
Mandatory TS user profiles... Admin rights



Guest Noncentz303
Posted

The lowdown: I have been tasked with setting up our TS environment so that when a user logs on they have limited access to the desktop and startbar. From what I have read this can be accomplished with TS user profiles.

We have a SBS and 2 TS "TS1 and TS2"

I am new at this but this is what I have accomplished so far:

I created a new GPO and a new OU for TS1 and 2
-I created a shared folder on TS1 called TSProfiles
-I created a test user and added it to the new GPO
-I enabled loopback processing
-I enabled admin security group to roaming profiles
-Set the path for TS roaming profiles :\\TS1\TSProfiles * appends username

Then I went to my test user and specified the following profile path:
\\TS1\TSProfile\%username%

- This is where I run into my issues. When I log in a separate folder is created in my share for each user. I would like to use 1 standard profile for all users when they log in so that when I make changes they affect all users.

- Also when I log in as admin I cannot view the contents of the folders because access is denied -- even though I have it set to add user admin when folder is created

- I also am wondering will I have to set up a static path for every user depending on what TS they use and specify different paths and redirects for both servers?

Any help would be appreciated
Antony

Guest cendrars
Posted

RE: Mandatory TS user profiles... Admin rights

 

Hello,

It has been a while, but give this a shot and let us know how you make out.

You can do this only in Windows 2003 AD environment. The goal here is to migrate your users to a mandatory profile without changing any of the AD user properties you have in place now.

Configure a dummy profile path via the GPO.
Computer Config > Admin Templates > Windows Components > Terminal Services
Set the path for the TS roaming profile

Create a mandatory profile for the terminal server. Create a local account (place the account into the local admin group). It is also preferable that you do this on a server with no domain affiliation or policies applied. VMWare is good enough provided you are matching the OS and SP used in your production environment. Log the account on and configure the environment the way you like it. Log off.

Use the Computer Properties window to copy your user profile to a file share you can get to. You want to be certain that you assign the Authenticated Users group permission to access the profile. You will see input for this security config within the Copy window of the My Computer > Properties > Advanced > User Profiles > Copy Option window.

Refer to the following KB for creating the Mandatory Profile: MS KB323368

Refer to the following KB for configuring Folder Redirection within the mandatory profile registry config. This is handy information. MS KB242557

This last KB references folder redirection within the ntuser.man registry hive. Once you have created the mandatory profile, you must load the ntuser.man file into regedit.exe HKEY_Users environment for cleaning. Be sure to name the account something unique for searching; qqqqqqq is good enough. Once you have loaded the hive, search for any identity markers associated with the account. Do not delete the key values, simply remove any data associated with the account name.

While you are creating the account don't get into detailed configs, avoid opening apps, this will better assure your mandatory profile is good to go.

Now...back to work.

Backup and empty the Default User profile. Be sure you can see hidden and system files.

Copy the mandatory profile into the Default User folder environment. Be sure you have hidden and system files available for viewing.

Rename the ntuser.man into ntuser.dat

Enable the following GPO setting

Computer Config > Admin Templates > System > User Profiles > Prevent Roaming Profile Changes to propagate to the server

There you go, you have a mandatory profile environment, which utilizes the ntuser.dat for certificates and that good roaming stuff, but you have no folder propagation to the roaming environment.

This will not solve your Outlook config settings however. You will need to launch the app with a PRF file associated for user settings to be applied. This will avoid setup for each launch. To get further into the mix on this one, you should look into a Flex profiling environment. Do a search for Flex Framework on google, and head in that direction.

Let us know how you make out!

Guest Noncentz303
Posted

RE: Mandatory TS user profiles... Admin rights

 

Cendrars,

Thanks for the response... It was way helpful for what I have to do. This is how it went down..

I created my separate GPO and user for my test environment just fine. I was able to create the share and copy over a good user profile. When I log on with the user I am able to see the changes that have been made as well as everything in the C:\Documents and Settings\All Users folder....

I guess now I'm looking to clean and shore up a lot of loose ends. I would like to be able to log in as an administrator and see my usual menus, start bars and whatnot so I won't add myself to the GPO but I have to edit C:\Documents and Settings\All Users for my changes to work correctly which also messes with the admin account.

Is there a workaround for this purpose???

Guest cendrars
Posted

RE: Mandatory TS user profiles... Admin rights

 

Are you logging on with a local admin account (local to the server, no domain affiliation)? Or, are you logging on with a domain account? The difficulty here is that you have applied Machine GPO settings which are global to the server.

What is it that you are working to accomplish with your local admin account?

Guest Noncentz303
Posted

RE: Mandatory TS user profiles... Admin rights

 

Cendrars,

Ok so I figured out my problem with my mandatory profiles. I was just mapping them incorrectly in AD Users and Computers. I have the profiles working like magic now.

But I am having an issue getting my GPO to work on my TS. I created a new OU and under that I created my new GPO "TS Lockdown". In this GPO I added my TS1 and TS2 along with a test group with users to make sure I wasn't going to down everyone. I have enabled loopback and a couple other standard limitations to my GPO but when I log in with one of my test users the TS is basically the same ... well barring the changes I made in my mandatory profile.

I have been searching all morning for the answer to why my GPO is not working on my TS but to no avail. I was using this tutorial

http://www.microsoft.com/technet/technetmag/issues/2007/05/TerminalServices/default.aspx

I totally understand what is going on but I just can't seem to get it to work at all. Any thoughts on what I might be doing wrong??

Noncentz

Guest cendrars
Posted

RE: Mandatory TS user profiles... Admin rights

 

Hello,

You have applied Loopback, and I expect you have applied it in Replace mode. Please apply it in replace mode.

The effect this will have is that the OU container will only process "User Configuration" settings applied via GPOs linked to the OU container. GPOs which are "Enforced" above the OU tree will also be applied to the OU.

Machine configurations within the GPO environment are global. Machine configurations are applied to "all" users, hence their global nature. So, any change you make on the machine side of the GPO will apply to all users including Admins.

User configurations are for users, obviously. It is possible to segregate the delivery of these settings to users based on group affiliation. While the default setting for a linked GPO is to apply DACL configuration to the Authenticated Users Group for the "Read" and "Apply Group Policy" settings, you can deny these user settings to your Admin group by setting the DACL for the group to "Read" the GPO, but "Deny Group Policy" as the option that counts. This allows the admin group to log onto the server unobstructed by user policy settings meant to lock down the server.

Also, make the effort to configure the "details" of your GPOs appropriately. Apply your user GPO settings to, and within the details tab for the GPO "deny computer settings". Apply your computer settings to a GPO and "deny user settings" within the details tab for the GPO. Keep user and machine settings separated within the GPO configurations.

So, what settings are we talking about, computer or user? If they are user you will find success with the items I mention above. If they are computer, well....you are out of luck. Let us know how you make out. Thanks.

Guest Noncentz303
Posted

RE: Mandatory TS user profiles... Admin rights

 

BIG HELP,

I am trying to make changes on the user level. I have a GPO set up for computer and one set up for Users. The changes I am making are on the user side of things. I did not know about DACL config so I will get looking into that. Here is what I received from RSOP

 

Created On 10/25/2007 at 3:03:32 PM

RSOP data for MCCOYSALES\anolan on MCSVR03 : Logging Mode
----------------------------------------------------------

OS Type: Microsoft® Windows® Server 2003, Enterprise Edition
OS Configuration: Member Server
OS Version: 5.2.3790
Terminal Server Mode: Application Server
Site Name: Default-First-Site-Name
Roaming Profile: \\mcsvr03\AdminMandatory
Local Profile: C:\Documents and Settings\anolan
Connected over a slow link?: No

COMPUTER SETTINGS
------------------
CN=MCSVR03,OU=Terminal Servers,DC=mccoysales,DC=local
Last time Group Policy was applied: 10/25/2007 at 2:28:35 PM
Group Policy was applied from: mcsvr01.mccoysales.local
Group Policy slow link threshold: 500 kbps
Domain Name: mccoysales
Domain Type: Windows 2000

Applied Group Policy Objects
-----------------------------
Small Business Server Domain Password Policy
Small Business Server Client Computer
Small Business Server Remote Assistance Policy
Small Business Server Lockout Policy
Default Domain Policy
Local Group Policy

The following GPOs were not applied because they were filtered out
-------------------------------------------------------------------
Small Business Server Internet Connection Firewall
Filtering: Denied (WMI Filter)
WMI Filter: PreSP2

Small Business Server - Windows Vista policy
Filtering: Denied (WMI Filter)
WMI Filter: Vista

EnlightenUsers
Filtering: Not Applied (Empty)

Small Business Server Windows Firewall
Filtering: Denied (WMI Filter)
WMI Filter: PostSP2

The computer is a part of the following security groups
-------------------------------------------------------
BUILTIN\Administrators
Everyone
NT AUTHORITY\Authenticated Users

USER SETTINGS
--------------
CN=Antony Nolan,OU=SBSUsers,OU=Users,OU=MyBusiness,DC=mccoysales,DC=local
Last time Group Policy was applied: 10/25/2007 at 2:28:35 PM
Group Policy was applied from: mcsvr01.mccoysales.local
Group Policy slow link threshold: 500 kbps
Domain Name: MCCOYSALES
Domain Type: Windows 2000

Applied Group Policy Objects
-----------------------------
Default Domain Policy
Local Group Policy

The following GPOs were not applied because they were filtered out
-------------------------------------------------------------------
Small Business Server Internet Connection Firewall
Filtering: Denied (WMI Filter)
WMI Filter: PreSP2

Small Business Server Lockout Policy
Filtering: Disabled (GPO)

Small Business Server Remote Assistance Policy
Filtering: Disabled (GPO)

Small Business Server Client Computer
Filtering: Not Applied (Empty)

Small Business Server - Windows Vista policy
Filtering: Denied (WMI Filter)
WMI Filter: Vista

Small Business Server Domain Password Policy
Filtering: Not Applied (Empty)

EnlightenUsers
Filtering: Not Applied (Empty)

Small Business Server Windows Firewall
Filtering: Denied (WMI Filter)
WMI Filter: PostSP2

The user is a part of the following security groups
---------------------------------------------------
Domain Users
Everyone
Offer Remote Assistance Helpers
Remote Desktop Users
BUILTIN\Users
BUILTIN\Administrators
REMOTE INTERACTIVE LOGON
NT AUTHORITY\INTERACTIVE
NT AUTHORITY\Authenticated Users
This Organization
LOCAL
Domain Admins
SBS Mobile Users
Web Workplace Users
SBS Report Users
Prophet21_Users
Offer Remote Assistance Helpers
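An added example, not posted by either participant: a small Python parser for the RSOP report layout shown in the post above, which reports per scope whether a named GPO was applied, filtered (and why), or is missing from the report entirely. The embedded report is a constructed abridgement of the one posted, the GPO name "TS Lockdown" is taken from the thread, and the function names are hypothetical.

```python
import re

# Constructed sample: abridged from the RSOP report posted above, same layout
# (blank lines dropped; the parser ignores them anyway).
SAMPLE_REPORT = r"""
COMPUTER SETTINGS
------------------
CN=MCSVR03,OU=Terminal Servers,DC=mccoysales,DC=local
Applied Group Policy Objects
-----------------------------
Default Domain Policy
Local Group Policy
The following GPOs were not applied because they were filtered out
-------------------------------------------------------------------
Small Business Server Windows Firewall
Filtering: Denied (WMI Filter)
WMI Filter: PostSP2
EnlightenUsers
Filtering: Not Applied (Empty)
The computer is a part of the following security groups
-------------------------------------------------------
BUILTIN\Administrators
USER SETTINGS
--------------
CN=Antony Nolan,OU=SBSUsers,OU=Users,OU=MyBusiness,DC=mccoysales,DC=local
Applied Group Policy Objects
-----------------------------
Default Domain Policy
Local Group Policy
The following GPOs were not applied because they were filtered out
-------------------------------------------------------------------
Small Business Server Lockout Policy
Filtering: Disabled (GPO)
The user is a part of the following security groups
---------------------------------------------------
Domain Users
BUILTIN\Administrators
Domain Admins
"""

ADMIN_GROUPS = {"builtin\\administrators", "domain admins"}

def _norm(name):
    # The thread writes both "TS Lockdown" and "TSLockdown": ignore case/spaces.
    return re.sub(r"\s+", "", name).lower()

def parse_rsop(text):
    """Return {'computer': {...}, 'user': {...}} with dn, applied, filtered, groups."""
    report, scope, section, last = {}, None, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or set(line) == {"-"}:          # blank line or ----- rule
            continue
        if line in ("COMPUTER SETTINGS", "USER SETTINGS"):
            scope = report.setdefault(line.split()[0].lower(),
                {"dn": None, "applied": [], "filtered": {}, "groups": []})
            section, last = "dn", None
        elif scope is None:                          # report header, not needed
            continue
        elif line == "Applied Group Policy Objects":
            section = "applied"
        elif line.startswith("The following GPOs were not applied"):
            section = "filtered"
        elif "is a part of the following security groups" in line:
            section = "groups"
        elif section == "dn" and line.startswith("CN="):
            scope["dn"] = line
        elif section == "applied":
            scope["applied"].append(line)
        elif section == "filtered":
            if line.startswith("Filtering:") and last:
                scope["filtered"][last] = line.split(":", 1)[1].strip()
            elif not line.startswith("WMI Filter:"):
                last = line                          # a GPO name; reason follows
                scope["filtered"][last] = "unknown"
        elif section == "groups":
            scope["groups"].append(line)
    return report

def gpo_status(report, scope, gpo_name):
    """'applied', 'filtered: <reason>', or 'absent' for one scope."""
    data, want = report[scope], _norm(gpo_name)
    if any(_norm(g) == want for g in data["applied"]):
        return "applied"
    for name, reason in data["filtered"].items():
        if _norm(name) == want:
            return "filtered: " + reason
    return "absent"

def diagnose(report, gpo_name):
    """List findings about gpo_name across both scopes of the report."""
    findings = []
    for scope in ("computer", "user"):
        status = gpo_status(report, scope, gpo_name)
        if status == "absent":
            findings.append(f"{scope}: '{gpo_name}' is neither applied nor filtered")
        elif status != "applied":
            findings.append(f"{scope}: '{gpo_name}' {status}")
    admins = [g for g in report["user"]["groups"] if g.lower() in ADMIN_GROUPS]
    if admins:  # relevant to the advice about denying the policy to the admin group
        findings.append("user: test account is in " + ", ".join(admins))
    return findings
```

Run against the sample, `diagnose(parse_rsop(SAMPLE_REPORT), "TS Lockdown")` returns three findings: the GPO is listed in neither scope, and the account used for the test is a member of administrative groups.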

Guest cendrars
Posted

RE: Mandatory TS user profiles... Admin rights

 

You are on your way Grasshopper!

 

Let us know how you make out! Good luck!

Guest Noncentz303
Posted

RE: Mandatory TS user profiles... Admin rights

 

Ahh the sweet smell of sorta success :)

I enabled the GPO and I definitely saw changes:

The configurations that I enabled for my TSLockdown GPO "Computer Configuration" took effect immediately. ex. I enabled a program to run on startup and it worked no problem

I'm assuming since it was a computer setting no matter who I log in as on that TS it will enable the "Computer Configuration" from my GPO... that's fine, I will probably set up another GPO to handle admin users

But with "User Configuration" I don't see the changes that I set in my Lockdown GPO. Such as hiding drives and getting rid of the shutdown icon. This is making it hard for me to see if the group I set up is actually working correctly.

Do some of these settings require a restart?
