These are settings for an Active Directory User GPO (Group Policy Object) covering:
- Roaming profiles
- Folder redirection (see the previous post about how to set this up)
- Remote Desktop access
- UAC off
- Mapped network drives
- Deleting old downloads from a user's Downloads folder at logon
Create a User Profile GPO:
In Group Policy Management/Domains/[Domain name], right click and select “Create a GPO in this domain and Link it here”. Call it “User Profiles” or something relevant.
In the GPO, under Computer Configuration/Policies:
- Administrative Templates/System: Verbose vs normal status messages: Enabled
- Administrative Templates/System/User Profiles:
  - Add the Administrators security group to roaming user profiles: Enabled
  - Set roaming profile path for all users logging onto this computer: \\[FileServer]\Users$\%username%\profile
  NB: THIS IS ACTUALLY WHERE ROAMING PROFILES ARE IMPLEMENTED. It can also be done in the user object, but I like to do it here so it can be overridden on a per-machine basis, e.g. disabled on a server.
- Windows Settings/Folder Redirection:
  - Enable “Basic – redirect everyone’s folder to the same location” for all folders except AppData
  - Set Target folder location to “Create a folder for each user under the root path”
  - Set Root Path to: \\[servername].[domain name]\Users$
- Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page: in “Site to Zone Assignment List”, add file://*.[domain name] so that file shares within the domain can be browsed.
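The same GPO can be created and linked from PowerShell instead of clicking through GPMC. The block below is an added example, not a script from the original post: it uses the GroupPolicy module that ships with RSAT, takes the file server name as a placeholder (`FILESERVER`), and writes the roaming-profile and verbose-status settings as policy registry values. The registry value names (`VerboseStatus`, `MachineProfilePath`, `AddAdminGroupToRUP`) are taken from the System.admx template as I know it; treat `AddAdminGroupToRUP` as an assumption and confirm it in the generated report. Folder Redirection and the Internet Explorer zone list are not plain registry policies, so they are left to the console.

```powershell
# Added example: script the "User Profiles" GPO with the GroupPolicy module.
# Run as a Domain Admin on a machine with RSAT installed.
Import-Module GroupPolicy

$gpoName    = 'User Profiles'
$fileServer = 'FILESERVER'                                   # placeholder for [FileServer]
$domainDn   = ([ADSI]'LDAP://RootDSE').defaultNamingContext  # e.g. DC=corp,DC=example,DC=com

# Create the GPO if it does not exist yet, then link it at the domain root.
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $gpoName -Comment 'Roaming profiles, folder redirection, drive maps'
}
New-GPLink -Name $gpoName -Target $domainDn -LinkEnabled Yes -ErrorAction SilentlyContinue | Out-Null

# System: Verbose vs normal status messages -> Enabled
Set-GPRegistryValue -Name $gpoName `
    -Key 'HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System' `
    -ValueName 'VerboseStatus' -Type DWord -Value 1 | Out-Null

# System/User Profiles: Set roaming profile path for all users logging onto this computer.
# %username% is expanded by the client at logon, so it must stay literal here.
$profilePath = '\\{0}\Users$\%username%\profile' -f $fileServer
Set-GPRegistryValue -Name $gpoName `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'MachineProfilePath' -Type String -Value $profilePath | Out-Null

# System/User Profiles: Add the Administrators security group to roaming user profiles.
# Value name assumed from System.admx; verify in the report below.
Set-GPRegistryValue -Name $gpoName `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'AddAdminGroupToRUP' -Type DWord -Value 1 | Out-Null

# Produce an HTML report so the resulting policy can be checked before clients pick it up.
$report = Join-Path $env:TEMP ('{0}.html' -f ($gpoName -replace '\s', '_'))
Get-GPOReport -Name $gpoName -ReportType Html -Path $report
Write-Host "GPO '$gpoName' linked to $domainDn; report written to $report"
```

Open the report and check that the three values appear under Computer Configuration before running `gpupdate /force` on a test machine; a wrong `MachineProfilePath` is cached in every profile created while it is in effect.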
User Settings GPO
I also like to set up a few settings to ensure a better user experience.
The following are under Computer Configuration, Policies:
- Remote access on:
  - Administrative Templates/Network/Network Connections/Windows Firewall/Domain Profile: Windows Firewall: Allow inbound Remote Desktop exceptions. Enter an IP restriction, e.g. a specific IP (192.168.0.10) or "localsubnet".
  - Windows Settings/Security Settings/Local Policies/User Rights Assignment:
    - Allow log on through Remote Desktop Services (called “Allow log on through Terminal Services” on older versions): add a group, e.g. Domain Users
    - Allow log on locally: add a group, e.g. Domain Users (you also have to add the local Administrators group).
- UAC off: Windows Settings/Security Settings/Local Policies/Security Options, the User Account Control entries.
- Start-up sound off: Administrative Templates/System/Logon.
- Administrative Templates:
  - Control Panel/Display/Desktop Themes: Windows Classic (enable but leave the theme blank).
  - Desktop/Desktop: Disable Active Desktop (disallows HTML and JPG wallpaper).
  - System/User Profiles: Limit profile size: Max Profile Size set to 30GB (entered as 30,000,000; the policy counts in KB). NB this doesn’t actually limit the size but rather just displays a message.
  NB: I have since turned this off as I found the process ‘proquota.exe’ was hogging my system.
  - System/Logon: Run these programs at user logon: I have added a bat file to delete downloads older than 7 days, to avoid them taking up too much space. I created it in \\[Server]\NETLOGON\DeleteDownloads.bat
- Windows Settings/Drive Maps: set up any maps you need.
- Control Panel Settings/Folder Options/General: Hide extensions for known file types: Disabled
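The post references a DeleteDownloads.bat but does not show it. The script below is an added example, not the author's batch file: a PowerShell equivalent of the same logon cleanup that is meant to be launched from the NETLOGON share in the logging-on user's context. It resolves the user's real Downloads folder from the registry (so it still works when the folder has been redirected to the file server), refuses to run against anything that is not a Downloads folder, and supports `-WhatIf` so the age filter can be checked before anything is deleted. The `-MaxAgeDays` default of 7 matches the post; the log file location is my choice.

```powershell
# Added example (not the post's DeleteDownloads.bat): delete files in the
# current user's Downloads folder that have not been modified for N days.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [int]$MaxAgeDays = 7,          # matches the 7-day rule from the post
    [string]$Folder               # optional override, mainly for testing
)

# Resolve the Downloads folder from the per-user known-folder registry entry.
# The GUID is the Downloads known folder; with folder redirection this points
# at the file server rather than the local profile.
if (-not $Folder) {
    $shell = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'
    $raw   = (Get-ItemProperty -Path $shell -ErrorAction SilentlyContinue).'{374DE290-123F-4565-9164-39C4925E467B}'
    $Folder = if ($raw) { [Environment]::ExpandEnvironmentVariables($raw) }
              else      { Join-Path $env:USERPROFILE 'Downloads' }
}

# Safety rail: only ever operate on a folder actually named Downloads, so a
# mis-set path cannot turn this into a wipe of Documents or a share root.
if ((Split-Path $Folder -Leaf) -ne 'Downloads' -or -not (Test-Path -LiteralPath $Folder)) {
    Write-Warning "Refusing to clean '$Folder': not an existing Downloads folder."
    exit 1
}

$cutoff  = (Get-Date).AddDays(-$MaxAgeDays)
$logPath = Join-Path $env:TEMP 'DeleteDownloads.log'
$deleted = 0
$freed   = 0

# Only files (never directories) older than the cutoff by last-write time.
Get-ChildItem -LiteralPath $Folder -File -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -lt $cutoff } |
    ForEach-Object {
        # -WhatIf on the script flows through to this call via ShouldProcess.
        if ($PSCmdlet.ShouldProcess($_.FullName, "Delete (older than $MaxAgeDays days)")) {
            try {
                Remove-Item -LiteralPath $_.FullName -Force -ErrorAction Stop
                $deleted++
                $freed += $_.Length
                Add-Content -Path $logPath -Value ("{0:s} deleted {1} ({2} bytes)" -f (Get-Date), $_.FullName, $_.Length)
            } catch {
                Add-Content -Path $logPath -Value ("{0:s} FAILED {1}: {2}" -f (Get-Date), $_.FullName, $_.Exception.Message)
            }
        }
    }

Write-Host ("Removed {0} file(s), {1:N1} MB, from {2}" -f $deleted, ($freed / 1MB), $Folder)
```

Run it once by hand with `-WhatIf` to see the list of files that would go, then point the “Run these programs at user logon” entry at `powershell.exe -NoProfile -ExecutionPolicy Bypass -File \\[Server]\NETLOGON\DeleteDownloads.ps1`. Because the script runs as the user, it cannot delete anything the user could not delete anyway, and the log in `%TEMP%` gives a record if someone asks where a file went.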