a Distributed File System (DFS) folder, can be
published in Active Directory. Creating a Shared Folder object in the directory does not
automatically share the folder. This is a two-step process: you must first share the folder,
and then publish it in Active Directory. To share a folder called Engineering Specs and
publish it from the ITR\Network Engineering & Operations OU:
1. Use Windows Explorer to create a new folder called Engineering Specs on one
of your disk volumes.
2. In Windows Explorer, right-click the folder name, and then click Properties.
Click Sharing, and then click Share this folder.
3. In the Share name box, type ES and click OK. By default, Everyone has
permissions to this shared folder. If you want, you can change the default by
clicking the Permissions button.
4. Populate the folder with files, such as documents, spreadsheets, or presentations.

To publish the shared folder in the directory

1. In the Active Directory Users and Computers snap-in, right-click the
ITR\Network Engineering & Operations OU, point to New, and click Shared
Folder.
2. In the Name box, type Engineering Specs.
3. In the Network path box, type the path to the system where the
folder resides, for example \\130.166.250.255\ES or \\daxps.csun.edu\ES, and
click OK.
4. The ITR\Network Engineering & Operations organizational unit appears as
shown in Figure 13 below.
5. Users can now see this volume while browsing in the directory.

Figure 13 Network Engineering & Operations OU contents showing a shared folder
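The two-step share-then-publish procedure above, followed by a check that every published folder in the OU still resolves, as an added PowerShell example that is not part of this guide. It assumes a Windows Server 2012 or later host with the SmbShare and ActiveDirectory modules; the folder path, share name, group and OU distinguished name are placeholders.

```powershell
# Added example, not from the CSUN guide. Shares a folder with an explicit group
# instead of the default Everyone, publishes it as the AD object class a Shared
# Folder really is ('volume', with the path in uNCName), then lists published
# folders whose path no longer exists. All names are placeholders.
Import-Module ActiveDirectory

$folder = 'D:\Shares\Engineering Specs'                                 # placeholder
$share  = 'ES'
$group  = 'CSUN\ITR-NetEng'                                             # placeholder
$ou     = 'OU=Network Engineering & Operations,OU=ITR,DC=csun,DC=edu'   # placeholder
$server = "$env:COMPUTERNAME.csun.edu"                                  # constructed

# Step 1: share the folder. Sharing alone does not publish it.
New-Item -ItemType Directory -Path $folder -Force | Out-Null
New-SmbShare -Name $share -Path $folder -ChangeAccess $group | Out-Null

# Step 2: publish it. This is what the New > Shared Folder dialog creates.
New-ADObject -Name 'Engineering Specs' -Type volume -Path $ou `
    -OtherAttributes @{ uNCName = "\\$server\$share" }

# Check: a published folder whose UNC path no longer answers is a stale
# directory entry that still advertises a share name to every browsing user.
function Get-StalePublishedFolder {
    param([Parameter(Mandatory)][string]$SearchBase)
    Get-ADObject -Filter 'objectClass -eq "volume"' -SearchBase $SearchBase `
        -Properties uNCName |
        Where-Object { -not (Test-Path -LiteralPath $_.uNCName) } |
        Select-Object Name, uNCName, DistinguishedName
}
Get-StalePublishedFolder -SearchBase $ou
```

Publish the share under the server's DNS name rather than its IP address so that clients authenticate to it with Kerberos instead of falling back to NTLM.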

To browse the directory


1. Double-click My Network Places on the desktop.
2. Double-click Entire Network, and then click Entire contents of the network.
3. Double-click the Directory.
4. Double-click the domain name, csun, and then double-click the name of the OU
(e.g. ITR\Network Engineering & Operations). To view the files in the
volume, either right-click the Engineering Specs volume and click Open, or
double-click Engineering Specs.

Publishing a Printer
This section describes the processes for publishing printers in a Windows 2000 Active
Directory-based network.

Windows 2000 Printers

You can publish a printer shared by a computer running Windows 2000 by using the
Sharing tab of the printer Properties dialog box. By default, Listed in the directory is
enabled. The directory is the Active Directory data store. (This means that Windows
2000 Server publishes the shared printer by default.) The print subsystem will
automatically propagate changes made to the printer attributes (location, description,
loaded paper, and so forth) to the directory.

Note: For this section of this guide, you must have a printer available and know its IP
address. If you do not have an IP printer, you can still run through these
procedures, substituting the correct port for Standard TCP/IP Port.

To add a new printer


1. Click Start, point to Settings, click Printers, and then double-click Add
Printer. The Add Printer Wizard appears. Click Next.
2. Click Local Printer, clear the Automatically detect and install my Plug
and Play printer checkbox, and click Next.
3. Click the Create a new port option, then scroll to Standard TCP/IP Port,
and click Next.
4. The Add Standard TCP/IP Printer Port Wizard appears. Click Next.
5. On the Add Port page, type the IP address of the printer in the Printer Name
or IP Address box, type the port name in the Port name box, and click Next.
Click Finish.
6. Select your printer's manufacturer and model in the Printers list box, and then
click Next.
7. In the Printer name text box, type the name of your printer.
8. On the Printer Sharing page, type a name for the shared printer. Choose a
name no more than eight characters long so computers running earlier
versions of the operating system display it correctly.
9. Type in the Location and Comment in those text boxes.
10. Print a test page. Click Finish.

After you create the printer, the printer is automatically published in Active Directory
and the Listed in the Directory check box is selected.

You might also need to find the server from which a printer is shared out before
adding it to the machine you are working on.

To locate a printer
1. Click Start, point to Settings, and then click on Printers.
2. Double-click the Add Printer icon.
3. In the Add Printer Wizard dialog box, click the Next button.
4. Select the Network printer button, and then click Next.
5. Select the Find a printer in the Directory button, and then click Next.

6. The Find Printers dialog box displays. If you know which domain your
printer resides in, click the Browse button and choose that domain to narrow
your search. Then, on the Printer tab, add the printer Name, Location, or
Model to those text boxes, and click the Find Now button.

Note: If you do not know the name, location, or model of the printer, you can simply
click the Find Now button, and all the printers in the domain you selected will be
listed in the list box.

Adding Non-Windows 2000 Printers


You can publish printers shared by operating systems other than Windows 2000 in the
directory. The simplest way to do this is to use the pubprn script. This script will
publish all the shared printers on a given server. It is located in the \winnt\system32
directory.

To publish a printer shared from a non-Windows 2000 server using the pubprn.vbs
script

1. Click Start, click Run, and type cmd in the text box. Click OK.
2. Type cd \winnt\system32 and press Enter.
3. Type cscript pubprn.vbs <server name> "LDAP://ou=ecs,dc=csun,dc=edu", where
<server name> is the name of the server sharing the printers and the LDAP path
(in this example the ecs OU) is the container to publish into, and press Enter.
This publishes the printers to the specified OU.

This script copies only the following subset of the printer attributes:

Location
Model
Comment
UNCPath

You can add other attributes by using the Active Directory Users and Computers
snap-in.

Note: You can rerun pubprn and it will update rather than overwrite existing printers.

Alternatively, you can use the Active Directory Users and Computers snap-in to
publish printers on non-Windows 2000 servers.

To use the Active Directory Users and Computers snap-in to publish printers

Right-click the Marketing organizational unit, click New, and click Printer.
The New Object-Printer dialog box pops up. In the text box, type the path to the
printer, such as \\server\share name. Click OK.

End users can realize the benefit of printers being published in the directory because
they can browse for printers, submit jobs to those printers, and install the printer
drivers directly from the server.

To browse and use printers in the directory


On the Desktop, click Start, click Search, and click For Printers.
In the Find Printers dialog, select the subdirectory in which you would like to search
for printers. Then type information into the Name, Location, or Model text
boxes. Click the Find Now button to get a list of published printers.

Renaming, Moving, and Deleting Objects


Every object in the directory can be renamed and deleted, and most objects can be
moved to different containers provided you have the appropriate authorizations
and permissions.
To move an object, right-click the object, and then click Move.
Click Browse. The Directory Browser will appear, enabling you to select the
destination container for the object that you are moving.

Figure 14 List of available OUs

Folder Redirection
The Folder Redirection extension to Group Policy is used to redirect such user-specific
folders as My Documents from the client to a server, facilitating administrative
management of user data.

Let the system create folders for each user
To ensure that folder redirection works as well as possible, create only the root share on
the server, and let the system create the folders for each user. For the best experience, set
the share permissions to Full Control for the security groups you are redirecting, and set
the NTFS permissions for Everyone to Full Control, this folder, subfolders and files. If
you must create folders for the users, ensure that you have the correct permissions set.
The tables below show the default and minimum permissions required for folder
redirection.

User Account        | Folder Redirection Defaults                      | Minimum permissions needed
Creator/Owner       | Full Control, this folder, subfolders and files | Full Control, this folder, subfolders and files
Local Administrator | Full Control, this folder, subfolders and files | Full Control, this folder, subfolders and files
Everyone            | Full Control, this folder, subfolders and files | List Folder/Read Data, Create Files/Write Data, Create Folders/Append Data - this folder only
Local System        | Full Control, this folder, subfolders and files | Full Control, this folder, subfolders and files
NTFS permissions required for the root folder

User Account        | Folder Redirection Defaults | Minimum permissions needed
Everyone            | Full Control                | Use a security group that matches the users who will need to put data on the share
Share level (SMB) permissions required for the root folder

User Account        | Folder Redirection Defaults                                                  | Minimum permissions needed
%username%          | Full Control, owner of folder                                                | Full Control, owner of folder
Local System        | Full Control                                                                 | Full Control
Everyone            | Traverse Folder, Read Attributes, Read Extended Attributes and Read Permissions | No permissions
NTFS permissions required for each user's redirected folder
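The root share from the tables above, built with the minimum permissions rather than the Full Control defaults so that the system creates each user's folder, as an added PowerShell example that is not part of this guide. It assumes a Windows Server 2012 or later file server (SmbShare module); the root path, share name and security group are placeholders, and the closing comment shows the %username% form of the redirection path recommended further down.

```powershell
# Added example, not from the CSUN guide: applies the "Minimum permissions
# needed" column for the root folder and shares it to one security group with
# document caching enabled. Path, share and group names are placeholders.
Add-Type -AssemblyName System.Security

$root  = 'D:\Redirected'                 # placeholder root folder
$share = 'Redirected$'                   # hidden share name
$group = 'CSUN\ITR-RedirectedUsers'      # placeholder security group

New-Item -ItemType Directory -Path $root -Force | Out-Null

# Start from an empty, non-inheriting DACL so nothing leaks in from the volume.
$acl = Get-Acl -LiteralPath $root
$acl.SetAccessRuleProtection($true, $false)
$acl.Access | Where-Object { -not $_.IsInherited } |
    ForEach-Object { [void]$acl.RemoveAccessRule($_) }

function New-Ace {
    param(
        [string]$Identity,
        [System.Security.AccessControl.FileSystemRights]$Rights,
        [System.Security.AccessControl.InheritanceFlags]$Inherit
    )
    New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity, $Rights, $Inherit,
        [System.Security.AccessControl.PropagationFlags]::None, 'Allow')
}
$subtree = 'ContainerInherit, ObjectInherit'   # "this folder, subfolders and files"
$here    = 'None'                              # "this folder only"

$acl.AddAccessRule((New-Ace 'CREATOR OWNER'          'FullControl' $subtree))
$acl.AddAccessRule((New-Ace 'BUILTIN\Administrators' 'FullControl' $subtree))
$acl.AddAccessRule((New-Ace 'NT AUTHORITY\SYSTEM'    'FullControl' $subtree))
# Everyone gets just enough to list the root and create their own folder; the
# CREATOR OWNER entry then makes each user full owner of what they created.
$acl.AddAccessRule((New-Ace 'Everyone' 'ListDirectory, CreateFiles, CreateDirectories' $here))
Set-Acl -LiteralPath $root -AclObject $acl

# Share permission: the redirected group, not Everyone. CachingMode Documents
# matches the "Autocaching for Documents" recommendation for My Documents.
New-SmbShare -Name $share -Path $root -FullAccess $group -CachingMode Documents | Out-Null

# In the Folder Redirection policy, point My Documents at
#   \\<server>\Redirected$\%username%\My Documents
# so the system creates the per-user folder under the root prepared above.
```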

Use offline folder settings on the server share where the user's info is stored

This is especially important for users with laptops. Redirected folders of any type should
be coupled with offline files. The recommended configuration for offline files to use is:

• MyDocs: Autocaching for Documents or Manual Caching for
documents (if you want users to have to "pin" files)
• AppData: Autocaching for Programs
• Desktop: Autocaching for Programs if the desktop is read-only
• StartMenu: Autocaching for Programs

• Incorporate %username% into fully qualified universal naming convention (UNC)
paths. This allows the system to easily create folders for users based on their
username.
o For example, \\server\share\%username%\My Documents
• Have My Pictures follow My Documents
o This is advisable unless there is a compelling reason not to, such as file
share scalability.

Policy removal considerations


Keep in mind the behavior your folder redirection policies will have upon policy
removal. The Folder Redirection section of the online help gives details.
• Accept defaults. In general, accept the default folder redirection settings.
• Don't store roaming profiles on the same server as redirected folders that are
enabled for offline use.
o When a share is unavailable, offline folders considers the whole server to be
unavailable until the offline cache is manually synchronized. Roaming
profiles will not be synchronized with the server while offline folders
considers the server to be unavailable.
o If you are using offline folders in conjunction with folder redirection and
roaming user profiles, you should ensure that the folder redirection share and
the profiles share are located on different servers.

Offline Folders Tips and Tricks

• Do not put the server share in a Distributed File System (DFS) tree.
o Using offline folders located in a Distributed File System (DFS) tree is not
supported. If you do put shares configured for offline use in a DFS tree,
unexpected behavior, such as Access Denied errors, may occur when moving
from an offline to online state.
• Not all types of files can be synchronized.
o By default, .mdb and .pst files are not synchronized as they have other
mechanisms of synchronizing.
• Don't store roaming profiles on the same server as redirected folders that are
enabled for offline use.
o See Folder Redirection Tips and Tricks for details.
• Leaving certain kinds of documents open can prevent entering standby mode.
o When using offline folders, the original versions of Microsoft Word 2000 and
Excel 2000 prevent the computer from going into standby mode when a
document or spreadsheet is open. This is fixed in Office 2000 SR1.

User profiles overview


On computers running Windows 2000 and above operating systems, user profiles
automatically create and maintain the desktop

Advantages of using user profiles


User profiles provide several advantages:
• More than one user can use the same computer. When users log on to their
individual workstations, they receive the desktop settings as they existed when
they logged off.
• Customization of the desktop environment made by one user does not affect
another user's settings.
• User profiles can be stored on a server so that they can follow users to any
computer running a Microsoft Windows NT or later operating system on the
network. These are called roaming user profiles.
• As an administrative tool, user profiles provide these options:
o You can create a default user profile that is appropriate for the user's tasks.
o You can set up a mandatory user profile that does not save changes made by the
user to the desktop settings. Users can modify the desktop settings of the
computer while they are logged on, but none of these changes are saved when
they log off. The mandatory profile settings are downloaded to the local computer
each time the user logs on. For more information on mandatory profiles, see
http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/sag_UP_Create_Mandatory_Profile.asp.
o You can specify the default user settings that will be included in all of the
individual user profiles.

User profile types


A user profile defines customized desktop environments, which include individual
display settings, network and printer connections, and other specified settings. You or
your system administrator can define your desktop environment.
Types of user profiles include:
• Local user profile--A local user profile is created the first time you log on to a
computer and is stored on a computer's local hard disk. Any changes made to your
local user profile are specific to the computer on which you made the changes.
• Roaming user profile--A roaming user profile is created by the system
administrator and is stored on a server. This profile is available every time you log
on to any computer on the network. Changes made to your roaming user profile
are updated on the server.

Note: CSUN Active Directory does not actively support the use of roaming profiles.
References to roaming profiles are for informational purposes only.

• Mandatory user profile--A mandatory user profile is a roaming profile that can be
used to specify particular settings for individuals or an entire group of users. Only
system administrators can make changes to mandatory user profiles.
• Temporary user profile--A temporary profile is issued any time that an error
condition prevents the user's profile from being loaded. Temporary profiles are
deleted at the end of each session. Changes made by the user to their desktop
settings and files are lost when the user logs off.

Contents of a user profile


Every user profile begins as a copy of Default User, which is a default user profile stored
on each computer running a Windows operating system. The NTuser.dat file within
Default User contains Windows configuration settings. Every user profile also uses the
common program groups contained in the All Users folder.

The user profile folders contain various items including the desktop and Start menu. The
following table lists and describes the contents of each user profile folder.

User profile folder | Contents
Application Data    | Program-specific data (for example, a custom dictionary). Program vendors decide what data to store in this user profile folder.
Cookies             | User information and preferences.
Desktop             | Desktop items, including files, shortcuts, and folders.
Favorites           | Shortcuts to favorite locations on the Internet.
Local Settings      | Application data, history, and temporary files. Application data roams with the user by way of roaming user profiles.
My Documents        | User documents and subfolders.
My Recent Documents | Shortcuts to the most recently used documents and accessed folders.
NetHood             | Shortcuts to My Network Places items.
PrintHood           | Shortcuts to printer folder items.
SendTo              | Shortcuts to document-handling utilities.
Start Menu          | Shortcuts to program items.
Templates           | User template items.

NTuser.dat file
The NTuser.dat file is the registry portion of the user profile. When a user logs off of the
computer, the system unloads the user-specific section of the registry (that is,
HKEY_CURRENT_USER) into NTuser.dat and updates it. For more information about
the registry, see
http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/sag_ntregconcepts_mply.asp.

All Users folder


Although they are not copied to user profile folders, the settings in the All Users folder
are used to create the individual user profiles. The Windows operating system supports
two program group types:
• Common program groups are always available on a computer, no matter who is
logged on.
• Personal program groups are private to the user who creates them.
Common program groups are stored in the All Users folder under the Documents and
Settings folder. The All Users folder also contains per-computer settings for the Desktop
and the Start menu.

Note: The My Documents, My Pictures, Favorites, Start Menu, and Desktop folders are
the only folders displayed in Windows Explorer by default. The NetHood,
PrintHood, Local Settings, Recent, and Templates folders are hidden and do not
appear in Windows Explorer. To view these folders and their contents in
Windows Explorer, on the Tools menu, point to Folder options, click the View
tab, and then click Show hidden files and folders.

Note: On computers running Windows operating systems with the NTFS file system,
only members of the Administrators group can create, delete, or modify the
common program groups.

To copy a user profile

• Open System in Control Panel.
• On the Advanced tab, under User Profiles, click Settings.
• Under Profiles stored on this computer, click the user profile you want to copy, and
then click Copy To.
• Do one or more of the following:
1. To specify where the new profile will be saved:
o In Copy profile to, type the location for the new profile, or click
Browse to select the path.
2. To specify who is permitted to use the copied profile:
o In Permitted to use, click Change.
o In the Select User or Group dialog box, in Enter the object
name to select, add the user, group, or built-in security
principal, or click Object Types to select an object type.
o To specify a domain to search, in the Select User or Group
dialog box, click Locations, and then select the domain.
o To further narrow your search, in the Select User or Group
dialog box, click Advanced.
o Click OK.

Note: To perform this procedure, you must be a member of the Administrators group
on the local computer, or you must have been delegated the appropriate
authority. If the computer is joined to a domain, members of the Domain Admins
group might be able to perform this procedure. As a security best practice,
consider using Run as to perform this procedure.

Note: To open System, click Start, click Control Panel, click Performance and
Maintenance, and then click System.


Note: To open System from a command line as an administrator, type:

runas /user:computername\Administrator "rundll32.exe shell32.dll,Control_RunDLL sysdm.cpl"

Note: You cannot copy or delete a user profile that belongs to the currently logged on
user or any user whose profile is in use.


Note: If you copy the profile to a new location, you must update the User Profile Path
entry for the user's account to refer to this new location as well.

Note: You cannot use Windows Explorer or any other file management utility to copy
user profiles.

To create a preconfigured user profile


1. Create a new user account that will be used as a template for the
preconfigured user profile. For more information, see Create a new user account in
the Step-by-Step Guide to Managing the Active Directory.
2. Log on as the new user, then customize the desktop and install
applications to configure this user's profile for the user profile template.
3. Log off, and then log on as the administrator.
4. Open System in Control Panel.
5. On the Advanced tab, under User Profiles, click Settings.
6. Under Profiles stored on this computer, select the user that you created
in step 1, and click Copy To.
 If you want a domain-wide default profile, enter the path to
NETLOGON\Default User on the domain controller. This creates the default
user profile for the domain.
 If you want to change the default profile for the local computer
only, copy the profile to the systemroot\Documents and Settings\Default User
folder.
7. In the Copy To dialog box, under Permitted to use, click Change.
8. In the Select User or Group dialog box, in Enter the object name to
select, type Everyone. This sets the profile as the default for everyone in this
domain.

Caution: If you are using a roaming profile and install a program on one computer
while simultaneously logged on to another computer, you might overwrite
crucial program-related registry settings stored in your roaming profile, thus
preventing you from running those programs.

For example: You are logged on to computer A and computer B. You install a
program on computer B and then log off computer B. Computer B stores the
shortcuts for the application, and the registry is saved to your roaming profile.
Computer A does not get updated profile information until you log off and log
on again.

When you log off from computer A, however, the computer writes to the
registry stored in the roaming profile (which now includes the Microsoft
Windows Installer (MSI) registration for the program you installed on
computer B) with the stale registry information from computer A. The
program shortcuts remain in your roaming profile but the Windows Installer
data stored in the registry settings is lost, preventing you from running the
programs.

You can repair your roaming profile by repairing or reinstalling the program
on computer B or by installing the program on computer A.


Note: The first time a user logs on, a copy of the preconfigured user profile is
returned from the server instead of a copy of the default profile on the local
computer. Thereafter, the user profile functions the same as a standard
roaming user profile does. Each time the user logs off, the user profile is
saved locally and is also copied to the server.

Note: The Windows operating system does not support the use of encrypted files
within the roaming user profiles.

Note: Roaming user profiles used with Terminal Services clients are not replicated
to the server until the interactive user logs off and the interactive session is
closed.

User Profiles and Roaming User Profiles Tips and Tricks


Profiles are basic to the system and they were part of Windows NT 4.0. Generally,
they work and are configured in Windows 2000 as they did in Windows NT 4.0.
When the user object is enabled with roaming user profiles, it is considered part
of the IntelliMirror feature set.

• If your users roam between Windows NT 4.0 clients and Windows 2000 clients,
  set the profile path during installation on Windows 2000.
  o For more info: Q224012 Using User Profiles with Both Windows 2000
    and Windows NT 4.0
    <http://support.microsoft.com/support/kb/articles/Q224/0/12.ASP>
• Redirect the location of the My Documents folder outside of the user's roaming
  profile.
  o The best way is with folder redirection. If you do not have Active
    Directory enabled, you can do this with a logon script or instruct the user
    to do so.
• Do not use Encrypting File System (EFS) with roaming user profiles, offline
  folders, or File Replication Service (FRS).
  o EFS is not compatible with roaming user profiles, offline folders, or FRS.
• Don't set disk quotas too low for users with roaming profiles.
  o If a user's disk quotas are set too low, roaming profile synchronization
    may fail. Make sure enough disk space is allocated to allow the system to
    create a temporary duplicate copy of a user's profile. The temporary
    profile is created in the user's context as part of the synchronization
    process, so it debits his or her quota.
• Do not use offline folders on roaming profile shares.
  o Make sure that you turn off offline files for shares where roaming user
    profiles are stored. If you do not turn off offline folders for a user's
    profile, you may experience synchronization problems as both offline
    folders and roaming profiles try to synchronize the files in a user's profile.

Note: This does not affect using offline folders with redirected My Documents etc.

• Don't store roaming profiles on the same server as redirected folders that are
  enabled for offline use.
  o See Folder Redirection Tips and Tricks for details.
• If roaming profiles are stored on a Windows NT 4.0 share, ensure that users are
  given "Full Control" share permissions.

  o If you are using Windows 2000 Professional in a Windows NT 4.0
    domain, and the server hosting the profile share is a Windows NT 4.0
    computer, make sure that users are given Full Control share permissions.
    Not having the share permissions set to Full Control will result in profiles
    not synchronizing. The event log will contain errors such as:

    Event Type: Error
    Event Source: Userenv
    Event Category: None
    Event ID: 1000
    Description: Windows cannot unload your registry file. If you have
    a roaming profile, your settings are not replicated.
    Contact your administrator.
    Detail - Access is denied.

This problem occurs because the Change share permission does not allow WRITE_DAC access,
so the system cannot copy ACLs. Windows 2000 copies roaming profile ACLs,
whereas Windows NT 4.0 does not.
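As an added check that is not part of this guide, the following PowerShell reads the share-level DACL of a profile share through WMI and flags any allow entry whose access mask lacks WRITE_DAC, which is exactly what the Change share permission omits. The share name Profiles$ is an assumed placeholder; run it on the server that hosts the share.

```powershell
# Added example, not from the guide: audit the share-level permissions of a
# roaming profile share for WRITE_DAC. Profile synchronization copies ACLs,
# which needs WRITE_DAC (0x00040000). The "Change" share permission mask
# (0x001301BF) does not contain that bit; "Full Control" (0x001F01FF) does.
# Assumes the share is named Profiles$ (placeholder) and the script runs locally.
$ShareName = 'Profiles$'
$WRITE_DAC = 0x00040000
$ACCESS_ALLOWED_ACE_TYPE = 0

$setting = Get-WmiObject -Class Win32_LogicalShareSecuritySetting `
                         -Filter "Name='$ShareName'"
if (-not $setting) { throw "Share '$ShareName' not found on this server." }

$result = $setting.GetSecurityDescriptor()
if ($result.ReturnValue -ne 0) {
    throw "GetSecurityDescriptor failed with code $($result.ReturnValue)."
}

foreach ($ace in $result.Descriptor.DACL) {
    $trustee = '{0}\{1}' -f $ace.Trustee.Domain, $ace.Trustee.Name
    $isAllow = ($ace.AceType -eq $ACCESS_ALLOWED_ACE_TYPE)
    $hasDac  = (($ace.AccessMask -band $WRITE_DAC) -ne 0)

    # An allow ACE without WRITE_DAC is the Change-level configuration that
    # produces the Userenv event 1000 "Access is denied" described above.
    $verdict = if ($isAllow -and -not $hasDac) {
        'Lacks WRITE_DAC: profile ACL copy will fail'
    } else {
        'OK'
    }

    [pscustomobject]@{
        Trustee    = $trustee
        Type       = if ($isAllow) { 'Allow' } else { 'Deny' }
        AccessMask = ('0x{0:X8}' -f $ace.AccessMask)
        WriteDac   = $hasDac
        Verdict    = $verdict
    }
}
```

Deny entries are reported but not judged, since a deny of WRITE_DAC to a group that profile users belong to is a separate problem this script does not resolve.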


Attachments:

Creating a Local User Account


The following procedure creates the user account James Smith in the /ITR/Network
Engineering & Operations OU.

Note: This procedure is provided for informational purposes only. Active Directory is
populated with a list of authorized users (contained in OU = Auth/People). This list
is a mirror of the list maintained at the Enterprise level. This procedure would be
followed for a specialized user (e.g. if a local daemon requires a local logon,
though this practice is strongly discouraged). Only Enterprise Administrators
are authorized to create local accounts. If you need a local user account please
contact the Enterprise Administrator. Local user accounts not created by an
Enterprise Administrator will be deleted whenever found.

To create a new local user account


1. Right-click the /ITR/Network Engineering & Operations organizational unit,
point to New, and then click User, or click New User on the snap-in toolbar.
2. Type user information as in Figure 15 below:

Figure 15 New User dialog


Note: The Full name is automatically filled in after you enter the First and Last names.


3. Click Next to proceed.
4. Type a password in both the Password and Confirm password boxes and click
Next.
5. Accept the confirmation in the next dialog box by clicking Finish.

You have now created an account for James Smith in the /ITR/Network Engineering
& Operations OU. To add additional information about this user:

6. Select /ITR/Network Engineering & Operations in the left pane, right-click
James Smith in the right pane, and then click Properties.
7. Add more information about the user in the Properties dialog box on the General
tab as shown in Figure 13 below, and click OK. These additional entries are
optional; click each tab you want to fill in.

Figure 16 Additional User Information
