
Server 2k3 locked Roaming Profiles.



Recursion
14-06-2009, 07:51 PM
Hey,

I need to set up some roaming profiles so that a user can log on, do whatever to their desktop and it won't save it when they log out. This means that every time the user logs on, the desktop is set back to normal with the program links in the start menus etc.

Anyone know how I would do this on a Win 2k3 domain network?

Thanks

Tomm
14-06-2009, 07:59 PM
Set up a logoff script to delete everything in their start menu/desktop and then replace it with the stuff you want there.

If you don't want them to alter the start menu or desktop at all, just redirect all users' desktops and start menus to the same location and deny all users write permissions.

You can do all this stuff with group policies, if you want it to apply to a certain user group then just create a new GPO and use security group filtering to limit it to those in that group.

Recursion
14-06-2009, 08:02 PM
Ah, I didn't think just denying write access would work, thanks! I'm just gunna create a profile, they can do whatever and then when they log off at the end none of it is saved.

Thanks.

Tomm
14-06-2009, 08:10 PM
Make sure to tell it not to copy the files currently in the user's desktop/menu, else it will fail to redirect since it can't write to it.

Recursion
14-06-2009, 08:16 PM
What I was going to do was to create a local user account on a computer on the domain, set it all up the way I want it to be then copy the profile folders over to the server's profile shares, rename the profile folder to the respective account names and then login as the domain user to test it, so it shouldn't need to write to it, correcto?

Tomm
14-06-2009, 08:21 PM
I don't see how that would prevent the user from changing the desktop/start menu though?

Recursion
14-06-2009, 08:34 PM
Well, when I copied the profiles over I'd set the permissions to disallow write access to anyone but Administrators.

mat64
15-06-2009, 09:37 AM
Sounds like you are referring to mandatory profiles (http://technet.microsoft.com/en-us/library/cc786301.aspx)

A mandatory user profile is a preconfigured user profile. The user can still modify the desktop, but the changes are not saved when the user logs off. The next time the user logs on, the mandatory user profile is downloaded again. User profiles become mandatory when you rename the NTuser.dat file on the server to NTuser.man. This extension makes the user profile read-only.
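
An added example, not part of the thread: a PowerShell audit of a profile share that reports which profile folders hold NTuser.man (the rename described in the quote above) and which accounts other than Administrators and SYSTEM have write-type rights on that file (the permissions idea raised earlier in the thread). The share path is a placeholder, and the script assumes PowerShell 3.0 or later run by an account that can read the share's ACLs.

```powershell
# Added example: audit a roaming-profile share for mandatory profiles.
# $ProfileRoot is a hypothetical placeholder; point it at your own profile share.
param([string]$ProfileRoot = '\\fileserver\profiles$')

# Well-known SIDs that are expected to hold write access.
$trusted = 'S-1-5-32-544', 'S-1-5-18'   # BUILTIN\Administrators, LOCAL SYSTEM

# Only the write-type bits. 'Modify' and 'FullControl' are deliberately not
# used as a mask because they also contain read bits and would match
# read-only ACEs.
$writeMask = [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$sidType   = [System.Security.Principal.SecurityIdentifier]

Get-ChildItem -LiteralPath $ProfileRoot | Where-Object { $_.PSIsContainer } | ForEach-Object {
    $name = $_.Name
    $man  = Join-Path $_.FullName 'NTUSER.MAN'
    $dat  = Join-Path $_.FullName 'NTUSER.DAT'

    # A profile is mandatory only when the hive carries the .man extension.
    if     (Test-Path -LiteralPath $man) { $state = 'mandatory' }
    elseif (Test-Path -LiteralPath $dat) { $state = 'roaming (not mandatory)' }
    else                                 { $state = 'no hive found' }

    $writers = @()
    if ($state -eq 'mandatory') {
        # Ask for the rules with SIDs so the check does not depend on
        # localized or unresolvable account names.
        $writers = @((Get-Acl -LiteralPath $man).GetAccessRules($true, $true, $sidType) |
            Where-Object {
                $_.AccessControlType -eq 'Allow' -and
                ($_.FileSystemRights -band $writeMask) -and
                ($trusted -notcontains $_.IdentityReference.Value)
            } |
            ForEach-Object { $_.IdentityReference.Value } |
            Select-Object -Unique)
    }

    [pscustomobject]@{
        Profile         = $name
        State           = $state
        NonAdminWriters = ($writers -join ', ')
    }
}
```

Rows with State `mandatory` and an empty NonAdminWriters column match the setup discussed in the thread; any SID listed there can still modify or replace the hive file.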

Recursion
15-06-2009, 03:01 PM
Aha! That must be it! :D Thank you :)

Btw, +REP to both of you if I can.

Tomm
15-06-2009, 03:05 PM
This will disallow the users doing a lot more than just changing the desktop/start menu though.

Recursion
15-06-2009, 03:08 PM
What like?

Tomm
15-06-2009, 03:15 PM
Any application-related settings based on user accounts won't work, desktop customizations (i.e. themes, backgrounds, Windows Explorer settings), anything that writes to HKEY_CURRENT_USER won't work properly, to list a few.

Recursion
15-06-2009, 03:28 PM
Even better. >;]

Also, does anyone know anything about Server 2k3 downloading client updates and pushing them out across the network at a set time each week?

Tomm
15-06-2009, 04:15 PM
Well, you can deploy Windows Update patches via WSUS (Windows Server Update Services) which is a free product, although unless you have a large amount of client PCs it might just be best to ensure automatic updates are enabled and just let it do itself.

If you want to deploy programs, as long as they have a MSI installation package you can deploy them via group policy.

When it comes to antivirus updates/policy enforcing I'd highly recommend McAfee ePolicy Orchestrator (http://www.mcafee.com/uk/enterprise/products/security_management_console/epolicy_orchestrator.html). I can personally recommend this as I currently use it on my network. It integrates with Active Directory and can automatically deploy specific products to current and all newly added workstations and servers along with remote configuration of settings, schedules, reporting, etc.
