Thursday, February 9, 2012
Tuesday, February 7, 2012
Monday, February 6, 2012
How to (Enable or Disable) Remote Desktop via Group Policy Windows 2008
1- We can use Group Policy setting to (enable or disable) Remote Desktop
Click Start – All programs – Administrative Tools – Group Policy Management.
Create or Edit Group Policy Objects.
Expand Computer Configuration – Administrative Templates – Windows Components – Remote Desktop Services – Connections.
Allow users to connect remotely using Remote Desktop Services (enable or disable)
2- We can use Group Policy Preferences to (enable or disable) Remote Desktop
Click Start – All programs – Administrative Tools – Group Policy Management.
Create or Edit Group Policy Objects
Expand Computer Configuration – Preferences – Windows Settings.
Right click Registry – New – Registry Item.
General Tab.
Action :Update
Hive :HKEY_LOCAL_MACHINE
Key path : SYSTEM\CurrentControlSet\Control\Terminal Server
Value name : fDenyTSConnections
Value type : REG_DWORD
Value date : 00000000 enable OR 00000001 disable
Click Start – All programs – Administrative Tools – Group Policy Management.
Create or Edit Group Policy Objects.
Expand Computer Configuration – Administrative Templates – Windows Components – Remote Desktop Services – Connections.
Allow users to connect remotely using Remote Desktop Services (enable or disable)
2- We can use Group Policy Preferences to (enable or disable) Remote Desktop
Click Start – All programs – Administrative Tools – Group Policy Management.
Create or Edit Group Policy Objects
Expand Computer Configuration – Preferences – Windows Settings.
Right click Registry – New – Registry Item.
General Tab.
Action :Update
Hive :HKEY_LOCAL_MACHINE
Key path : SYSTEM\CurrentControlSet\Control\Terminal Server
Value name : fDenyTSConnections
Value type : REG_DWORD
Value date : 00000000 enable OR 00000001 disable
Tuesday, January 17, 2012
How to Configure Folder Redirection
o configure Folder Redirection:
To start the Group Policy snap-in from the Active Directory Users and Computers snap-in, click Start, point to Programs, click Administrative Tools, and then click Active Directory Users and Computers.
In the MMC console tree, right-click the domain or the OU for which to access Group Policy, click Properties, and click Group Policy.
To create a new Group Policy object (GPO), right-click the domain or OU you want to associate with the GPO, select Properties from the context menu, and then in the domain or OU containers Properties page, click the Group Policy tab.
Click New, and type the name to use for the GPO. For example, type Redirect MyDocuments GPO.
Click Edit to open the Group Policy snap-in and edit the new GPO.
In the Group Policy console, expand the User Configuration, Windows Settings, and Folder Redirection nodes. Icons for the personal folders that can be redirected will be displayed.
To redirect any of these folders, right-click the folder name, click Properties, and then select one of the following options from the Setting drop-down box:
Basic - Redirect everyone's folder to the same location. All folders affected by this Group Policy object will be stored on the same network share.
Advanced Specify locations for various user groups. Folders are redirected to different network shares based on security group membership. For example, folders belonging to users in the Accounting group can be redirected to the Finance server, while folders belonging to users in the Sales group are redirected to the Marketing server.
On the My Documents Properties page, in the Target folder location drop down box select Create a folder for each user under the root path. In the Root Path text box, type the name of the shared network folder to use, or click Browse to locate it. Note: Unlike Windows 2000, you do not need to type in the %username% variable. The folder redirection code will automatically create a My Documents folder for each user, inside a folder based on their user name. For example, type \\FolderServer\MyDocumentsFolders rather than \\FolderServer\MyDocumentsFolders\%username% as you would on Windows 2000.
In the folders Properties dialog box, select the Settings tab, configure the options you want to use, and then click Finish to complete the Folder Redirection. The available options for settings are:
Grant the user exclusive rights to My Documents. If selected, this sets the NTFS security descriptor for the %username% folder to Full Control for the user and local system only; this means that administrators and other users do not have access rights to the folder. This option is enabled by default. Note: Changing this option after the policy has been applied to some users will only effect new users receiving the policy.
Move the contents of My Documents to the new location. Moves any document the user has in the local My Documents folder to the server share. This option is enabled by default.
Leave the folder in the new location when policy is removed. Specifies that files remain in the new location when the Group Policy object no longer applies. This option is enabled by default.
Redirect the folder back to the local user profile location when policy is removed. If enabled, specifies that the folder be copied back to the local profile location if the Group Policy object no longer applies.
The My Documents Properties page provides two additional options for the My Pictures folder:
Make My Pictures a subfolder of My Documents. If selected, when the My Documents folder is redirected, My Pictures remains a subfolder of My Documents. By default, My Pictures automatically follows the My Documents folder.
Do not specify administrative policy for My Pictures. If selected, Group Policy does not control the location of My Pictures; this is determined by the user profile.
An important point to note is that you should not pre-create the directory defined by user name. Folder Redirection will handle setting the appropriate ACLs on the folder. If you choose to pre-create folders for each user, be sure to set the permissions correctly (see the permissions tables in the Best Practices section later in this paper).
For more information about using the Group Policy snap-in and the Folder Redirection extension, refer to the Windows Server 2003 online Help and the Step-by-Step Guide to User Data and User Settings at http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/directory/activedirectory/stepbystep/usrdata.mspx.
Changing settings after Folder Redirection policy has been applied.
It is possible to change the Folder Redirection options on the Settings tab after the policy has been applied, you should note that changing the value of the Grant the user exclusive rights to setting will only apply to new users effected by the policy. Any existing users that received the policy will use the original Grant the user exclusive rights to setting.
Folder Redirection and environment variables
The folder redirection client side extension is only able to process two environment variables: %username% and %userprofile%. Other environment variables such as %logonserver%, %homedrive% and %homepath% will not work with folder redirection.
Folder Redirection and mapped drives
Because folder redirection is processed early in the logon process, drives mapped via logon scripts (including the homedrive for folders other than My Documents), the folder redirection client side extension is not able to redirect to these locations. At the time that redirection takes place, the drives do not exist hence redirection fails.
Folder Redirection Troubleshooting.
Folder redirection processing contains 5 steps:
Determine which folders to redirect based on changes to policy at logon time.
Determine desired redirected location and verify access.
If folder does not exist: create folders, set ACLs.
If folder exists, check ACLs and ownership.
If desired, move contents.
Folder redirection failures only affect the folder redirection extension on a per folder basis. If you're pre-creating folders rather than letting the folder redirection extension automatically create the folder, typical errors include:
Redirecting to a folder that is incorrectly ACLd.
User is not the owner of the folder.
Destination does not exist.
Enabling logging
In addition to logging events in the Application Event log, Folder Redirection can provide a detailed log to aid troubleshooting. To create a detailed log file for folder redirection, use the following registry key:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Diagnostics
Set: FdeployDebugLevel = Reg_DWORD 0x0f
To start the Group Policy snap-in from the Active Directory Users and Computers snap-in, click Start, point to Programs, click Administrative Tools, and then click Active Directory Users and Computers.
In the MMC console tree, right-click the domain or the OU for which to access Group Policy, click Properties, and click Group Policy.
To create a new Group Policy object (GPO), right-click the domain or OU you want to associate with the GPO, select Properties from the context menu, and then in the domain or OU containers Properties page, click the Group Policy tab.
Click New, and type the name to use for the GPO. For example, type Redirect MyDocuments GPO.
Click Edit to open the Group Policy snap-in and edit the new GPO.
In the Group Policy console, expand the User Configuration, Windows Settings, and Folder Redirection nodes. Icons for the personal folders that can be redirected will be displayed.
To redirect any of these folders, right-click the folder name, click Properties, and then select one of the following options from the Setting drop-down box:
Basic - Redirect everyone's folder to the same location. All folders affected by this Group Policy object will be stored on the same network share.
Advanced Specify locations for various user groups. Folders are redirected to different network shares based on security group membership. For example, folders belonging to users in the Accounting group can be redirected to the Finance server, while folders belonging to users in the Sales group are redirected to the Marketing server.
On the My Documents Properties page, in the Target folder location drop down box select Create a folder for each user under the root path. In the Root Path text box, type the name of the shared network folder to use, or click Browse to locate it. Note: Unlike Windows 2000, you do not need to type in the %username% variable. The folder redirection code will automatically create a My Documents folder for each user, inside a folder based on their user name. For example, type \\FolderServer\MyDocumentsFolders rather than \\FolderServer\MyDocumentsFolders\%username% as you would on Windows 2000.
In the folders Properties dialog box, select the Settings tab, configure the options you want to use, and then click Finish to complete the Folder Redirection. The available options for settings are:
Grant the user exclusive rights to My Documents. If selected, this sets the NTFS security descriptor for the %username% folder to Full Control for the user and local system only; this means that administrators and other users do not have access rights to the folder. This option is enabled by default. Note: Changing this option after the policy has been applied to some users will only effect new users receiving the policy.
Move the contents of My Documents to the new location. Moves any document the user has in the local My Documents folder to the server share. This option is enabled by default.
Leave the folder in the new location when policy is removed. Specifies that files remain in the new location when the Group Policy object no longer applies. This option is enabled by default.
Redirect the folder back to the local user profile location when policy is removed. If enabled, specifies that the folder be copied back to the local profile location if the Group Policy object no longer applies.
The My Documents Properties page provides two additional options for the My Pictures folder:
Make My Pictures a subfolder of My Documents. If selected, when the My Documents folder is redirected, My Pictures remains a subfolder of My Documents. By default, My Pictures automatically follows the My Documents folder.
Do not specify administrative policy for My Pictures. If selected, Group Policy does not control the location of My Pictures; this is determined by the user profile.
An important point to note is that you should not pre-create the directory defined by user name. Folder Redirection will handle setting the appropriate ACLs on the folder. If you choose to pre-create folders for each user, be sure to set the permissions correctly (see the permissions tables in the Best Practices section later in this paper).
For more information about using the Group Policy snap-in and the Folder Redirection extension, refer to the Windows Server 2003 online Help and the Step-by-Step Guide to User Data and User Settings at http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/directory/activedirectory/stepbystep/usrdata.mspx.
Changing settings after Folder Redirection policy has been applied.
It is possible to change the Folder Redirection options on the Settings tab after the policy has been applied, you should note that changing the value of the Grant the user exclusive rights to
Folder Redirection and environment variables
The folder redirection client side extension is only able to process two environment variables: %username% and %userprofile%. Other environment variables such as %logonserver%, %homedrive% and %homepath% will not work with folder redirection.
Folder Redirection and mapped drives
Because folder redirection is processed early in the logon process, drives mapped via logon scripts (including the homedrive for folders other than My Documents), the folder redirection client side extension is not able to redirect to these locations. At the time that redirection takes place, the drives do not exist hence redirection fails.
Folder Redirection Troubleshooting.
Folder redirection processing contains 5 steps:
Determine which folders to redirect based on changes to policy at logon time.
Determine desired redirected location and verify access.
If folder does not exist: create folders, set ACLs.
If folder exists, check ACLs and ownership.
If desired, move contents.
Folder redirection failures only affect the folder redirection extension on a per folder basis. If you're pre-creating folders rather than letting the folder redirection extension automatically create the folder, typical errors include:
Redirecting to a folder that is incorrectly ACLd.
User is not the owner of the folder.
Destination does not exist.
Enabling logging
In addition to logging events in the Application Event log, Folder Redirection can provide a detailed log to aid troubleshooting. To create a detailed log file for folder redirection, use the following registry key:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Diagnostics
Set: FdeployDebugLevel = Reg_DWORD 0x0f
Folder Redirection Overview
Advantages of Using Folder Redirection
Folder redirection provides a number of advantages. Some of the following benefits relate to redirecting any folder, but redirecting My Documents can be particularly advantageous.
Even if a user logs on to various computers on the network, the users documents are always available.
The system administrator can use Group Policy to set disk quotas, limiting the amount of space taken up by users' special folders.
Data specific to a user can be redirected to a different hard disk on the user's local computer from the hard disk holding the operating system files. This protects the user's data if the operating system needs to be reinstalled.
Data stored on a shared network server can be backed up as part of routine system administration. This is safer and it requires no action on the part of the user.
Folder redirection provides a number of advantages. Some of the following benefits relate to redirecting any folder, but redirecting My Documents can be particularly advantageous.
Even if a user logs on to various computers on the network, the users documents are always available.
The system administrator can use Group Policy to set disk quotas, limiting the amount of space taken up by users' special folders.
Data specific to a user can be redirected to a different hard disk on the user's local computer from the hard disk holding the operating system files. This protects the user's data if the operating system needs to be reinstalled.
Data stored on a shared network server can be backed up as part of routine system administration. This is safer and it requires no action on the part of the user.
Subscribe to:
Posts (Atom)