Hamins

Posts posted by Hamins

  1. Thanks for the response(s), Memnoch, Fizban2.

    Let me explain the current scenario... Most of the work is on MS Office. Users need to access/modify/save documents that are on a network drive on the server. However, often the users access the documents from the network drive, but save the documents on their local PC, mostly on C:\. I want to make sure that the user cannot save any data on their local PCs. However, I want the system and applications to be able to save files such as temp files, etc.

    Fizban2, which GPO would restrict installation of .exe, .msi, etc.?
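The GPO that restricts which .exe/.msi files can run is Software Restriction Policies (Computer Configuration > Windows Settings > Security Settings); the script below is an added example, not something posted in this thread, that audits one client for the three controls discussed here (no local admin rights, an SRP default level of Disallowed, and no write access to the root of the system drive). It assumes it is run as the ordinary user being audited, on a client that supports PowerShell.

```powershell
# Added example (not from the thread): audit one client for the controls
# discussed above. Run as the standard user whose lockdown is being checked.
# Registry paths are the standard SRP and Winlogon locations, not thread values.

function Get-ClientLockdownReport {
    # 1. Local Administrators membership: end users must not appear here.
    $admins = (net localgroup Administrators) |
        Where-Object { $_ -and $_ -notmatch '^(Alias|Comment|Members|-+|The command)' }

    # 2. Software Restriction Policy default level.
    #    0 = Disallowed (only explicitly allowed .exe/.msi run), 0x40000 = Unrestricted.
    $srp = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers' `
                            -Name DefaultLevel -ErrorAction SilentlyContinue
    $srpLevel = if ($srp) { $srp.DefaultLevel } else { $null }

    # 3. Can this user create a file in the root of the system drive (usually C:\)?
    #    The probe file name is constructed; it is created and removed immediately.
    $probe = Join-Path $env:SystemDrive ("lockdown_probe_{0}.tmp" -f [guid]::NewGuid())
    try {
        New-Item -Path $probe -ItemType File -ErrorAction Stop | Out-Null
        Remove-Item -Path $probe -ErrorAction SilentlyContinue
        $canWriteRoot = $true
    } catch {
        $canWriteRoot = $false
    }

    [pscustomobject]@{
        LocalAdmins        = $admins
        SrpDefaultLevel    = $srpLevel
        SrpBlocksUnlisted  = ($srpLevel -eq 0)
        UserCanWriteToRoot = $canWriteRoot
    }
}

Get-ClientLockdownReport | Format-List
```

A report showing SrpBlocksUnlisted false or UserCanWriteToRoot true means the corresponding control from the thread is not yet in effect on that machine.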

  2. don't give your users admin rights, that will stop the installation issue, saving things to their local computer would require you to do something like set up roaming profiles or redirect their docs and folders to a server location and then limit their access to the windows drive

    Hi Fizban2,

    Thanks for the quick response...

    Of course, none of the end-users have admin rights. However, they're still able to download certain programs from the net and install them. How does one prevent it completely?

    Yes, we've already implemented roaming profiles. I would like to prevent users from saving any data onto their local drives. What would the exact procedure be?

  3. Hi,

    We have a network comprising 1 multi-purpose Windows 2003 server with 25 Windows XP client PCs.

    What is the best way to prevent users from installing any type of software/program/application on their PCs? I guess it would have to be through Group Policies (?)

    How do I prevent users from downloading any type of software/program/application from the internet?

    Lastly, how do I prevent users from saving any file on any drive on their local PC?

    I need to know this as soon as possible... thanks

  4. Hi Fizban,

    Solved the problem regarding the remote password changing.

    I just realised that when you press CTRL+ALT+DEL to change the password, you can enter a domain name and then change it. I tried it and it works.

    Thanks!!

  5. Thanks a ton Fizban. I really appreciate all the help.

    Yes, I realised that the remote users will not be able to change their password. However, is there a roundabout way of allowing them to change their password remotely? I mean, a tool or a script, etc.?

  6. Hi Fizban,

    Here's what I finally did...

    (1) I did not attach the laptop to the Domain.

    (2) Created a local limited user account for the user who's going to use the laptop.

    (3) Created a VPN connection for the user.

    Now, if the user wants to connect remotely, he/she will first connect to our network via VPN. Once the user VPN authentication is successful, then the user will have to enter the UNC path of the file/folder that he/she wants to access. For example : Start - Run -> \\<servername>\<Shared Foldername>\. When the user enters the UNC he/she will get a prompt to enter the Domain Login name and password. If the user enters a valid ID and password, he/she can access that resource.

    Is this a good way of accessing remotely?

    Now, what if the user needs to change his/her Domain password remotely? How can that be accomplished?

  7. Yes, I understand the issue with the roaming profiles. However, I just mentioned this step because you told me to do so:

    by logging onto the domain once with the laptop, with a computer local domain account you create a local cache of user information that goes with the laptop, try this with a laptop, join it to the domain and then log on with your account, or an account that will create a local profile on the PC. make sure that you can connect to some network resource and that network access seems to be good. log off the domain and unplug your network cable, now try logging onto the domain, you should be able to log onto the laptop with the domain account while not on the network. by logging on this way then logging onto the VPN, the user will use their network credentials when trying to hit network resources (exchange, webpages, sharepoint pages, etc)

    Also, where should I make the GPO changes, on the DC or on the local laptop ?

  8. Hi Fizban,

    Thanks for the help, m8.

    Ok, now I understand what you're trying to say. Is there any way to sync the passwords? Will this synchronisation scenario arise only if the password changes, either on the main AD or the profile on the laptop? Is there any way to sync the passwords?

    Also, the caching should be enabled in the GPO of the Domain, and not the local GPO of the laptop, right ?

    Another thing is... what if the remote user logs off while connected remotely via VPN? I ask this because usually when a user logs off the domain the local user-profile is synced with the user's roaming profile on the server. So, if the user logs off the domain while still being connected to the VPN, will the profiles be synced over the internet?

    Based on what you suggested, here's what I am gonna do:

    (1) Change the GPO (On the domain or the laptop) to allow caching of logins

    (2) Join the laptops to the Domain

    (3) Let the user log onto the laptop with his/her Domain account, so that the roaming profile is loaded onto the laptop.

    (4) disconnect the laptop from the network.

    (5) Check whether the user can log onto the laptop with the Domain profile.

    Are the above steps correct? If yes, should I let the laptop still be a member of the domain, or should I change the MEMBER OF setting on the laptop back to WORKGROUP?

    Sorry for the gazillion questions.

    Thanks, once again.
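Cached domain logons only work while the laptop remains domain-joined, so the check below is an added example (not code from this thread) that verifies, on the laptop itself, the outcome of steps (1) to (5): domain membership, the cached-logon count that the "Interactive logon: Number of previous logons to cache" policy writes to the Winlogon key, and which user profiles exist on disk after the first connected logon. It assumes a PowerShell version with Get-CimInstance.

```powershell
# Added example (not from the thread): confirm a laptop is set up for
# cached domain logons as described in steps (1)-(5). Run on the laptop.
# Registry locations are the standard Winlogon and ProfileList keys.

function Test-CachedLogonReadiness {
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem

    # CachedLogonsCount is stored as a REG_SZ string; "0" means nothing is
    # cached, so the user can only sign in while a domain controller answers.
    $winlogon = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $cached = [int]$winlogon.CachedLogonsCount

    # A cached logon exists only after the user signed in once while connected
    # (step 3); the local copy of that profile shows up in ProfileList.
    $profiles = Get-ChildItem -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList' |
        ForEach-Object { (Get-ItemProperty -Path $_.PSPath).ProfileImagePath }

    [pscustomobject]@{
        JoinedToDomain  = $cs.PartOfDomain
        Domain          = $cs.Domain
        CachedLogons    = $cached
        CachingEnabled  = ($cached -gt 0)
        ProfilesOnDisk  = $profiles
        ReadyForOffline = ($cs.PartOfDomain -and $cached -gt 0)
    }
}

Test-CachedLogonReadiness | Format-List
```

If JoinedToDomain is false (the laptop was moved back to WORKGROUP) or CachedLogons is 0, step (5) will fail regardless of whether the profile was loaded in step (3).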

  9. This is where the local profile on the laptop comes into play, by having the users use local profiles on the laptops they effectively cache their profile and logon for the domain on the laptop, this will allow them to log onto their domain account even while not on the domain, at this point they can connect to the VPN and then become connected to the domain, Since they logged into their laptop with their domain credentials already, once they have logged onto the domain they have effectively connected and authenticated to the domain. several downfalls to this method, password synchronization becomes an issue (the cached password and the AD password become unsynced (one is different than the other or at least AD thinks so)) not so hard to fix. GPOs and Logon scripts will not fire like when a user normally logs on to the domain since that time has passed, if you are using a logon script there should be a place to fire that off after they are connected to the VPN, if all that the users need are some drives mapped, then a simple batch file should suffice. if you want to get fancy, logon script would be the way to go.

    Hi Fizban,

    I don't understand. If they log onto the laptop locally, how can they be logged on with the domain credentials already? Can you explain the whole thing in a better way?

    Thanks

  10. Hi,

    If we're talking securing Windows XP, I feel it's important to mention services. Certain services cause security holes. It's a good thing to disable certain services. This would not only increase security but would also help speed up the comp to a certain extent. Check out http://theeldergeek.com/services_guide.htm#Services

    Another sure-shot way of increasing speed and stability is to disable unnecessary startup programs. Use MSCONFIG or the REGISTRY.

  11. Hi,

    Thanks to all you guyz for yer help. I probably sound like a lame sysadmin. That's cause I've only been working on a live Windows server platform for the past 4-5 months or so.

    Fizban2, I checked out the links. They're quite useful.

    A few more questions:

    How do I make sure that the remote users can log into our network & Domain only from the laptop provided by the company, and no other PC? What would be the different methods of doing this at no extra cost?

    Also, once the user gains access into our physical network by authenticating on the VPN server (which is also the Watchguard Firewall), how do I present him with the login screen for access to the domain?

  12. Hi Jim,

    Thanks for yer help n suggestions.

    IAS? Do you mean ISA? If yes then, we have not implemented ISA.

    Also, how is a slow link determined by the server? What if the user logs in through a 1 Mbps line?

    Also, if the user accesses the internet (surfing, emails etc.) after logging onto our network via VPN, does he/she utilize our internet bandwidth too?

  13. Hi guyz,

    Once again, thanks for your suggestions.

    I think that having the VPN authenticate the remote users before having the Domain authenticate them provides an extra layer of security.

    First the remote user logs onto his laptop using a non-administrative local profile. The local group policy set on the laptop will be applicable. Then he dials into the network using his VPN login ID & password. Once he is authenticated by the VPN server (in this case the Watchguard X500 firewall), he is presented with the usual interactive login screen (Ctrl Alt Del screen) through which he logs onto the Domain. We're not too keen on the Win2003 Domain Controller server acting as the VPN server, since it's already acting as a DNS, DHCP, file and print server.

    Ideally, we want the remote users to be authenticated on the Domain, using their existing accounts. However, we don't want their roaming profile to be downloaded each time they authenticate.

    Is the above possible? If yes, is it a good implementation?
