Some questions for anyone who has had experience with Windows 2008 Server, Active Domain Directory, Roaming Profiles, and Group Policy Management....

Hi guys,

Don't feel you need to answer all the questions. Any question you can help me with or advice you can give would be much appreciated.

My workplace is planning on moving our employees over to Roaming Profiles at some point (where the profiles are on server and all computers on the network use the profiles there to log in, so it doesn't matter what PC you are on, you have all your things), and tbh we haven't dealt much with it.

My supervisor has been toying with it and researching how to set things up and get it working, and I've been doing the same recently. 

I discovered that by way of Group Policy Management, I can basically set it up to where, when someone logs on to a new computer, their profile will download and it will give them everything they need/want. Their files/folders (Documents, Music, Downloads, Desktop, etc) will all be living on the server. They will never connect to it by way of Wifi or remotely (WAN) and only by Ethernet (LAN), so speed isn't a concern. 

 

One thing to keep in mind: All of our users, except for 3, are on Windows 7 Professional. 2 of those 3 are on Windows XP (due to legacy reasons), and the last one is on an iMac (the boss loves his Macs). All of our Servers and Domain Controllers are Windows 2008 Server Enterprise edition. 

How do I link a Group Policy to a Group?

I have created a Group Policy to test with that has 1 of everything I want to be using (applications, files, folders, database connections, things like that), but I have yet to figure out how to link that to a Group. I have a Group with a Testing account in it. I'm just missing the part where I connect the two so that, when I log into the account, all of the Group Policy settings will take effect and the Profile will be a Roaming one.

What is the easiest way to turn a .exe into a .msi package?

I am very wary of online file format conversion (or package conversion in this case) tools. Too much uncertainty in regards to viruses, malware, spyware, etc. I'll be using the .msi packages, once I make them, to update their programs and give new ones as time goes on. 

For those with experience with this, what advice do you have in how I should set this up?

 

Basically, at first I was making a single policy with everything anyone could ever use and was going to say "Ok, this user gets these things and the rest don't.", like that. Then I realized how much of a pain in the butt that would be to manage, as it took 5 clicks and some typing to give a single user one "thing" (file, folder, drive, application, wtv). Now do that 50 times with 50 items. LOL NO. 

So, then I realized it would be better to have one generic policy (that covered everything everyone would need), and multiple unique policies based on department. Then I could just attach 2 policies to a single group, if that is even possible. I assume it is. 

Not sure if there is a more efficient way. We have around 50 employees in total right now and are going to be expanding in the near future (20 more people roughly), so ease of use is paramount to give us time to do other things. 

Lastly, how can I set a user to be able to write to a file, but not delete it?

Basically, we are going to be using an intranet communication software. It will keep a history of their logs (for obvious reasons), which I want to allow to update, but not be deleted, and a copy to be kept on the server which will update either when the file gets bigger (i.e. more messages have been sent), or a new one is made (i.e. they empty it, which is against our policies, and it starts to fill up again). 

I can't come up with an elegant way to do that. *sigh*

I am very adamant about using Group Policy to make Roaming Profiles (as long as that is the best way). My current method of updating user's ... well ... anything is to set a task in their task scheduler to run a Batch File that lives on a network drive that everyone has access to. This is not optimal at all. It barely gets by.

Very very ghetto. Group Policy is basically the GUI version of what I want (mass updates for everyone, a centralized point where anyone can go to fix things, etc), which is epic. 

Thanks for any help you can offer,
Vitalius

† Christian Member †

For my pertinent links to guides, reviews, and anything similar, go here, and look under the spoiler labeled such. A brief history of Unix and its relation to OS X by Builder.

 

 

To answer your questions.

 

How do I link a GPO to a Group?

 

You can't link a GPO to a group directly. I recommend that you instead place the group within an OU and then link a GPO to the OU.

 

What is the easiest way to turn an executable into an installer package?

 

I've used Advanced Installer in the past.

 

For those with experience with this, what advice do you have in how I should set this up?

 

You can always customize your global domain policy to match the needs of your general user base and then modify it as needed through inheritance, but I think this is a question to which you'll have to come up with your own answer, as it really depends on the company's needs. Do you have multiple groups which require specific permissions? Do some groups need access to resources that others shouldn't have access to?

 

Lastly, how can I set a user to be able to write to a file, but not delete it?

 

NTFS Permissions. (Read & Write)

 

Hopefully, this answers the majority of your questions. I can always provide more details if needed.

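The same steps from PowerShell, as an added example that is not from the thread. It assumes the GroupPolicy and ActiveDirectory modules (they ship with Windows Server 2008 R2; against plain 2008 DCs, run it from a Windows 7 machine with RSAT, which also needs Active Directory Web Services on a DC), and every name in it is made up: domain corp.example, OU Testing, group RoamingTesters, user testuser, share \\FS01\Profiles$. It shows the two halves the answer above points at, linking the GPO to the OU and then filtering it to a group, plus the part the question folds into the GPO: the roaming profile path is normally set on the user account itself.

```powershell
# Added example, not from the thread. Every name is hypothetical: domain
# corp.example, OU "Testing", group "RoamingTesters", user "testuser", and a
# profile share \\FS01\Profiles$. Needs the GroupPolicy + ActiveDirectory modules.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$domainDn = (Get-ADDomain).DistinguishedName       # e.g. DC=corp,DC=example
$ouDn     = "OU=Testing,$domainDn"
$gpoName  = "Roaming Test"
$group    = "RoamingTesters"
$user     = "testuser"

function Test-ADObjectExists([string]$Dn) {
    try { [bool](Get-ADObject -Identity $Dn -ErrorAction Stop) } catch { $false }
}

# OU, group, and the test account moved under the OU. Policy is applied by
# location (which OU the user or computer object sits in), not by group
# membership; the group only matters for the filtering in step 2.
if (-not (Test-ADObjectExists $ouDn)) {
    New-ADOrganizationalUnit -Name "Testing" -Path $domainDn
}
if (-not (Test-ADObjectExists "CN=$group,$ouDn")) {
    New-ADGroup -Name $group -GroupScope Global -Path $ouDn
}
Add-ADGroupMember -Identity $group -Members $user
if ((Get-ADUser -Identity $user).DistinguishedName -notlike "*,$ouDn") {
    Get-ADUser -Identity $user | Move-ADObject -TargetPath $ouDn
}

# 1. Link the GPO to the OU. A GPO cannot be linked to a group.
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $gpoName -Comment "Roaming profile test policy" }
New-GPLink -Name $gpoName -Target $ouDn -LinkEnabled Yes -ErrorAction SilentlyContinue | Out-Null

# 2. Security filtering: only members of the group apply it. Authenticated
#    Users is downgraded from Apply to Read, not removed, because the computer
#    account must still be able to read the GPO for its user settings to be
#    processed at logon.
Set-GPPermission -Name $gpoName -TargetName "Authenticated Users" -TargetType Group `
                 -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name $gpoName -TargetName $group -TargetType Group `
                 -PermissionLevel GpoApply | Out-Null

# 3. Make the account roam. The path is an attribute of the user object; on
#    Windows 7 the server folder becomes testuser.V2. If that folder does not
#    exist yet, the user's current local profile is loaded and copied up at
#    logoff, which is also the migration path for existing local profiles.
Set-ADUser -Identity $user -ProfilePath "\\FS01\Profiles$\$user"

# Check the result.
(Get-GPInheritance -Target $ouDn).GpoLinks | Format-Table DisplayName, Enabled, Enforced -AutoSize
Get-GPPermission -Name $gpoName -All |
    ForEach-Object { "{0,-30} {1}" -f $_.Trustee.Name, $_.Permission }
Get-ADUser -Identity $user -Properties ProfilePath | Select-Object Name, ProfilePath
```

Security filtering is also what makes "two policies on one group" work: link the generic GPO and the department GPO to the same OU (or to parent and child OUs) and filter the department GPO to the department group. On the share side, users need to be able to create their own folder and nothing else; the usual guidance for the share root is List Folder and Create Folders (this folder only) for the users' group and Full Control (subfolders and files only) for CREATOR OWNER. Confirm on a client with gpupdate /force followed by gpresult /r.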


Thank you so much for the help :D

In order:

1.

That's what I figured I would need to do. I just wasn't sure that would work and propagate the various changes accordingly.

One thing though: I made an OU titled "Testing" for my testing needs. I deleted it. I tried to make a new one titled the same thing. It says it already exists. I can't see it, so I'm lost on what to do. I explored all OU's to make sure it wasn't moved to the inside of another one.

 

2. 

Perfect, thanks.

3. 

Yes to both of those questions. I need them to be separate and certain people shouldn't be able to access certain things. 

For example, our "money handling" department (Accounting) and HR are things no one but those people and IT should touch.

4.

That answers the primary question, but the specifics of it I'm still uncertain about. For example, the purpose of that is to keep them from deleting a log of their chat history. If they can write to it, they can just empty it (i.e. delete all lines in it) without actually deleting it. Is there a way to lock that down?

If not, is there a way to make a backup of it intelligently so that it will not overwrite the old log with the new one if the new one is smaller (implying they emptied it)? I would imagine, when the server sees the new log is smaller than the backup, it would make a new backup and stop messing with the old one to show something has changed. 

That's just my idea on it. There may be better ways.

1. When you delete a GPO, that GPO doesn't get completely removed. (There's an intermediate stage similar to what the Recycle Bin is to files.) You should be able to permanently remove the GPO by using the Group Policy Management snap-in and then navigating to the "Group Policy Objects" expandable menu in the left-hand navigation column.

 

2.

 

3. In this case, I suggest you simply create a Generic policy that applies to all groups that you can then fine tune for specific groups.

 

4. You could always make sure the application is run under the system account (essentially turning it into a service). This workaround though depends on whether the application allows users to clear chat log(s) within the application or if they have to navigate to a specific directory to manually delete the log files.

 

You could also configure Shadow Copy to work in this scenario.

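Some checks for the "already exists" error, as an added example rather than anything from the thread; the ActiveDirectory module is assumed, and Testing is the OU name from the post. Active Directory is multi-master, so the first thing to establish is which DC still has the object, and whether it is a live object or a deleted one.

```powershell
# Added example, not from the thread. Assumes the ActiveDirectory module;
# "Testing" is the OU name from the post.
Import-Module ActiveDirectory
$name    = "Testing"
$pattern = "$name*"

# 1. An object created on one DC and deleted on another is visible or not
#    depending on which DC answers, until replication converges. Ask each DC,
#    for every object class: a container or group of the same name in the
#    same parent is enough to trigger "already exists" for a new OU.
foreach ($dc in Get-ADDomainController -Filter *) {
    $hits = @(Get-ADObject -Server $dc.HostName -Filter { Name -eq $name })
    if ($hits.Count -eq 0) {
        "{0,-35} (not present)" -f $dc.HostName
    } else {
        foreach ($h in $hits) { "{0,-35} {1}: {2}" -f $dc.HostName, $h.ObjectClass, $h.DistinguishedName }
    }
}

# 2. Deleted objects are kept (as tombstones, or fully with the AD Recycle Bin)
#    under "Deleted Objects", renamed to "<name>\0ADEL:<guid>", hence the prefix.
Get-ADObject -Filter { isDeleted -eq $true -and Name -like $pattern } `
             -IncludeDeletedObjects -Properties lastKnownParent, whenChanged |
    Select-Object Name, ObjectClass, lastKnownParent, whenChanged

# 3. Replication health, then a push so every DC sees the deletion.
repadmin /replsummary
repadmin /syncall /AdeP

# 4. If a live OU is found and has to go: OUs created in Active Directory Users
#    and Computers on Server 2008 are protected from accidental deletion by
#    default, and that flag has to be cleared before Remove succeeds.
foreach ($ou in @(Get-ADOrganizationalUnit -Filter { Name -eq $name })) {
    Set-ADOrganizationalUnit -Identity $ou -ProtectedFromAccidentalDeletion $false
    Remove-ADOrganizationalUnit -Identity $ou -Recursive -Confirm:$false
}
```

If one DC lists the object and another does not, wait for (or force) replication and retry the creation against a DC that has already seen the deletion; Active Directory Users and Computers lets you pick the DC under Change Domain Controller. If every DC shows a live object that the tree does not display, note its ObjectClass: containers and other non-OU objects only appear with View > Advanced Features turned on.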


1. Not GPOs. Organizational Units. I made an OU named Testing, right clicked it, deleted it, then tried to remake it later, but I get the error that there is already one named that. I can't find it in that left hand pane though. I expanded everything. 

I get the difference between linking a Policy to an OU and that deleting the link does not mean deleting the Policy.

2. (Old 3) Sounds good.

I was thinking I would make a Generic policy that gives everyone what everyone needs, and make unique policies by department and both could apply. Not sure how that would work. Or if it even could.

3. (Old 4) Hmm, I've never considered doing that. I might be able to do that. I'll figure it out. Thanks. 

Shadow Copy? I've vaguely heard of it but never used it. Where might I find that?

1. Sorry, I read that one a bit too fast. The concept however is similar. Check this link to see how to delete objects from AD.

2. That should work.

3. Shadow Copy is explained here.

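Since the link above did not survive, here is the Shadow Copy setup from the command line, as an added example that is not from the thread. It runs on the file server as an administrator; D: is a stand-in for whichever volume holds the shares, and the schedule, size and the ChatLogs\jdoe.log path in the last line are placeholders.

```powershell
# Added example, not from the thread. Run on the file server as an
# administrator (Windows Server 2008 or later); D: stands in for the volume
# that holds the shares.
$volume = "D:"

# 1. Reserve snapshot space on the same volume. The oldest snapshots are
#    dropped when the limit is reached, so size it for the daily churn; 20GB
#    is a placeholder, not a recommendation.
vssadmin add shadowstorage "/for=$volume" "/on=$volume" /maxsize=20GB

# 2. Take a snapshot now. "ClientAccessible" is the kind the Previous Versions
#    tab shows; "vssadmin create shadow" makes the same kind.
function New-ClientShadow([string]$Vol) {
    $class  = Get-WmiObject -List Win32_ShadowCopy
    $result = $class.Create("$Vol\", "ClientAccessible")
    if ($result.ReturnValue -ne 0) { throw "Win32_ShadowCopy.Create failed: $($result.ReturnValue)" }
    Get-WmiObject Win32_ShadowCopy | Where-Object { $_.ID -eq $result.ShadowID }
}
New-ClientShadow $volume | Select-Object ID, DeviceObject

# 3. Schedule it. Twice per working day is what the Explorer UI offers by
#    default (07:00 and 12:00); runs as SYSTEM, so no stored password.
schtasks /Create /F /RU SYSTEM /SC DAILY /ST 07:00 /TN "ShadowCopy 0700" /TR "vssadmin create shadow /for=$volume"
schtasks /Create /F /RU SYSTEM /SC DAILY /ST 12:00 /TN "ShadowCopy 1200" /TR "vssadmin create shadow /for=$volume"

# 4. Inventory, oldest first. Each DeviceObject is a read-only view of the
#    volume as it was; a chat log that was emptied at 10:15 is still full in
#    the 07:00 snapshot.
Get-WmiObject Win32_ShadowCopy | Sort-Object InstallDate |
    Select-Object @{n='Taken'; e={ $_.ConvertToDateTime($_.InstallDate) }}, DeviceObject

# 5. Pull one file back from the newest snapshot without the GUI. Copy-Item
#    cannot open \\?\GLOBALROOT paths directly, but a directory symlink to the
#    snapshot root (trailing backslash required) turns it into an ordinary path.
function Restore-FromShadow([string]$RelativePath, [string]$Destination) {
    $snap = Get-WmiObject Win32_ShadowCopy | Sort-Object InstallDate | Select-Object -Last 1
    $link = Join-Path $env:TEMP ("shadow_" + $snap.ID.Trim('{}'))
    cmd /c mklink /d "$link" "$($snap.DeviceObject)\" | Out-Null
    try     { Copy-Item -LiteralPath (Join-Path $link $RelativePath) -Destination $Destination }
    finally { cmd /c rmdir "$link" | Out-Null }
}
# Restore-FromShadow "ChatLogs\jdoe.log" "C:\Recovered\jdoe.log"
```

Previous Versions is exposed over SMB, so the Windows 7 clients see it in Explorer with nothing installed; the two XP machines need Microsoft's Previous Versions client installed first. Shadow copies are not a backup of the server: they live on the same volume and disappear with it, so they answer the "someone emptied the log this morning" case, not the "the disk died" case.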


Thanks a lot bro. This will help a ton.

Now I'm just trying to actually get Roaming Profiles to work. When I log into the Domain as a user with their profile folder directed to where we plan to keep them, it takes a few minutes before explorer.exe starts up. I assume it's looking for the profile and just not finding it while it is applying the Group Policy.

Interestingly, the folder mounts worked (i.e. \\server\folder mounted to A: or wtv), but not all of them did. Is it acceptable to use variables such as %username% when adding a drive to Drive Maps under Windows Settings under User Configuration? The map that used that didn't work, so I was curious about it.

However, other things, like Data Sources (for ODBC connections), didn't work either. 

One thing I found wrong was that under User Configurations -> Preferences -> Windows Settings -> Files, I set it to copy a file from one place to another. 

The source is directly to said file. The destination is C:\Databases\. However, it did not put that on the computer I logged into. It put it on the C:\ of the Domain Controller. 

That confused me. 


2. Install 7-zip, then right click the EXE and expand it. Works for most modern installers; I have used it with QuickTime, iTunes, Acrobat, and I forget which other package. Or use Linux to expand it.

3. Simple one group policy is best, keep it simple as you can have it blow up on you as you have listed.

4. If you have Read-Write, that means you can delete as well, because if I can remove the contents of the file, a 0 byte file is basically deleted, and I can also rename it to whatever I want, so you lose the file.

 

Lastly, I would advise against roaming desktops; do a search for "Roaming Desktop broken" and see what the world faces with them before going full bore into it.

I roll with sigs off so I have no idea what you're advertising.

 

This is NOT the signature you are looking for.

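The earlier "NTFS permissions" answer and the point just above about read-write implying delete both hold as far as the Explorer checkboxes go; the ACL below, an added example and not code from the thread, is the distinction they leave out. NTFS separates rights that the Modify checkbox lumps together: truncating a file (SetEndOfFile) or overwriting it needs WriteData, appending needs only AppendData, deleting needs Delete on the file or Delete Subfolders and Files on its parent, and renaming needs Delete on the file. An ACE that allows AppendData but not WriteData, with an explicit deny of Delete, is therefore "write but neither empty nor delete". Names are made up (D:\ChatLogs, CORP\Staff, accounts jdoe and asmith). Two things the script handles: the log files are created by the administrator and owned by Administrators, because an owner can always rewrite the ACL and grant itself Delete; and the folder grants no CreateFiles, for the same reason. One thing it cannot handle: the chat application must open the log for append only (FILE_APPEND_DATA without FILE_WRITE_DATA). A program that opens it with GENERIC_WRITE, which is what .NET's File.AppendAllText does, gets Access Denied, so test with the real client; if it fails, fall back to Modify minus Delete and rely on shadow copies to recover a truncated log.

```powershell
# Added example, not from the thread. Hypothetical layout: D:\ChatLogs on the
# file server with one pre-created log per user, users in CORP\Staff, sample
# accounts jdoe and asmith. Run as an administrator on the file server.
$logRoot = "D:\ChatLogs"
$staff   = "CORP\Staff"
$users   = @("jdoe", "asmith")          # constructed sample accounts
$admins  = "BUILTIN\Administrators"
$system  = "NT AUTHORITY\SYSTEM"

function New-FileAce([string]$Who, $Rights, [string]$Type) {
    New-Object System.Security.AccessControl.FileSystemAccessRule($Who, $Rights, $Type)
}
function New-DirAce([string]$Who, $Rights, [string]$Type, [string]$Inherit = "None") {
    New-Object System.Security.AccessControl.FileSystemAccessRule($Who, $Rights, $Inherit, "None", $Type)
}

# The folder. Admins and SYSTEM get everything and own it. Staff may list and
# traverse, nothing more: no CreateFiles (a file you create is a file you own,
# and an owner can always rewrite its ACL) and no DeleteSubdirectoriesAndFiles
# (which deletes any child regardless of the child's own ACL).
New-Item -ItemType Directory -Path $logRoot -Force | Out-Null
$dirAcl = Get-Acl -Path $logRoot
$dirAcl.SetAccessRuleProtection($true, $false)      # drop inherited Modify etc.
$dirAcl.SetOwner([System.Security.Principal.NTAccount] $admins)
$dirAcl.AddAccessRule((New-DirAce $admins "FullControl"    "Allow" "ContainerInherit, ObjectInherit"))
$dirAcl.AddAccessRule((New-DirAce $system "FullControl"    "Allow" "ContainerInherit, ObjectInherit"))
$dirAcl.AddAccessRule((New-DirAce $staff  "ReadAndExecute" "Allow"))
Set-Acl -Path $logRoot -AclObject $dirAcl

# Each log: append-only for its user. WriteData is what truncation
# (SetEndOfFile) and in-place overwrites need, and it is deliberately absent;
# AppendData lets the file grow. Delete is denied explicitly, which also blocks
# rename (renaming needs DELETE on the source file). Synchronize is needed to
# open a handle at all.
$appendOnly = [System.Security.AccessControl.FileSystemRights] `
    "ReadData, AppendData, ReadAttributes, ReadExtendedAttributes, ReadPermissions, Synchronize"

foreach ($u in $users) {
    $file = Join-Path $logRoot "$u.log"
    if (-not (Test-Path -LiteralPath $file)) { New-Item -ItemType File -Path $file | Out-Null }
    $acl = Get-Acl -Path $file
    $acl.SetAccessRuleProtection($true, $false)
    $acl.SetOwner([System.Security.Principal.NTAccount] $admins)
    $acl.AddAccessRule((New-FileAce $admins   "FullControl" "Allow"))
    $acl.AddAccessRule((New-FileAce $system   "FullControl" "Allow"))
    $acl.AddAccessRule((New-FileAce "CORP\$u" $appendOnly   "Allow"))
    $acl.AddAccessRule((New-FileAce "CORP\$u" "Delete"      "Deny"))
    Set-Acl -Path $file -AclObject $acl
}

# Verify: one Allow without WriteData and one Deny of Delete per user.
foreach ($u in $users) {
    (Get-Acl -Path (Join-Path $logRoot "$u.log")).Access |
        Where-Object { $_.IdentityReference.Value -eq "CORP\$u" } |
        Format-Table IdentityReference, AccessControlType, FileSystemRights -AutoSize
}

# Share it. Change at the share level; the NTFS ACLs above do the restricting.
net share 'ChatLogs$=D:\ChatLogs' "/GRANT:$staff,CHANGE"
```

Share permissions cannot express any of the distinctions above, which is why the share is opened up to Change and NTFS carries the policy. The Deny ACE is evaluated before the Allow ACEs, so it also overrides any group membership that would otherwise grant Delete.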


2. Hmm, cool. Thanks.

3. I'm going to make most of the things we use be applied by a general policy with only department specific things added to unique policies (we have 7 departments).

I would stick with a single policy if it weren't such a pain in the butt to input a single person into the system.

4. Shadow Copy fixes that. Differential backup is the best. 

Hmm, that makes a good point. Essentially, we want Roaming Profiles because that effectively means that all profiles are backed up on both the computers and on the server. In other words, it's a less intensive way of having complete backups of everyone's systems, files, and the like. 

The power isn't going to go out, so corruption isn't a problem from that. (UPSes galore)

There are multiple servers that are shadow copying the main one, so if that one dies, we are safe. 

If, somehow, the profile got corrupted anyway, we have differential backups going on through shadow copy, so we can just jump back to an older, non-corrupt backup at any time. 

We aren't worried about legacy stuff because all of our servers are Windows 2008 and almost everyone is on Windows 7. They are currently operating as individual users, so the XP people can stay as they are until they move to 7. 

I can't think of any other potential hazard to having Roaming Profiles aside from the slightly longer wait time for logging in.

That brings up another question I have though. What is the easiest way to transition to Roaming Profiles from a normal setup, where the profiles live on each user's machine?

If there were a less intensive way to control everything, hand out updates, and backup everything, aside from Group Policy and Roaming Profiles, I'd love to hear it. 

Your new avatar threw me off, I was thinking Vitalius is also doing some Group Policy stuff wonder if he will chime in :P

 

Back to 4. We (at work) instead rely on users backing up or saving to the file server (aka CIFS share), so we don't worry about profiles, as it allows us to only back up the server and not every freaking desktop (the added cost of backing up N clients as opposed to one server saves beaucoup bucks); most work out of the share for all work files. We treat AppData as disposable files, as we also provide users with a sync (SyncToy) method to back up the profile nitty-gritty as they log off, or per user using it (running the sync); this way they can decide if they want their browser history backed up (a double-edged sword most don't do, which again saves money in backup tapes; who in their right mind would want it saved?). If a computer dies they sit at a new one or a new install and they're back in business.

 

We tried roaming profiles but no one liked the delays, so we punted it, and most preferred the save to server on request or at their discretion. You gotta look at the big picture: not only convenience of the user but cost to back up clients vs. server (note singular there), then legalities.

I have a new avatar? LOL I've had this one for quite a while. When was the last time you were on?

It's a little late to care about saving money via backups. We have multiple servers, and everything is handled by the smallest while the next one is large enough to take its place and back it up at the same time (i.e. double the size), and the next one can do the same for that one (i.e. double the second one's size). 

Capacity is cheap and all we deal in are emails and excel documents. So storage use is minimal. It's just a matter of actually backing them all up. 

Note that all that hardware existed before I joined. They've been future proof (for their business) for like... years (Decades?). 

The problem is that we have to back everything up. Everything they work on is important and cannot be lost or it could mean fines in the $100,000s later on (the government is serious about Insurance, which is what we deal with). 

We have old hard drives from 2006 simply because they have valuable information on them. We could boot them up and put it on the server, but we have many of them (pain in the butt). 

Basically we are working to more efficiently set up backups and things related to it. We already own the hardware to make it work fluidly. We just need to make it work for us.

Looked new/different to me :huh:

 

So it looks like you're headed down the Roaming Desktop road; I would be interested in hearing how it ends up.

Yeah, pretty much. I'll let you know. 

Our users usually have enough things to do that they can come, turn their computers on, get a cup of coffee, come back and it will be on by then. 

I just need to figure out how to make Desktops and Themes (and everything else you can customize within reason) follow a profile. I think I've gotten the folder redirection down (by way of Group Policy), but I still need to continue my testing.

Ultimately, I want to basically be able to set it so that, when they get on any machine, any programs they need come with them. Excel, Thunderbird, Databases (which use Microsoft Access), and ODBC connections. 

The ODBC connections aren't being input through Group Policy (unless I just can't see them in the ODBC connections window). The drives follow, and databases are following since they rely on file and shortcut transfers only. 

But I'm kinda lost on Applications and ODBC connections. Though, I think I just figured out one problem I need to fix. My test computer is set up to work in a Workgroup and is not set up to be a part of our Domain. I should probably switch that. lol

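A workgroup machine processes no domain policy at all, so before the next round of testing the first step is to confirm the join and then look at what actually applied. The pre-flight script below is an added example, not from the thread; it runs on the Windows 7 test workstation in an elevated PowerShell, and corp.example and OU=Testing are placeholders.

```powershell
# Added example, not from the thread. Run on the Windows 7 test workstation
# in an elevated PowerShell. corp.example and OU=Testing are placeholders.
$domain = "corp.example"

# 1. Membership. A workgroup machine never talks to a DC at logon, so nothing
#    in the GPO (drive maps, files, data sources) can reach it.
$cs = Get-WmiObject -Class Win32_ComputerSystem
"{0}: PartOfDomain={1} Domain={2}" -f $cs.Name, $cs.PartOfDomain, $cs.Domain
if (-not $cs.PartOfDomain) {
    # Joins straight into the test OU so the linked GPO covers the computer
    # object as well; prompts for an account allowed to join machines.
    Add-Computer -DomainName $domain -OUPath "OU=Testing,DC=corp,DC=example" `
                 -Credential "$domain\Administrator" -Restart
    return
}

# 2. Joined: is the secure channel healthy, and which DC handled the logon?
Test-ComputerSecureChannel -Verbose
nltest "/dsgetdc:$domain"
"Logon server: $env:LOGONSERVER"

# 3. Refresh, then look at what applied to this user. /r lists the GPOs;
#    the HTML report additionally shows each Preferences item with its result.
gpupdate /force
gpresult /r /scope:user
$report = Join-Path $env:TEMP "rsop.html"
gpresult /h $report /f
Start-Process $report

# 4. Client-side extension failures, the Preferences extensions included, are
#    logged here with the Win32 error; warnings and errors only.
Get-WinEvent -LogName "Microsoft-Windows-GroupPolicy/Operational" -MaxEvents 100 |
    Where-Object { $_.Level -ge 1 -and $_.Level -le 3 } |
    Select-Object TimeCreated, Id, Message | Format-List
```

The HTML report is worth the extra step over gpresult /r because it breaks Group Policy Preferences down per item, with the reason a Drive Map or Files item was skipped or failed; /r only lists which GPOs applied.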
