| Author | Messages | |
mt_100
Posts:0
 | | 04/21/2008 12:51 PM |
| I would like to start using the Home Folder setting in AD to map the personal drives for all my users but can't seem to get it to work for remote users. When a user is on the network the drive maps just fine however when they come in through VPN it does not map.
Does anyone know how to get it to work for remote users?
| | | |
| bdesmond
Posts:977
 | | 04/21/2008 1:06 PM |
| Name resolution?
If you specify \\server\share can the shortname be resolved over VPN?
--brian
-- Thanks, Brian Desmond brian@briandesmond.com
c - 312.731.3132
| | | |
| RichardKline
Posts:11
 | | 04/21/2008 1:26 PM |
| Our company has the issue where the VPN service is not AD aware. The users have a separate authentication process.
So the users must manually map all accesses. None of the automatic AD or login script mappings come through.
Rich
| | | |
| davewade
Posts:116
 | | 04/22/2008 10:40 AM |
| Mike,
Well your VPN connection needs to work as part of the logon process, and not after logon has completed. If the user logs on with cached credentials and then connects they won't get a home drive (or logon script).
Dave Wade
| | | |
| robertsingers
Posts:571
 | | 04/22/2008 5:57 PM |
| You can solve the home drive issue by the old administratively configured offline folders\drives in the GPO somewhere that I can't remember off the top of my head.
| | | |
| robertsingers
Posts:571
 | | 04/23/2008 12:24 AM |
| Actually we do redirect My Documents to "H" and off the top of my head make "H" synchronised offline for laptops.
The issue for me being a quasi sort of super user is that I can run iTunes which insists on using the My Music folder. And the redirection puts this on my network H drive. If I change the User Shell folder and the Shell folder to a local directory, the redirection just sets it back.
So I end up cursing Apple for their blind adherence to Microsoftisms.
So I'm thinking my POC for testing GPOs on security groups will be to tattoo those registry keys using the PolicyMaker(tm) Registry Extension Client.
________________________________
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Dan Holme Sent: Wednesday, 23 April 2008 3:56 p.m. To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] AD Home Folder and Remote User
The setting is Administratively assigned offline files. User Configuration\Administrative Templates\Network\Offline Files.
Note if you're going to this extreme, really think about redirection instead.
| | | |
| danholme
Posts:165
 | | 04/23/2008 4:33 AM |
| Something is wrong with your configuration. I've worked with this specific configuration (dealing with iTunes and keeping it local) and it worked great.
Not sure what would be different, but, off the top of my head, use Group Policy to redirect My Music rather than a straight reg hack. The order in which changes are applied will probably make the difference. I have an ADM file that is part of my User Data & Settings articles (Feb & Mar issues of Windows IT Pro Magazines) or in Chapter 3 of the Windows Administration Resource Kit. I'm guessing that's why it worked for me and is not working for you.
The whole reason "microsoftisms" exist is to allow us to manage data the right way. Unfortunately, Microsoft doesn't always make it easy for us to identify "the right way" :-) And in this case, it's using GP ADM (or GP Preferences) to redirect My Music.
Don't need to use PolicyMaker any more... Group Policy Preferences have been RTM'd.
Dan
| | | |
| robertsingers
Posts:571
 | | 04/23/2008 5:16 PM |
| I have no problem with the Microsoftism. What annoys me is that there is a registry entry for iTunes called "Win2KMyMusicFolder" which points at the shell folder name. It would be much nicer if you could just alter this to point to something else and have iTunes change its behaviour.
And yes I'm looking forward to being able to replace several thousand lines of kixtart scripting with preferences :-)
| | | |
| gabriel/tfi
Posts:425
 | | 04/25/2008 8:18 PM |
| Don't your users scream when they use SMB over a low-latency VPN connection? :-)
I've not tried SMB 2.0 (Vista/2008) yet, but I never wanted my users to be mapped to any shared folder over VPN. It's definitely unusable and dramatically slows down things! (e.g. ages to browse My Computer).
Regards Gabriele.
| | | |
| danholme
Posts:165
 | | 04/25/2008 8:28 PM |
| FWIW, don't use that KB... use the Feb & March issues of Windows IT Pro magazine, or Chapter 3 of the Windows Administration Resource Kit. The permissions that are proposed in the KB are NOT correct - and not least privilege. The articles (which summarize the chapter) and the scripts in the RK will have you totally set up.
Dan
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Gabriele Scolaro Sent: Friday, April 25, 2008 2:22 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] AD Home Folder and Remote User
Folder Redirection GPO is nice, indeed.
With proper file server ACL settings you can achieve automatic Home Folder provision and avoid configuring the home folder in the user's AD account properties; I took inspiration from this http://support.microsoft.com/kb/274443/en-us with some modifications.
Regards - Gabriele
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Dan Holme Sent: Monday, 21 April 2008 20:18 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] AD Home Folder and Remote User
Use redirection policies instead. Home folders are very legacy, of course.
| | | |
| SteveRochford
Posts:10
 | | 04/30/2008 4:27 AM |
| Do you know if the correct permissions are documented anywhere on the MS site?
I think this is a classic MS misunderstanding of the words "security enhanced" - the idea that you would allow users to create folders at random on a file share which are not in a single controlled location sounds like a recipe for disaster. I work in a college; we try to keep a tight control on where users can put things partly to avoid the risk of some kind of DoS attack but also because if we don't control it then they will lose things!
Steve
| | | |
| mt_100
Posts:0
 | | 04/30/2008 1:03 PM |
| The solution I am going to use is to have the home drive set in their profile in AD and then when they come in via the VPN the script it runs will read the home drive attribute for the user and then map the drive.
| | | |
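One way to write the post-connect script described in the post above, as an added PowerShell example that is not part of the original thread: it reads the user's homeDirectory and homeDrive attributes from AD, checks that the file server name resolves over the tunnel, and maps the drive. It assumes a domain-joined client that can reach a domain controller once the VPN is up; the function names are hypothetical.

```powershell
# Added example, not from the thread. Run in the user's context after the VPN
# tunnel is up (for instance from the VPN client's post-connect hook).

function ConvertTo-LdapFilterValue {
    # Escape characters that are special inside an LDAP search filter (RFC 4515),
    # so an odd account name cannot change the meaning of the query.
    param([Parameter(Mandatory = $true)][string]$Value)
    [regex]::Replace($Value, '[\\*()\x00]', {
        param($m) '\{0:x2}' -f [int][char]$m.Value
    })
}

function Get-HomeFolderSetting {
    # Read homeDirectory / homeDrive for one account from the current domain.
    param([string]$SamAccountName = $env:USERNAME)

    $filter = '(&(objectCategory=person)(objectClass=user)(sAMAccountName={0}))' -f `
        (ConvertTo-LdapFilterValue -Value $SamAccountName)
    $searcher = [adsisearcher]$filter
    [void]$searcher.PropertiesToLoad.Add('homeDirectory')
    [void]$searcher.PropertiesToLoad.Add('homeDrive')

    $result = $searcher.FindOne()
    if (-not $result) { throw "No AD user found for '$SamAccountName'." }

    New-Object psobject -Property @{
        Path  = [string]($result.Properties['homedirectory'] | Select-Object -First 1)
        Drive = [string]($result.Properties['homedrive'] | Select-Object -First 1)
    }
}

function Connect-HomeDrive {
    param([string]$SamAccountName = $env:USERNAME)

    $hf    = Get-HomeFolderSetting -SamAccountName $SamAccountName
    $drive = $hf.Drive
    $path  = $hf.Path

    # Map only what looks like a drive letter and a UNC path; refuse anything else.
    if ($drive -notmatch '^[A-Za-z]:$') {
        throw "homeDrive is not set to a drive letter (value: '$drive')."
    }
    if ($path -notmatch '^\\\\[^\\/]+\\[^\\/]+') {
        throw "homeDirectory is not a UNC path (value: '$path')."
    }

    # Short server names often do not resolve over a VPN; fail with a clear message.
    $server = ($path -split '\\')[2]
    try {
        [void][System.Net.Dns]::GetHostEntry($server)
    } catch {
        throw "Cannot resolve '$server' over this connection. Check the VPN DNS settings or use an FQDN in homeDirectory."
    }

    # Leave an existing mapping alone rather than replacing it silently.
    if (Test-Path -Path ($drive + '\')) {
        Write-Verbose "$drive is already in use; nothing mapped."
        return $hf
    }

    & net.exe use $drive $path /persistent:no | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "net use failed with exit code $LASTEXITCODE."
    }
    $hf
}

Connect-HomeDrive
```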
| danholme
Posts:165
 | | 05/03/2008 5:09 PM |
| Sorry for the delayed response: I was away at WINDOWS CONNECTIONS this week.
Years ago I had a talk with the product team and got nowhere. "Least privilege security" of the "Users" root folder was not something they cared about. So no, the permissions are not documented. I had to literally hack at ACLs and have Auditing enabled to find out what permissions were being used where, and when.
This is an example of the least priv ACL of the "Users" folder (above each individual user's folder):
System::Allow::Full Control
  Apply To: This folder, subfolders, and files
Administrators::Allow::Full Control
  Apply To: This folder and subfolders
  Apply permissions within this container only
  Segregate roles between system Administrator and data administrators.
  You might even forego this permission altogether (in favor of the next permission) - depends on your InfoSec policies.
ACL_User Data and Settings_Admin::Allow::Full Control
  Apply To: Subfolders and files
  This provides a managed group that has full control of all UDS per InfoSec policies
ACL_User Data and Settings_Audit::Allow::Read & Execute
  Apply To: This folder, subfolders, and files
  This allows a managed group to have read access to all UDS per InfoSec policies
THE ABOVE, you'll note, has ZERO permissions for users... that is least privilege! It requires that you provision the users' folders before applying redirection / profile roaming / etc. i.e. the folders required must be put in place. Windows Administration Resource Kit has scripts that perform that provisioning. Then the (default) Traverse Folders *system privilege* allows users to go 'through' the Users folder to their specific folder (to which they will have permission) successfully. It's a beautiful world.
If you're going to use "Microsoft's way" in which when a user logs on their profile or redirected folder stores are created "on the fly" up on the server, then you have to open up permissions quite a bit, but still not as much as the KB proposes. This is what is necessary based on my testing & hacking (on top of the above permissions):
<User Group>::Allow::Read & Execute
  Apply To: This folder only
  <User Group> refers to a group that represents all users that will have folders in this "root" (can use Users or Auth Users or Everyone if it makes sense in your environment, but I prefer to manage it more specifically)
<User Group>::Allow::Create Folders/Append Data
  Apply To: This folder and subfolders
  Apply permissions within this container only
Creator Owner::Allow::Full Control (change to Owner Rights::Allow::Full Control if the server is WS2008)
  Apply To: Subfolders and files only
As you can see, if you want to use MS's "client creates the folder for you" method, you MUST allow users to create folders at the top level, which sucks in my opinion, but that's because the client functionality uses the users' credentials to do that. So I prefer to use a scripted/automated/provisioned method to manage folder creation, and then have a very secure environment.
Also note that users must "own" and have full control of their (specific) folders unless you go through some crazy (and IMO not useful) gymnastics.
HTH
Dan
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Steve Rochford Sent: Wednesday, April 30, 2008 1:23 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] AD Home Folder and Remote User
Do you know if the correct permissions are documented anywhere on the MS site?
I think this is a classic MS misunderstanding of the words "security enhanced" - the idea that you would allow users to create folders at random on a file share which are not in a single controlled location sounds like a recipe for disaster. I work in a college; we try to keep a tight control on where users can put things partly to avoid the risk of some kind of DoS attack but also because if we don't control it then they will lose things!
Steve
| | | |
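The least-privilege ACL for the "Users" root listed in the post above, expressed as an added PowerShell example (not code from the thread or from the Resource Kit): it applies the four ACEs and then reports any ACE on the root that is missing or unexpected. The root path `D:\Users`, the domain placeholder `CONTOSO`, the function names and the translation of the "Apply To" choices into .NET inheritance and propagation flags are assumptions of this example; the group names are the ones given in the post.

```powershell
# Added example, not from the thread. Run elevated on the file server.
# 'D:\Users' and 'CONTOSO' are placeholders; both groups must already exist.

function Get-UdsRootRules {
    # Expected ACEs on the "Users" root. "Apply To" choices from the post map to
    # InheritanceFlags / PropagationFlags as follows:
    #   This folder, subfolders, and files -> ContainerInherit, ObjectInherit / None
    #   This folder and subfolders         -> ContainerInherit                / None
    #   Subfolders and files               -> ContainerInherit, ObjectInherit / InheritOnly
    #   "within this container only"       -> adds NoPropagateInherit
    param([Parameter(Mandatory = $true)][string]$Domain)

    $spec = @(
        @('NT AUTHORITY\SYSTEM',                      'FullControl',    'ContainerInherit, ObjectInherit', 'None'),
        @('BUILTIN\Administrators',                   'FullControl',    'ContainerInherit',                'NoPropagateInherit'),
        @("$Domain\ACL_User Data and Settings_Admin", 'FullControl',    'ContainerInherit, ObjectInherit', 'InheritOnly'),
        @("$Domain\ACL_User Data and Settings_Audit", 'ReadAndExecute', 'ContainerInherit, ObjectInherit', 'None')
    )
    foreach ($s in $spec) {
        New-Object System.Security.AccessControl.FileSystemAccessRule `
            -ArgumentList $s[0], $s[1], $s[2], $s[3], 'Allow'
    }
}

function Set-UdsRootAcl {
    # Replace the root's DACL with exactly the expected ACEs. No ACE is added for
    # users, so their folders must be provisioned before redirection is applied.
    param(
        [Parameter(Mandatory = $true)][string]$Root,
        [Parameter(Mandatory = $true)][string]$Domain
    )
    $acl = Get-Acl -Path $Root
    $acl.SetAccessRuleProtection($true, $false)   # stop inheriting, discard inherited ACEs

    # Drop every explicit ACE currently on the root.
    foreach ($old in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        [void]$acl.RemoveAccessRuleAll($old)
    }
    # AddAccessRule throws if a group name cannot be resolved to a SID.
    foreach ($rule in (Get-UdsRootRules -Domain $Domain)) {
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $Root -AclObject $acl
}

function Test-UdsRootAcl {
    # Compare the ACL on disk with the expected one. Returns one row per ACE that
    # is missing or unexpected (for example a Users or Everyone entry).
    param(
        [Parameter(Mandatory = $true)][string]$Root,
        [Parameter(Mandatory = $true)][string]$Domain
    )
    $key = {
        param($r)
        $sid = $r.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        '{0}|{1}|{2}|{3}|{4}' -f $sid, $r.FileSystemRights, $r.InheritanceFlags,
                                 $r.PropagationFlags, $r.AccessControlType
    }
    $expected = @(Get-UdsRootRules -Domain $Domain | ForEach-Object { & $key $_ })
    $actual   = @((Get-Acl -Path $Root).Access     | ForEach-Object { & $key $_ })

    Compare-Object -ReferenceObject $expected -DifferenceObject $actual |
        Select-Object @{ n = 'Ace';     e = { $_.InputObject } },
                      @{ n = 'Problem'; e = { if ($_.SideIndicator -eq '=>') { 'unexpected' } else { 'missing' } } }
}

# Usage (uncomment after adjusting the placeholders):
# Set-UdsRootAcl  -Root 'D:\Users' -Domain 'CONTOSO'
# Test-UdsRootAcl -Root 'D:\Users' -Domain 'CONTOSO'   # no rows returned = ACL matches
```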
| gabriel/tfi
Posts:425
 | | 05/05/2008 9:18 PM |
| "Off-line files" is _ideally_ a nice feature as it allows mobile users to bring their personal docs with them (the files stored in their home folder - My Docs), unfortunately I have never been able to make it work properly.
I found so many useful resources at the following blog http://blogs.msdn.com/jonathanh/archive/tags/Offline+Files/default.aspx and was able to fix most of the problems.
But there's still a major issue that really annoys me.
The "Off-line files" feature when used with Redirected My Docs (it gets enabled by default in XP) should be able to determine if the link between the client and the file server is slow or not (slow link detection of off-line files, a speed threshold configurable via GPO):
a) if the link is "fast", the Off-line files mechanism should place the client "on-line" and so My Documents redirected and files accessed onto the file server (e.g. LAN)
b) if the link is "slow" (as set in the GPO) the "Off-line files" mechanism should place the client "off-line" and files accessed in the local Client Side Cache (CSC)
Unfortunately when mobile users establish a VPN connection (via POTS, GPRS, UMTS, whatever-slow-link) and so are able to reach the file server, the "off-line files" mechanism ignores the speed detection threshold and always puts the client "on-line"... sigh... of course this unexpected behavior generates major problems:
1) users read/write My Docs files NOT in the local CSC, but in the remote SMB share (SMB over a slow link... uh... bad performance, the system goes like a snail)
2) because of 1) a lot of network traffic (SMB) is generated against the file server and this might have a very bad impact on costs if, for example, 3G networks are utilized roaming some countries.
The only workaround I found is to force a disconnection with "CSCCMD /disconnect" (http://support.microsoft.com/kb/884739), not very _friendly_ for the users, even if a script is made available to them (they're too lazy to double click on the script icon if the system becomes weirdly slow - but they are right, the system should behave automatically).
Has any of you ever been able to make the off-line files work properly?
Thanks - Gabriele.
PS: I've heard Off-line files have been completely re-written in WinVista. I believe I know the reason....
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Dan Holme Sent: mercoledì 23 aprile 2008 5.56 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] AD Home Folder and Remote User
The setting is Administratively assigned offline files. User Configuration\Administrative Templates\Network\Offline Files.
Note if you're going to this extreme, really think about redirection instead.
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Robert Singers Sent: Tuesday, April 22, 2008 11:56 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] AD Home Folder and Remote User
You can solve the home drive issue by the old administratively configured offline folders\drives in the GPO somewhere that I can't remember off the top of my head.
_____
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Dave Wade Sent: Wednesday, 23 April 2008 2:37 a.m. To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] AD Home Folder and Remote User
Mike,
Well your VPN connection needs to work as part of the logon process, and not after logon has completed. If the user logs on with cached credentials and then connects they won't get a home drive (or logon script).
Dave Wade
_____
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Mike Tharp Sent: 21 April 2008 17:51 To: ActiveDir@mail.activedir.org Subject: [ActiveDir] AD Home Folder and Remote User
I would like to start using the Home Folder setting in AD to map the personal drives for all my users but can't seem to get it to work for remote users. When a user is on the network the drive maps just fine however when they come in through VPN it does not map.
Does anyone know how to get it to work for remote users?
| | | |
| robertsingers
Posts:571
 | | 05/05/2008 9:33 PM |
| Well I'm currently VPNed in via a SonicWall 4060 and I'm running "offline" for my h: (home) and j: (Dept file plan). I work this way every Tuesday. I have had issues with my offline cache corrupting but mostly it works perfectly.
I will say however I'm currently the only person in my Org who uses VPN. So I'm not sure if my experience is typical.
I should have an administratively assigned W: drive offline that has all the Dept's office templates and that isn't showing. One day I'll have a look at why :-)
| | | |
| danholme
Posts:165
 | | 05/06/2008 12:00 AM |
| The offline files behavior you describe is "normal" (sadly) for XP, and the fix (CSCCMD /disconnect) is the right fix.
I have several clients who use the /disconnect command in interesting ways, including INCORPORATING it in their VPN logon process (through the Cisco client, e.g.).
The bad news is there are a few things you can do to make XP's offline files better (see the WINDOWS ADMINISTRATION RESOURCE KIT, Solutions Collection 3 for details).
The good news is VISTA's caching is overhauled and much, much, much better. If you can get your users onto Vista clients, the vast majority of problems, and all 'show stoppers', will be a moot point, as far as offline files and user data.
HTH.
Dan
| | | |
| robertsingers
Posts:571
 | | 05/06/2008 12:20 AM |
| I'm not sure the NZ Govt is interested in moving to Vista because of the DRM model used. It's something I must follow up as part of my target state planning. I think like a lot of organisations we'll be aiming to go from Windows XP to Windows 7. I may even have caught up on all the new deployment stuff by then :-)
________________________________
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Dan Holme Sent: Tuesday, 6 May 2008 3:55 p.m. To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] AD Home Folder and Remote User
The offline files behavior you describe is "normal" (sadly) for XP, and the fix (CSCCMD /disconnect) is the right fix.
I have several clients who use the /disconnect command in interesting ways, including INCORPORATING it in their VPN logon process (through the Cisco client, e.g.).
The bad news is there are a few things you can do to make XP's offline files better (see the WINDOWS ADMINISTRATION RESOURCE KIT, Solutions Collection 3 for details).
The good news is VISTA's caching is overhauled and much, much, much, better. If you can get your users on to vista clients, the vast majority of problems, and all 'show stoppers' will be a moot point, as far as offline files and user data.
HTH.
Dan
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Robert Singers Sent: Monday, May 05, 2008 3:31 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] AD Home Folder and Remote User
Well I'm currently VPNed in via a SonicWall 4060 and I'm running 'offline" for my h: (home) and j: (Dept file plan). I work this way every Tuesday. I have had issues with my offline cache corrupting but mostly it works perfectly.
I will say however I'm currently the only person in my Org who uses VPN. So I'm not sure if my experience is typical.
I should have a adminsitratively assigned W: drive offline that has all the Dept's office templates and that isn't showing. One day I'll have a look at why :-)
________________________________
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Gabriele Scolaro Sent: Tuesday, 6 May 2008 1:13 p.m. To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] AD Home Folder and Remote User
"Off-line files" is _ideally_ a nice feature as it allows mobile users to bring their personal docs with them (the files stored in their home folder - My Docs), unfortunately I have never been able to make it work properly.
I found so many useful resources at the following blog http://blogs.msdn.com/jonathanh/archive/tags/Offline+Files/default.aspx and was able to fix most of the problems.
But there's still a major issue that really annoys me.
The "Off-line files" feature when used with Redirected My Docs (it gets enabled by default in XP) should be able to determine if the link between the client and the file server is slow or not (slow link detection of off-line files, a speed threshold configurable via GPO):
a) if the link is "fast", the Off-line files mechanism should place the client "on-line" and so My Documents redirected and files accessed onto the file server (e.g. LAN)
b) if the link is "slow" (as set in the GPO) the "Off-line files" mechanism should place the client "off-line" and files accessed in the local Client Side Cache (CSC)
Unfortunately when mobile users establish a VPN connection (via POTS, GPRS, UMTS, whatever-slow-link) and so are able to reach the file server, the "off-line files" mechanism ignores the speed detection threshold and always puts the client "on-line"... sigh... of course this unexpected behavior generates major problems:
1) users read/write My Docs files NOT in the local CSC, but in the remote SMB share (SMB over a slow link... uh... bad performance, the system goes like a snail)
2) because of 1) a lot of network traffic (SMB) is generated against the file server and this might have a very bad impact on costs if, for example, 3G networks are utilized roaming some countries.
The only workaround I found is to force a disconnection with "CSCCMD /disconnect" (http://support.microsoft.com/kb/884739), not very _friendly_ for the users, even if a script is made available to them (they're too lazy to double click on the script icon if the system becomes weirdly slow - but they are right, the system should behave automatically).
Has any of you ever been able to make the off-line files work properly?
Thanks - Gabriele.
PS: I've heard Off-line files have been completely re-written in WinVista. I believe I know the reason....
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Dan Holme Sent: Wednesday 23 April 2008 5.56 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] AD Home Folder and Remote User
The setting is Administratively assigned offline files. User Configuration\Administrative Templates\Network\Offline Files.
Note if you're going to this extreme, really think about redirection instead.
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Robert Singers Sent: Tuesday, April 22, 2008 11:56 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] AD Home Folder and Remote User
You can solve the home drive issue by the old administratively configured offline folders\drives in the GPO somewhere that I can't remember off the top of my head.
________________________________
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Dave Wade Sent: Wednesday, 23 April 2008 2:37 a.m. To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] AD Home Folder and Remote User
Mike,
Well your VPN connection needs to work as part of the logon process, and not after logon has completed. If the user logs on with cached credentials and then connects they won't get a home drive (or logon script).
Dave Wade
________________________________
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Mike Tharp Sent: 21 April 2008 17:51 To: ActiveDir@mail.activedir.org Subject: [ActiveDir] AD Home Folder and Remote User
I would like to start using the Home Folder setting in AD to map the personal drives for all my users but can't seem to get it to work for remote users. When a user is on the network the drive maps just fine however when they come in through VPN it does not map.
Does anyone know how to get it to work for remote users?
| | | |
| ken
Posts:171
 | | 05/06/2008 12:25 AM |
| I realise that this is heading off-topic, but what DRM model are you talking about that would potentially affect a government organisation?
Cheers Ken
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Robert Singers Sent: Tuesday, 6 May 2008 2:18 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] AD Home Folder and Remote User
I'm not sure the NZ Govt is interested in moving to Vista because of the DRM model used. It's something I must follow up as part of my target state planning. I think like a lot of organisations we'll be aiming to go from Windows XP to Windows 7. I may even have caught up on all the new deployment stuff by then :-)
________________________________
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Dan Holme Sent: Tuesday, 6 May 2008 3:55 p.m. To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] AD Home Folder and Remote User
The offline files behavior you describe is "normal" (sadly) for XP, and the fix (CSCCMD /disconnect) is the right fix.
I have several clients who use the /disconnect command in interesting ways, including INCORPORATING it in their VPN logon process (through the Cisco client, e.g.).
The bad news is there are a few things you can do to make XP's offline files better (see the WINDOWS ADMINISTRATION RESOURCE KIT, Solutions Collection 3 for details).
The good news is VISTA's caching is overhauled and much, much, much better. If you can get your users on to Vista clients, the vast majority of problems, and all 'show stoppers' will be a moot point, as far as offline files and user data.
HTH.
Dan
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Robert Singers Sent: Monday, May 05, 2008 3:31 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] AD Home Folder and Remote User
Well I'm currently VPNed in via a SonicWall 4060 and I'm running 'offline' for my h: (home) and j: (Dept file plan). I work this way every Tuesday. I have had issues with my offline cache corrupting but mostly it works perfectly.
I will say however I'm currently the only person in my Org who uses VPN. So I'm not sure if my experience is typical.
I should have an administratively assigned W: drive offline that has all the Dept's office templates and that isn't showing. One day I'll have a look at why :-)
| | | |
|
|