WARNING - READ ONLY AFTER CAFFEINE INTAKE!
- - - - - - - - - - - - - - - - - - - - - -

Ok - now that the subject line may have put you off, check this out:
We are running a single Win2K server (sp3) with 25 WinXP (sp1) clients attached as a small domain. 15 of the machines are for student use (I work at a school), subsequently we want to:

(a) use group policy to lock down the workstations en masse
(b) use mandatory profiles per year group for easier maintenance

I have these 15 machines and all the users in an OU tree like this:

    Domain - Library OU - Students
    Domain - Library OU - machines

The group policy I have created is applied at the Library OU level. There are no other group policies applied (no changes made to the default domain policy, so no effect there).

I created a test user (exactly the same as one of the students) to create the profile, it copied back to the server, and I renamed "ntuser.dat" to "ntuser.man". BINGO - mandatory profile.

HOWEVER - when I log on as the test user, I get the full effect of the group policy (specific coloured background, no run in the start menu, etc) AND the profile applied as a mandatory one as it all should. Works great.

When I log on as any other user (identical permissions, groups, etc), with this mandatory profile specified as the profile for this user, I get a mish-mash of the profile and the policy applied. E.G. I get the coloured background I specified, and the desktop shortcuts I created, but I also get run accessible in the start menu and can change the desktop colour/background, etc.

If I make it so this user has a mandatory profile that was created by that account, or has its own roaming profile (with the group policy applied) - everything works as it should - policy is in effect in full force. It ONLY happens when I give this user the mandatory profile I created with the test user.

It's got me baffled, and I can't let students use the machines until I am sure I have locked them down. The way it is working now, they are FAR from locked down!

The only thing I can think of that I haven't tried is to change the ownership of the profile contents once I have made it a mandatory one on the server to the Local Security group all the users are in. I wouldn't have thought it would make a difference... but I guess I'll find out tomorrow!

All help and resolutions gratefully accepted. You all are such a wealth of knowledge on this list - Thanks in advance.

Steve Molkentin, MCP
IT Trainer/HelpDesk
D/Dial - 07 3372 0819
Mobile - 0410 680 018
Forest Lake College
http://www.forestlakecollege.com.au
The Springfield College
http://www.thespringfieldcollege.com.au
