Controlling Logon Environment SBS Style on Standard Server
HandyAndyNote: The following was actually a reply to a fellow SMBTN Member on the SMBTN Member Forum. I asked Michael for permission to reprint it because I thought it was not only a great how-to piece, but also a wonderful example of community spirit and helping others without regard to them being competition. It is this kind of interaction between members that has helped SMBTN grow from a few small groups in Southern California to the International Success Story it has become today!
If you know SBS, then you can use a lot of what it creates for you on an SBS network as a template for doing the same thing on a Windows network that is non-SBS.
I would set login scripts that map drives and do basic things like that by adding the name of the script to the "Logon script" field on the Profile tab of the user's Properties window. You don't have to provide a full path if the login script is in the NETLOGON share - just enter the script's filename. I typically set a company-wide login script here. However, at the end of the login script, I have a line that checks for the existence of any other scripts in the NETLOGON share that have the user's user name in the filename. If they exist, they are called and run as well. This allows me to set user-wide settings in the first (main) login script and I can then customize each user's environment easily using secondary login scripts.
If you want other scripts to run when the user logs in, then I would add those scripts to the NETLOGON share as well and point to them within a GPO. The place to do so is User Configuration\Windows Settings\Scripts\Logon. Here, you need to use the full UNC path (\\<servername>\NETLOGON\<scriptname>). For example, I have a simple script that runs whenever someone logs on to a computer and another script that runs whenever they log off a computer. They record information such as date, time, user ID, & computer name to a text file. These are both set to run here (obviously, the logoff script is set under User Configuration\Windows Settings\Scripts\Logoff).
As you have SBS servers to look at, I would suggest you use the Small Business Server Folder Redirection GPO as a guide of how to both automatically create the user's folder on the server and redirect their My Documents to that folder. To see the settings of this particular GPO, you need to open the Group Policy Management Console (GPMC). To do so, on the SBS server you can click any of the following:
- Start > Administrative Tools > Group Policy Management
- Start > Control Panel > Administrative Tools > Group Policy Management
- Start > All Programs > Administrative Tools > Group Policy Management
Once you have the console open, you can open Group Policy Management > <forest name> > Domains > <domain name> > Group Policy Objects > Small Business Server Folder Redirection. Note that this GPO will not exist unless you have configured redirection of My Documents using the wizard accessed from within the Server Management console.
Once you've selected the GPO, you can click on the Settings tab to see how the GPO is configured. You can even back up the GPO by right-clicking on the name of the GPO in the left-hand navigation pane and selecting Back up. You would then take that backup file to your other server and create an empty GPO, right-click on the name and select Import Settings to import that GPO into your new server's Active Directory. Note that this type of GPO has UNC names and therefore, you can use a Migration Table in order to modify those UNC paths for the new environment. You will only be able to back up and import settings of the GPOs if you act on the actual GPOs under the Group Policy Objects container. You cannot do this when you right-click the GPO links found elsewhere in the navigation pane.
In addition to the typical settings that SBS creates for that GPO, I also select to encrypt the Offline Files cache, disable slow link detection, allow processing across a slow network connection, set the GPO to enforced, and process even if the GPO has not changed. This is because I have seen occasions where the user has lost the redirection when accessing the server over either a slow wireless or VPN connection. In these cases, their My Documents folder reverted to a folder under their local user profile which was empty. This obviously freaks out users because they open their My Documents folder and nothing's there! Since implementing these additional settings, I've never had this reoccur even when users access the server from slow dial-up connections from overseas while on travel.
When you set the GPO, I recommend that you use the following settings to automatically create the user's folder on the server. Under User Configuration\Folder Redirection\My Documents, select the Basic setting (redirect everyone's folder to the same location) and use the following path: \\<servername>\<sharename>\%username%\My Documents. Replace <servername>\<sharename> with the appropriate names but leave %username% as-is because that is an environment variable that will create the user's folder if it doesn't exist. Also, check out the permission settings (NTFS & share) on the Users share on the SBS server. Set those same settings on the share that you create to hold the My Documents folder on the Windows server. Note that this share should only be used to hold redirected folders (and possibly PST backups if you use the PST backup tool).
This folder redirection wizard should probably be set at the domain level. Therefore, you will want to link the GPO to the domain object. You can do this simply by selecting the GPO under the Group Policy Objects container and dragging and releasing it on the domain container. The domain should now be listed on the Scope tab of the GPO in the links section.
Lastly, I no longer recommend either setting the home folder on the Profile tab of the user's Properties window or setting a roaming profile on that same tab. Home folders don't work well with redirected folders when they are pointing to the same folder on the server. And, if you have redirected their My Documents folder, there's no longer any need for a home folder, especially for a new domain. And, I just don't see a need any longer for a roaming profile except perhaps in very specific circumstances. They create too many headaches and using redirected folders in combination with Offline Files and Folders just seems to be much more stable. Also, logins will be much faster when not using roaming profiles.
Hope this helps you. Just remember that you can use a lot of what SBS uses as a guide into how to set up a basic domain-based network. Sure, there are places where you can deviate from what it does but it's a good start, especially if you're new to doing all of this manually.
I would suggest you purchase the Windows Server 2003 Resource Kit as it provides a lot of guidance into how to control an environment using profile settings and GPOs.
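The logon-script pattern described earlier in this post (a main script that records the session and then chains per-user scripts from NETLOGON), as an added example that is not part of the original post or the author's own script. It assumes clients that can run PowerShell logon scripts; the log share path, the function names and the `<user>[-<tag>].cmd` naming rule are all hypothetical.

```powershell
# Added example. The share paths and the <user>[-<tag>].cmd naming rule are assumptions.
$NetlogonRoot = '{0}\NETLOGON' -f $env:LOGONSERVER          # e.g. \\DC01\NETLOGON
$SessionLog   = '\\<servername>\<logshare>\sessions.csv'    # placeholder, not from the post

function New-SessionRecord {
    # Builds one CSV row: timestamp, event, user ID, computer name.
    param(
        [ValidateSet('LOGON', 'LOGOFF')][string]$Kind,
        [string]$User     = $env:USERNAME,
        [string]$Computer = $env:COMPUTERNAME,
        [datetime]$When   = (Get-Date)
    )
    # Replace quotes, commas and line breaks so a crafted name cannot forge extra rows.
    $fields = $When.ToString('s'), $Kind, $User, $Computer |
        ForEach-Object { $_ -replace '[",\r\n]', '_' }
    $fields -join ','
}

function Get-UserLogonScript {
    # Returns only <user>.cmd or <user>-<tag>.cmd, so user "al" never runs "alice.cmd".
    param([string]$Root, [string]$User)
    $pattern = '^{0}(-[A-Za-z0-9_]+)?\.cmd$' -f [regex]::Escape($User)
    Get-ChildItem -LiteralPath $Root -Filter '*.cmd' -File |
        Where-Object { $_.Name -match $pattern } |
        Sort-Object -Property Name
}

# 1. Record the logon (the logoff script calls the same function with -Kind LOGOFF).
Add-Content -LiteralPath $SessionLog -Value (New-SessionRecord -Kind LOGON)

# 2. Company-wide settings (drive mappings and so on) would go here.

# 3. Chain any per-user scripts last, as the post describes.
foreach ($script in (Get-UserLogonScript -Root $NetlogonRoot -User $env:USERNAME)) {
    & $script.FullName
}
```

Both the log write and the chained scripts run in the logging-on user's context, so keep NETLOGON writable by administrators only and treat the session log as user-writable rather than tamper-proof.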