Many people, one profile and lots of shared, password protec

[Blind]

In my new job (which increasingly strains my limited network administrator skills), I’ve inherited a school network that uses a convoluted system of roaming profiles that causes numerous problems with speed, security and compatibility with our crummy education software.

The only network resource that the students and teachers really need is a protected, shared folder to store their files that is accessible from every computer on the domain with a password. They currently have this with our server 2003, active directory system, but as I mentioned above, it’s currently not ideal.

I was wondering if there was a way to tweak 2003 or a 3rd party app that would allow a universal login for each computer, but request a password to access or save to a network folder on a mapped drive?

[plexer]

You create each user their own home directory on the server, share it and set this in their user properties. Using a log on script you map a drive say H: to this path i.e \\server\username$

The permissions on their home folder can be whatever you choose but normally something like administrators full control and username change or full control.

Ben

[Blind]

Yep, that is the way it is currently done.

I'm looking at doing something odd. I want the user to use a generic login (same for everyone), but then have to enter a unique password when they attempt to access a folder on the server.

[plexer]

But then how do you track what an individual user does on the system and internet etc... you have no trail to follow and everyone has deniability.

I think you are making it worse for yourself trying to go this route.

Ben

[Teth]

Seems like you need to start using Mandatory profiles.

Stay with your existing user folder system it is the industry best practice. Keep your user accounts too but change they're profile to a mandatory profile which you creat once and then save to a folder on the server to be loaded by every user as they log on.

As long as all your software is conficgured correctly when you save the profile all users will get that configuration and even if they manage to find a chink in your group policy and alter it on the local machine, when they next log on they will get a clean copy of the deault profile again.

[Blind]

I probably would be making it more difficult for myself, but I’m not as concerned with security (we have other software for that) as with functionality, speed, and ease of customization.

I’m guess I’m just trying to think of ideas to make allowing 450 people be able to access any of the ~200 in the building without the slowdown or configuration problems.

[eean]

I'm looking at doing something odd. I want the user to use a generic login (same for everyone), but then have to enter a unique password when they attempt to access a folder on the server.

I don't think that is possible. You can't be connected to a server under one username then connect to the same server using a different username. I would guess the only way to do that is to put all your shared areas on a different computer, with it's own username list that is not part of the domain. This is a really messy solution, however. I really think you'd be better to set up proper usernames with redirected folders to shared desktop and start menu.

IF there is a way of doing this, I'd like to know it: In my school (Primary) Each year group has it's own logon. It would be handy if staff could map to their home folder whilst logged as a child.

EDIT: As for speed, look at this thread: http://www.edugeek.net/index.php?nam...er=asc&start=0 - an update that knocks 20 secs of logon with redirected folders. So our logon is now ~15seconds.

[GrumbleDook]

You definitely need mandatory profiles. It will speed things up no end ... and by tweaking your login scripts you can improve things too.

[ChrisC]

A universal logon just does not work.....at all.

The profile itself would get so big it would probably bog things down anyway.

Mandatory is the way to go.

Chris

[ajbritton]

I suppose if you really had to do it, you could write a logon script which asked the user to log on again, and then connect a drive to a share/folder based on the user they specify. You could also redirect My Documents to the same location. Can't for the life of me think of one good reason for doing this however. As others have said, mandatory profiles are there for this. Can you tell us a bit more about exactly what it is you want to achieve?

[ChrisC]

The problem with having that system, is that people would also leave it logged on etc etc = major problems, we all know how sloppy teachers are.

Chris

[Dos_Box]

Hi Blind and welcome. I didn't get chance to say hello earlier, so there it is
As the others have said, didtch the roaming profiles as TBH they are evil, and whilst mandatory profiles are not my favorite option either it does sem to be the way to go on a short term basis. A single logon is a disaster waiting to happen, and weilding a large stick with a nail through the end is proberbly the best way of reinforcing the students ability to remember their passwords.

I think you need to look at this for further insperation:

http://www.theregister.com/odds/bofh/

[ajbritton]

didtch the roaming profiles as TBH they are evil

I wondered how long it would take before DB pitched in with the 'roaming profiles are evil' line. If only he would use IMHO instead of TBH then I wouldn't have to keep harping on about it! It's odd that lots of admins seem to work with Roaming Profiles quite happily. I know they are not the best solution for everyone, but they do work and provided they are implemented and managed in the right way (just as with ANY other system), they do what they say on the tin. There's quite a bit of info on the Wiki about setting up roaming/mandatory profiles.

For what it's worth, in My humble opinion, roaming profiles are not the right choice for students. Mandatory profiles provide a secure and manageable environment. Staff benefit from roaming profiles provided they are educated on the pitfalls.

There. I've said my piece and will not turn another thread into a profiles warzone. TTFN

[bossman]

Hi Blind
Welcome to the forum of forums.
You will find a wealth of information on here as well as conficting well defined arguments whether or not to go with roaming profiles. Well i use roaming profiles and my login times are 30-40 secs (oldest workstations) for new user logon to that workstation and if they log off and straight back in again it takes 12secs. I keep a tight grip on user profile size and average size is about 400Kbytes this gives them their desktop and my docs folders along with windows settings. I feel this is more than acceptable for students who want to spend their time and yours messing about and not truly working. Give your users the least access to everything on the network and as long as it functions to the requirements needed then everybody is happy.

As for usernames keep them simple but accountable and let them choose their own passwords no less than six and no more ten characters long (you can set this up) alphanumeric only no spaces dashes etc. Good luck with what you decide to do anyway and welcome once again to the club

[NetworkGeezer]

Hi Blind,

I think I have to agree with what most people have said. Use mandatory profiles or default profiles from NETLOGON.

The only way to do what you propose is to make the shared account a local account on each machine. That way you can also access server file shares with individual username passwords. You'd have to setup a policy to ban interacitve logons using network accounts if they PCs are on the domain. The problem is how do people change their passwords.

But ask yourself why you want to do this?
What advantage do you gain?