win2k3 profiles

I have inherited a Windows 2003 Server network with XP Pro workstations and
am confused about the user profiles.
Some workstations don't even log on to the domain and do not appear in the
active directory (never joined the domain?).
Others do log on to the domain but seem to have local profiles.
Ideally I would like to have all workstations to logon to the domain, have
user profiles on the server, and have my documents redirected to a personal
folder on the server. And ultimately have the profiles roam.
How do I implement profiles on the Server, join a workstation to the server,
move a users local profile to the server, and force redirection of their my
documents folder to a location on the server?
Thank you!

Just curious... if you don't know how to do these things, it infers that you
have never done them before. If you have never done them before, how do you
know you need to do them? is there any problem with the way the network is
running now? IOW, what "problem" do you want to solve? There is no need to
change stuff just "because you can".

-Frank

"somebody" <(E-Mail Removed)> wrote in message
news:luYyh.2442$177.2398@trndny08...
>I have inherited a Windows 2003 Server network with XP Pro workstations and
>am confused about the user profiles.
> Some workstations don't even log on to the domain and do not appear in the
> active directory (never joined the domain?).
> Others do log on to the domain but seem to have local profiles.
> Ideally I would like to have all workstations to logon to the domain, have
> user profiles on the server, and have my documents redirected to a
> personal folder on the server. And ultimately have the profiles roam.
> How do I implement profiles on the Server, join a workstation to the
> server, move a users local profile to the server, and force redirection of
> their my documents folder to a location on the server?
> Thank you!
>
>

Frank, I have been reading this and other groups and understand that these
things can be done and I see great benefits in doing them. The benefits
include having all data on the server for centralized backup, having
workstation members of the domain for Windows and Antivirus updates, being
able to set policies that permit/restrict specific user activity, etc. I
see our office as vulnerable because of each of these points. People
install software at will, data is saved on workstations, anti virus is not
centralized, etc. I hope that answers your question and that someone could
please answer mine. I do want to add to my list of questions; how to do
desktop redirection (which I understand helps keep the user profile small).
Thank you.

"Frankster" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed) ...
> Just curious... if you don't know how to do these things, it infers that
> you have never done them before. If you have never done them before, how
> do you know you need to do them? is there any problem with the way the
> network is running now? IOW, what "problem" do you want to solve? There
> is no need to change stuff just "because you can".
>
> -Frank
>
> "somebody" <(E-Mail Removed)> wrote in message
> news:luYyh.2442$177.2398@trndny08...
>>I have inherited a Windows 2003 Server network with XP Pro workstations
>>and am confused about the user profiles.
>> Some workstations don't even log on to the domain and do not appear in
>> the active directory (never joined the domain?).
>> Others do log on to the domain but seem to have local profiles.
>> Ideally I would like to have all workstations to logon to the domain,
>> have user profiles on the server, and have my documents redirected to a
>> personal folder on the server. And ultimately have the profiles roam.
>> How do I implement profiles on the Server, join a workstation to the
>> server, move a users local profile to the server, and force redirection
>> of their my documents folder to a location on the server?
>> Thank you!
>>
>>
>

Okay, here's my input... (everybody has an opinion, and this is mine! )

First though, you say you "inherited" this server. Can I assume you also
inherited the responsibility for the whole network? Or just the server? For
the sake of my answers I'm gonna assume you have control of the whole
network, clients and all.

Also, keep in mind that you should weigh the benefit of any change against
actual improved user experience and/or security. And... ease of admin, of
course. But I can tell you right now that many outfits could care less about
"ease of admin", so they will typically give that last priority. Bottom
line, anytime you change the way a user interacts with the system, they'll
expect to see an improvement that benefits them. Otherwise it's just another
unwanted change.

With that out of the way...

Q: Some workstations don't even log on to the domain and do not appear in
the active directory (never joined the domain?).
A: Yes, that's what I would say. Probably never joined the domain. Any
profiles on the server indicate that there was, at one time at least, a
roaming profile configured for this user. The server is probably configured
to allow "Everyone - Full" permissions. So, no need to be a domain member.
BTW, this is not ALL that unusual in workplaces that have "evolved" from one
or two stand-alone PCs to finally installing a server. Sometimes they even
hire someone to install the server, but the workstations are not joined to a
domain. Maybe the server isn't even installed as a Domain Controller. Just
depends. Additionally, if local accounts have been configured on the PCs,
I've seen workers just logon to their local account rather than the domain.
Most don't understand about the pulldown arrow to select the domain. Most
don't know the difference. Ideally, there will be no local accounts on the
machines.

Q: Others do log on to the domain but seem to have local profiles.
A: Domain membership does not automatically create Roaming profiles. That
has to be done manually by the admin. There are plusses and minuses to
roaming profiles. They are not always better. Personally, I only configure
roaming profiles unless 2 conditions are met. 1) Most (all?) of the
workers have the potential to log on to other machines often, and, 2) every
machine in the place is IDENTICAL (programs, hard drives, operating systems,
etc. - IDENTICAL). If either one of these criteria are absent, roaming
profiles may not be the best way.

Q: I would like to have all workstations to logon to the domain, have user
profiles on the server, and have my documents redirected to a personal
folder on the server.
A: I think you know already, but roaming profiles are not necessary for
server-stored user data directories. You can have a drive automatically
mapped to the server where the user stores all their data. In fact you
SHOULD! For reasons you mentioned. But that is different from the profile.
One thing to note is that I do understand that many users store all their
documents in the "My Documents" folder under their --- yes... PROFILE on the
local machine. That is NOT a good idea, ever. The users should be educated
about the perils of storing their data on the local machine (no backup as
well as much higher potential for corruption being "within" the user
profile. All data should be stored on the server.

Q: How do I implement profiles on the Server
A: To to the domain user account on the server and configure a path for a
home directory that resides on the server and enable a roaming profile for
that user. This is done (or not done) on a per user basis. Obviously there
are more details, but you get the idea.

Q: [How do I...] join a workstation to the server
A: FYI... XP Home cannot join a Windows Domain. XP Pro can. There is more
than one way. You can do it on the server or from the WS. I prefer from the
WS. Go to the WS, logon as Administrator, go to the properties of "My
Computer", choose Computer Name | Change, change from Workgroup to Domain.
You will be asked for an account on the server with appropriate permissions
to join a domain - that would be
<DomainAdministrator>|<DomainAdministratorPassword >. Then just follow
instructions.

Q: [How do I...] move a users local profile to the server, and force
redirection of their my documents folder to a location on the server?
A: Profile info above. As for redirection of the "My Documents" folder, yes,
you can do that. MS has a TechNet article on it I believe. I've never done
it because I don't believe in it. Instead I believe in educating users to
save all their information on their own special mapped server
drive/directory, not in "My Documents". Just my opinion.

Good luck. Any more questions, let 'er rip.

-Frank

"somebody" <(E-Mail Removed)> wrote in message
news:XP%yh.2$H77.1@trndny08...
> Frank, I have been reading this and other groups and understand that these
> things can be done and I see great benefits in doing them. The benefits
> include having all data on the server for centralized backup, having
> workstation members of the domain for Windows and Antivirus updates, being
> able to set policies that permit/restrict specific user activity, etc. I
> see our office as vulnerable because of each of these points. People
> install software at will, data is saved on workstations, anti virus is not
> centralized, etc. I hope that answers your question and that someone
> could please answer mine. I do want to add to my list of questions; how
> to do desktop redirection (which I understand helps keep the user profile
> small). Thank you.
>
> "Frankster" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed) ...
>> Just curious... if you don't know how to do these things, it infers that
>> you have never done them before. If you have never done them before, how
>> do you know you need to do them? is there any problem with the way the
>> network is running now? IOW, what "problem" do you want to solve? There
>> is no need to change stuff just "because you can".
>>
>> -Frank
>>
>> "somebody" <(E-Mail Removed)> wrote in message
>> news:luYyh.2442$177.2398@trndny08...
>>>I have inherited a Windows 2003 Server network with XP Pro workstations
>>>and am confused about the user profiles.
>>> Some workstations don't even log on to the domain and do not appear in
>>> the active directory (never joined the domain?).
>>> Others do log on to the domain but seem to have local profiles.
>>> Ideally I would like to have all workstations to logon to the domain,
>>> have user profiles on the server, and have my documents redirected to a
>>> personal folder on the server. And ultimately have the profiles roam.
>>> How do I implement profiles on the Server, join a workstation to the
>>> server, move a users local profile to the server, and force redirection
>>> of their my documents folder to a location on the server?
>>> Thank you!
>>>
>>>
>>
>
>

Frankster,
Thank you! That is very helpful.
You are correct, I am now responsible for this entire ball of wax.
Your observations about criteria that makes roaming profiles plausible is
helpful. I had not even thought about the applications installed on the
workstations and they are indeed different... so roaming profiles will
probably not make sense or be very userful. You helped me clairfy what I
should do to tidy things up without going overboard. Here is my revised
plan. If you don't mind reading it I would welcome your thoughts on it:
1) set a password on the local administrator account
2) join the necessary workstations to the domain with
system-properties/computername/domain
3) log on locally as administrator and add the domain user as a user with
standard local rights (not power user or administrator)
4) log on as the user/domain to create the folder/file structure for the
user profile
5) copy the profile from the old user account to the user.domain manually (I
am not sure about this, but suppose that I could just copy the contents of
desktop folder, my docs folder, favorites folder and then log on as the user
and import the outlook settings - or is there a better way?)
6) delete the old user/local profiles
7) implement my documents redirection if I want to
This isn't as sexy as the roaming profiles etc but it does seem quite
practical and straight forward, organized, and meets most of my goals (data
stored on the server for backup, workstations part of domain for anti virus
and windows update rollouts. I know that once all the workstations are
joined to the server then the Antivirus software deployment is a snap. I
really look forward to that.
Also, I think your comment about users not appreciating change without a
benefit is very insightful. I have to keep that in mind.
Thanks again for all of your help.


"Frankster" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed) ...
> Okay, here's my input... (everybody has an opinion, and this is mine!
> ) )
>
> First though, you say you "inherited" this server. Can I assume you also
> inherited the responsibility for the whole network? Or just the server?
> For the sake of my answers I'm gonna assume you have control of the whole
> network, clients and all.
>
> Also, keep in mind that you should weigh the benefit of any change against
> actual improved user experience and/or security. And... ease of admin, of
> course. But I can tell you right now that many outfits could care less
> about "ease of admin", so they will typically give that last priority.
> Bottom line, anytime you change the way a user interacts with the system,
> they'll expect to see an improvement that benefits them. Otherwise it's
> just another unwanted change.
>
> With that out of the way...
>
> Q: Some workstations don't even log on to the domain and do not appear in
> the active directory (never joined the domain?).
> A: Yes, that's what I would say. Probably never joined the domain. Any
> profiles on the server indicate that there was, at one time at least, a
> roaming profile configured for this user. The server is probably
> configured to allow "Everyone - Full" permissions. So, no need to be a
> domain member. BTW, this is not ALL that unusual in workplaces that have
> "evolved" from one or two stand-alone PCs to finally installing a server.
> Sometimes they even hire someone to install the server, but the
> workstations are not joined to a domain. Maybe the server isn't even
> installed as a Domain Controller. Just depends. Additionally, if local
> accounts have been configured on the PCs, I've seen workers just logon to
> their local account rather than the domain. Most don't understand about
> the pulldown arrow to select the domain. Most don't know the difference.
> Ideally, there will be no local accounts on the machines.
>
> Q: Others do log on to the domain but seem to have local profiles.
> A: Domain membership does not automatically create Roaming profiles. That
> has to be done manually by the admin. There are plusses and minuses to
> roaming profiles. They are not always better. Personally, I only configure
> roaming profiles unless 2 conditions are met. 1) Most (all?) of the
> workers have the potential to log on to other machines often, and, 2)
> every machine in the place is IDENTICAL (programs, hard drives, operating
> systems, etc. - IDENTICAL). If either one of these criteria are absent,
> roaming profiles may not be the best way.
>
> Q: I would like to have all workstations to logon to the domain, have user
> profiles on the server, and have my documents redirected to a personal
> folder on the server.
> A: I think you know already, but roaming profiles are not necessary for
> server-stored user data directories. You can have a drive automatically
> mapped to the server where the user stores all their data. In fact you
> SHOULD! For reasons you mentioned. But that is different from the profile.
> One thing to note is that I do understand that many users store all their
> documents in the "My Documents" folder under their --- yes... PROFILE on
> the local machine. That is NOT a good idea, ever. The users should be
> educated about the perils of storing their data on the local machine (no
> backup as well as much higher potential for corruption being "within" the
> user profile. All data should be stored on the server.
>
> Q: How do I implement profiles on the Server
> A: To to the domain user account on the server and configure a path for a
> home directory that resides on the server and enable a roaming profile for
> that user. This is done (or not done) on a per user basis. Obviously there
> are more details, but you get the idea.
>
> Q: [How do I...] join a workstation to the server
> A: FYI... XP Home cannot join a Windows Domain. XP Pro can. There is more
> than one way. You can do it on the server or from the WS. I prefer from
> the WS. Go to the WS, logon as Administrator, go to the properties of "My
> Computer", choose Computer Name | Change, change from Workgroup to Domain.
> You will be asked for an account on the server with appropriate
> permissions to join a domain - that would be
> <DomainAdministrator>|<DomainAdministratorPassword >. Then just follow
> instructions.
>
> Q: [How do I...] move a users local profile to the server, and force
> redirection of their my documents folder to a location on the server?
> A: Profile info above. As for redirection of the "My Documents" folder,
> yes, you can do that. MS has a TechNet article on it I believe. I've never
> done it because I don't believe in it. Instead I believe in educating
> users to save all their information on their own special mapped server
> drive/directory, not in "My Documents". Just my opinion.
>
> Good luck. Any more questions, let 'er rip.
>
> -Frank
>
> "somebody" <(E-Mail Removed)> wrote in message
> news:XP%yh.2$H77.1@trndny08...
>> Frank, I have been reading this and other groups and understand that
>> these things can be done and I see great benefits in doing them. The
>> benefits include having all data on the server for centralized backup,
>> having workstation members of the domain for Windows and Antivirus
>> updates, being able to set policies that permit/restrict specific user
>> activity, etc. I see our office as vulnerable because of each of these
>> points. People install software at will, data is saved on workstations,
>> anti virus is not centralized, etc. I hope that answers your question
>> and that someone could please answer mine. I do want to add to my list
>> of questions; how to do desktop redirection (which I understand helps
>> keep the user profile small). Thank you.
>>
>> "Frankster" <(E-Mail Removed)> wrote in message
>> news:(E-Mail Removed) ...
>>> Just curious... if you don't know how to do these things, it infers that
>>> you have never done them before. If you have never done them before, how
>>> do you know you need to do them? is there any problem with the way the
>>> network is running now? IOW, what "problem" do you want to solve? There
>>> is no need to change stuff just "because you can".
>>>
>>> -Frank
>>>
>>> "somebody" <(E-Mail Removed)> wrote in message
>>> news:luYyh.2442$177.2398@trndny08...
>>>>I have inherited a Windows 2003 Server network with XP Pro workstations
>>>>and am confused about the user profiles.
>>>> Some workstations don't even log on to the domain and do not appear in
>>>> the active directory (never joined the domain?).
>>>> Others do log on to the domain but seem to have local profiles.
>>>> Ideally I would like to have all workstations to logon to the domain,
>>>> have user profiles on the server, and have my documents redirected to a
>>>> personal folder on the server. And ultimately have the profiles roam.
>>>> How do I implement profiles on the Server, join a workstation to the
>>>> server, move a users local profile to the server, and force redirection
>>>> of their my documents folder to a location on the server?
>>>> Thank you!
>>>>
>>>>
>>>
>>
>>
>