The easiest thing to start with is to REMOVE all users from the local
administrators group. If they aren't members of this they can't install new
software.
Point the user's profile to a network location that is within their work
area, such as within their home folder. This is done from within ADUC; that
way if they damage something it only impacts their desktop.
Make the "All Users" folder read only for everyone but the Local
Administrators.
This will get you a good start. I created mandatory roaming user profiles
for an airline hangar system and it took a while to get it all locked down.
I ended up getting some help from somebody writing some code to block users
from doing some things that you just couldn't lock down back in W2K.
--
Paul Bergson
MVP - Directory Services
MCT, MCSE, MCSA, Security+, BS CSci
2003, 2000 (Early Achiever), NT
http://www.pbbergs.com
Please, no e-mails; any questions should be posted in the NewsGroup.
This posting is provided "AS IS" with no warranties, and confers no rights.
"jim" wrote in message
>I want to control the user desktops (not allow them to install stuff or
>hose up the desktop for the next user) and I am trying to create mandatory
>profiles on a Windows 2000 Server.
>
> The Windows 2000 Server Administrator's Companion (Microsoft Press), on
> page 276, says to...
>
> "1. Create a user account with a descriptive name.... This is just a
> blank account that you'll use to create a template for the customized
> configuration.
>
> 2. Log on using the template account and create the desktop settings you
> want, including applications, shortcuts, appearance, network connections,
> printers, and so forth.
>
> 3. Log off the template account. Windows 2000 creates a user profile on
> the system root drive in the Documents And Settings folder. ....
>
> 4. Log on using an administrator account. Open Active Directory Users and
> Computers, and find the account for which you want to assign the
> customized roaming profile."
>
> I'll stop here....because I can't get past step #2.
>
> When I log off the server as Administrator and try to log in as my
> template user, I get a "Logon Message" that says "The local policy of this
> system does not permit you to logon interactively."
>
> So I logged back in as Administrator, and added the user to the Local
> Security Settings>User Rights Assignment>Log On Locally policy setting. I
> also checked that Users group was checked there.
>
> I tried logging in locally as Template again and got the same message.
>
> What am I doing wrong?
>
> jim
>
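The three lockdown points in Paul's reply (no local admin membership, profile path on a network share, read-only "All Users" folder) as an added audit script. This is not code from the thread; it uses modern PowerShell because the Windows 2000 steps were GUI-driven, and it assumes the Microsoft.PowerShell.LocalAccounts and ActiveDirectory modules. `$ProfileRoot`, `$AllUsersPath`, the `FILESRV` share and the `OU=Kiosk` search base are placeholder assumptions.

```powershell
# Added example (not from the original thread): reports deviations from the
# three lockdown points above on a current Windows host. Assumes PowerShell 5.1+
# with the Microsoft.PowerShell.LocalAccounts and ActiveDirectory modules.
param(
    # Assumed share holding the mandatory profiles; adjust for your environment.
    [string]$ProfileRoot  = '\\FILESRV\Profiles',
    # On modern Windows "All Users" is a junction to ProgramData.
    [string]$AllUsersPath = $env:ProgramData,
    # Assumed OU containing the locked-down accounts.
    [string]$SearchBase   = 'OU=Kiosk,DC=example,DC=com'
)

# 1. Local Administrators should hold only the built-in account and admin groups.
$allowed = @('Administrator', 'Domain Admins')
Get-LocalGroupMember -Group 'Administrators' |
    Where-Object { ($_.Name -split '\\')[-1] -notin $allowed } |
    ForEach-Object { Write-Warning "Unexpected local admin: $($_.Name) ($($_.ObjectClass))" }

# 2. Every user in the OU should have a ProfilePath under the network share.
Get-ADUser -Filter * -SearchBase $SearchBase -Properties ProfilePath |
    Where-Object { -not $_.ProfilePath -or $_.ProfilePath -notlike "$ProfileRoot\*" } |
    ForEach-Object { Write-Warning "$($_.SamAccountName): ProfilePath is '$($_.ProfilePath)'" }

# 3. The All Users folder should not grant write rights to Users principals.
$writeMask = [System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl'
(Get-Acl -Path $AllUsersPath).Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference -match 'Users$' -and       # BUILTIN\Users, Authenticated Users
        ($_.FileSystemRights -band $writeMask)          # any write-capable bit set
    } |
    ForEach-Object { Write-Warning "$($_.IdentityReference) can write to $AllUsersPath ($($_.FileSystemRights))" }
```

A clean host prints nothing; each warning names the account, profile path or ACE that still needs the change Paul describes.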