And although we don’t have thousands at once, I have a lot of mandatory roaming profiles in use by multiple stations, sometimes 50+ at once in elementary school labs (usually for K-2). We generally do this for any extremely “generic” requirement and lock it to specific workstation logons. Most of these have policies plus SRP or AppLocker to control what they are allowed to run.

I will note that we had an older state testing app about three years ago that required writing log data to the profile, so we were not able to use mandatory profiles in that scenario (tried and they would lose information they needed). Bad design, but it wasn’t going to be fixed that year so we couldn’t use them. When fixed, they moved it to the home directory, which also meant kids couldn’t share a logon and it wreaked havoc with our quota settings. Completely different program now—I’m sure it has its own issues.

But the bigger issue is if you don’t have any roaming profiles now, you don’t know what kind of load that will be on a central server for them to get the .man profile loaded the first time (and at each logon). I like James’s idea to copy it locally as well, but guaranteeing that 1000+ machines all get the correct settings in time is tough.

-Bonnie

From: [email protected] [mailto:[email protected]] On Behalf Of James Rankin
Sent: Thursday, January 22, 2015 6:08 AM
To: [email protected]
Subject: Re: [NTSysADM] RE: OT Java issue.

"Roaming profile is tempting Bonnie, but there will be 1000+ using that profile at the same time. That scares me."

I regularly set up single roaming mandatory profiles for use by tens of thousands of users. Don't see any issues.

You could create a single mandatory profile, and then copy it to the C: drive of every machine via a GPP File, if the chances of locking it bothered you.

Here's a good guide (IMO!) to creating mandatory profiles just in case you take the plunge - http://appsensebigot.blogspot.co.uk/2014/10/create-windows-mandatory-profiles-in.html

On 22 January 2015 at 14:01, Kennedy, Jim <[email protected]> wrote:

Going to reply here, and consolidate responses from everyone. Much appreciated.

“Automatically activate newly installed…..” Already enabled, does not help.
Protected mode does solve the Trusted sites issue, but then just creates another warning about Protected sites being disabled.
Allow ActiveX filtering – disable – no help.
Allow previously unused ActiveX to run w/o prompt – enabled….already on, no help.
Modifying zone settings is great idea!! Umm, wait…what settings should I modify? ☺
Roaming profile is tempting Bonnie, but there will be 1000+ using that profile at the same time. That scares me.

Trusted sites does fix this prompt but it breaks their crap setup where they auth the user at one domain then pass the auth token to another domain. IE hates that and for good reason.

So, I have multiple days in this, and the bottom line, they are going to have to hit the allow button. Good news is they will only have to do it once per machine since they are all using the same computers and accounts.

Thanks for the try gang, going to give up on this one.

From: [email protected] [mailto:[email protected]] On Behalf Of Aakash Shah
Sent: Wednesday, January 21, 2015 8:38 PM
To: [email protected]
Subject: [NTSysADM] RE: OT Java issue.

Also, if the message in IE that you are getting about add-ons is prompting the user to allow/enable it, you can prevent this message by configuring “Automatically activate newly installed add-ons” under Administrative Templates | Windows Components | Internet Explorer (available under both Computer and User configuration). This will automatically run the add-on as long as it has been installed.

If you get the notifications about speed/slowness, you can disable this by enabling “Turn off add-on performance notifications” in the same area above.

-Aakash Shah

From: Aakash Shah
Sent: Wednesday, January 21, 2015 5:31 PM
To: '[email protected]'
Subject: RE: OT Java issue.

+1. This can also be done using native GPs too.

Also, note that if you disable Protected Mode in IE, that should avoid the cookie problem you noticed when browsing between the Internet and Trusted Sites zone.
More information at: http://blogs.msdn.com/b/ieinternals/archive/2011/03/10/internet-explorer-beware-cookie-sharing-in-cross-zone-scenarios.aspx

-Aakash Shah

From: [email protected] [mailto:[email protected]] On Behalf Of Miller Bonnie L.
Sent: Wednesday, January 21, 2015 2:03 PM
To: '[email protected]'
Subject: [NTSysADM] RE: OT Java issue.

I feel for you—we have testing coming soon too. Just my thoughts…

Try modifying your Internet zone settings (can be done for the one user via GPP) to make them similar to trusted. I’m not sure exactly which advanced setting would cause this prompt, but maybe something in the scripting section or removing protected mode.

Other thought would be to set up a mandatory roaming profile on the user, with questions answered the way you want to allow everything to run.

-Bonnie

From: [email protected] [mailto:[email protected]] On Behalf Of Kennedy, Jim
Sent: Wednesday, January 21, 2015 1:17 PM
To: '[email protected]'
Subject: [NTSysADM] OT Java issue.

Need a hand here gang, this is part of a giant nightmare called state mandated student testing that is a mess. And I am under the gun. I had this working, today it blew up. 5 days to the statewide test.

Java 8 u31 IE 11.

I need a user policy, or reg hack I can push to get IE to not ask these little kids “This webpage wants to run the following add-on”

I have hit it with everything I can think of on the GPO side and the only thing that really works user side is putting the site in ‘trusted sites’. But that blows up other things because they pass authentication cookies between domains.

This will be one user that they all will use, I don’t care if IE is safe for this user, the filter keeps them on one website only.

--
James Rankin
---------------------
RCL - Senior Technical Consultant (ACA, CCA, MCTS) | The Virtualization Practice Analyst - Desktop Virtualization
http://appsensebigot.blogspot.co.uk

