Locking Down Workstations

[keithv]

I've been put in charge of a network with a DC running Windows 2003 with Windows XP workstations. I'd like to have it set up that users will not be able to save any data to the workstations and only to their network folder. Any help will be greatly appreciated.

[Marvin Miller]

Hi Keith;

You enforce network-wide policies like that through Group Policy. I'm using Windows 2000 AdvSrvr so here's how I get there (2003 might be different/easier)

On the Domain Controller, fire up Active Directory Users and Computers and then right click your domain, choose properties and then Group Policy Tab and then edit the Default Domain Policy (or another existing one if that's what you're using on your network).

That will get you into the area you need to be in to implement domain-wide policies. Take a good look through there and you'll see that there are many, many pre-made policies that you can use/define :)

To get to your specific question - personally I don't know the answer as I've never needed/wanted to do this. However, it looks like you can hide the local drives which may force them to save the data to their network drive.

It sounds to me like what you want to do is folder redirection so that all data saved on the local machine actually goes to their network share. If that makes sense then check out this Profile and Folder Redirection In Windows Server 2003 article because I think it's pretty much going to cover exactly what you want to do.

Hopefully, between the two of those links, you'll be on the right path :top: Just be careful because you don't want to bork the network :lol:

[Google]

[keithv]

Thanks for the links :)

I need to enable roaming profiles in order for folder redirection to work?

[Marvin Miller]

I would do it for more reasons then that;

"Right now you might be wondering how something like roaming profiles can make your life easier. Well, there are several situations in which roaming profiles and folder redirections pay off big time.

For example, any decent administrator will instruct their users to save their data on a network drive so that the data gets backed up each night. Inevitably though, some users will save data to the local hard drive. If that hard drive happens to crash, then the user will lose all of their data and will be upset because you didn’t back it up. One of the techniques that I will show you will redirect the user’s My Documents folder to a network share.

Another example of how roaming profiles and folder redirections can make your life easier involves a situation in which the user gets a new PC. Normally, you would have to manually move all of the user’s documents and settings from the old PC to the new one. You would have to be careful not to leave anything behind to avoid upsetting the user and to accidentally exposing the user’s files to whoever inherits the user’s old PC. With roaming profiles though, each user’s files and settings follow them from PC to PC, so there is no need to move anything.

Another situation in which roaming profiles and folder redirections come in handy is when a user’s workstation crashes. Management can easily have the user whose computer crashed use someone else’s PC for the day and all of the user’s normal files and settings will be there. This frees up your time so that you can focus on resurrecting the dead computer.

I could go on and on with more examples of how roaming profiles and folder redirections can improve the quality of your life, but I think you probably get the idea. "

That's what I would do because the benefits are far more then just achieving your original goal. :top:

[keithv]

Is there a quick and painless way to do this for all users or is it going through one by one?

[Marvin Miller]

How many user accounts do you have?

[keithv]

I have ~75 users that will need redirection.

[Marvin Miller]

You know what I would do? I'd do pilot project first.

Move a few active accounts over and then see firsthand if you like the results. This will give you experience with it. It's my understanding that the initial log-on's / log-off's will take longer due to the data replication that occurs.

My point is, there's nothing better then firsthand experience. It might illuminate issues such as the disk speed in the server storing the profiles, disk capacity, network capacity or any other variables that you haven't foreseen.

That's how I would approach it. Pick a small group of accounts, a good cross-section of people who hardly use their systems to power users who load their system up with tons 'o crap ( :D ) and then you'd get a good idea as to how long it takes for their profiles to migrate etc.

You should find that this is the way to fly and that it has many extra benefits. In my mind, it's the way the network/accounts should have been set up from the outset but... it's way smarter for you to get firsthand experience with any change to the network before comitting to it on a permanent basis. Catch my drift?

With respect to 75 users - you can write a script to automate a lot of the process but that's a decision you'd have to make based on your script writing abilities. I have none, BTW :lol:

If it were me, I'd do a small pilot project, measure the results, and then, if it truly fit, I'd roll it out network-wide. In my mind manaully making 75 accounts is not a big thing (you could do 10 a day for a week and not get sick of it). That has the added benefit of being a phased roll out and that's something that's always smart to do. :top:

[keithv]

Thanks for the info. I'm playing with it now. I know I have to make each profile roaming but do I have to redirect each one as well?

[Marvin Miller]

Well, yes. The idea here is that the users profile is stored on a network share, typically in one central location such as the domain controller.

So, when a user logs on, the user's computer gets it's profile from the domain controller over the network. That's why it works from any computer. If a person in accounting logs on to a computer in sales they see their own user profile - the same as if they were sitting at their computer in accounting.

Here's something that may be of help to you;

How to Configure a User Account to Use a Roaming User Profile in a Windows-Based Domain

To configure user accounts in the domain, you can use any Windows NT Server 4.0, Windows 2000 Server, or Windows Server 2003-based computer in the domain or any Windows NT Workstation 4.0, Windows XP Professional, or Windows 2000 Professional-based computer that is running Windows NT Server Administration Tools in the domain. In addition, you must be logged on as either an administrator or as a user that is a member of the Administrators local group or the Account Operators local group in the domain.

To configure a user account to use a roaming user profile:

1. Click Start, point to Programs, point to Administrative Tools (Common), and then click User Manager for Domains or Active Directory Users and Computers for Windows Server 2000 or for Windows Server 2003.
2. Double-click the user account to which you want to assign a roaming profile, and then click Profile.
3. Type the complete path to the shared folder that contains the user's profile in the User Profile Path box, and then click OK.

Use the following format for the user profile path:
\\server_name\shared_folder_name\user_profile_folder_name

For example, if you want to store the user's roaming profile in a folder that has the same name as the user account in a shared folder that is named "Profiles" on a server that is named "Server1," type the following path:
\\Server1\Profiles\%username%

NOTE: Windows NT automatically replaces the %username% variable with the user account name when it creates and accesses the user profile. When you use this variable, you can type the same path for all users.
4. Click OK, and then quit User Manager for Domains or Active Directory Users and Computers.

The next time the user logs on, the user profile folder that you specified in step 3 is created. When the user logs off, the user's profile is copied to the new folder.