Lecture 3: Active Directory Domain Service (AD DS)
Agenda
• Active Directory Domain Service (AD DS)
Installing and Configuring Active Directory Domain Services
Implementing a Group Policy Infrastructure
Managing User Desktop with Group Policy
Module 1
Configuring Active Directory® Domain Services
Module Overview
• Installing Domain Controllers
• Configuring Read-Only Domain Controllers
• New Features in Group Policy
• Configuring Group Policy Preferences
Lesson 1: Installing Domain Controllers
• Requirements for Installing AD DS
• What Are Domain and Forest Functional Levels?
• AD DS Installation Process
• Advanced Options for Installing AD DS
Requirements for Installing AD DS
Requirements Description
Server
• A computer running Windows Server 2008 (Web Server edition is not supported)
• Minimum disk space of 250 MB and a partition formatted with NTFS file system
Network configuration
• TCP/IP must be configured, including DNS client settings
• DNS Server that supports dynamic updates must be available or will be configured on the domain controller
AD DS Installation Permissions
• Local Administrator permissions to install the first domain controller in a forest
• Domain Administrator permissions to install additional domain controllers in a domain
• Enterprise Administrator permissions to install additional domains in a forest
What Are Domain and Forest Functional Levels?
Functional levels:
• Determine the AD DS features available in a domain or forest
• Restrict which Windows Server operating systems can be run on domain controllers in the domain or forest
Supported functional levels and the domain controller operating systems each supports:
Domain: Windows 2000 Server native / Forest: Windows 2000
• Windows Server 2008
• Windows Server 2003
• Windows 2000 Server
Domain: Windows Server 2003 / Forest: Windows Server 2003
• Windows Server 2008
• Windows Server 2003
Domain: Windows Server 2008 / Forest: Windows Server 2008
• Windows Server 2008
AD DS Installation Process
1. Install the Active Directory Domain Services role by using the Server Manager
2. Run the Active Directory Domain Services Installation Wizard (Dcpromo)
3. Choose the deployment configuration
4. Select the additional domain controller features
5. Select the location for the database, log files, and SYSVOL folder
6. Configure the Directory Services Restore Mode Administrator Password
Advanced Options for Installing AD DS
Use the advanced mode options to:
• Create a new domain tree
• Use backup media as the source for AD DS information
• Select the source domain controller for the installation
• Modify the default domain NetBIOS name
• Define the Password Replication Policy for an RODC
To access the advanced mode installation options, choose the Advanced Mode option in the Active Directory Domain Services Installation Wizard or run dcpromo /adv
Installing AD DS by Using IFM (Install From Media)
Use Ntdsutil.exe to create the installation media
Ntdsutil.exe can create the following types of installation media:
• Full (or writable) domain controller
• Full (or writable) domain controller with SYSVOL data
• Read-only domain controller with SYSVOL data
• Read-only domain controller
Upgrading to Windows Server 2008 AD DS
To prepare previous versions of Active Directory for a Windows Server 2008 domain controller installation:
Current version: Windows 2000 Server or Windows Server 2003
• Before installing: Windows Server 2008 domain controllers
• Must be run before other Adprep commands
• Command: adprep /forestprep
Current version: Windows 2000 Server
• Before installing: Windows Server 2008 domain controllers
• Command: adprep /domainprep /gpprep
Current version: Windows Server 2003
• Before installing: Windows Server 2008 domain controllers
• Command: adprep /domainprep
Current version: Windows Server 2003
• Before installing: Windows Server 2008 RODCs
• Command: adprep /rodcprep
Lesson 2: Configuring Read-Only Domain Controllers
• What Is a Read-Only Domain Controller?
• Read-Only Domain Controller Features
• What Are Password Replication Policies?
What Is a Read-Only Domain Controller?
RODCs host read-only partitions of the AD DS database, only accept replicated changes to Active Directory, and never initiate replication
RODCs:
• Cannot hold operation master roles or be configured as replication bridgehead servers
• Can be deployed on servers running Windows Server 2008 Server Core for additional security
RODCs provide:
• Additional security for branch office with limited physical security
• Additional security if applications must run on a domain controller
Read-Only Domain Controller Features
RODCs provide:
• Unidirectional replication
• Credential caching
• Administrative role separation
• Read-only DNS
• RODC filtered attribute set
What Are Password Replication Policies?
• The password replication policy determines how the RODC performs credential caching for authenticated users
• By default, the RODC does not cache any user credentials or computer credentials
Options for configuring password replication policies:
• No credentials cached
• Enable credential caching on an RODC for specified accounts
• Add users or groups to the Domain RODC Password Allowed group so that credentials are cached on all RODCs
Lesson 3: New Features in Group Policy
• New Group Policy Settings
• What Are Multiple Local Group Policies?
New Group Policy Settings
There are approximately 700 new settings available
New settings : New categories:
• Antivirus
• Client Help
• Deployed Printer Connections
• Internet Explorer 7
• Wireless Configuration
• Terminal Services
• Windows Error Reporting
• Removable storage device management
• Power management
• User Account Control
• Network Access Protection
• Windows Defender
• Windows Firewall with Advanced Security
What Are Multiple Local Group Policies?
• One layer of computer configurations that applies to all users
• Layers apply only to individual users, not to groups
• There are three layers of user configurations:
• Administrator
• Non-Administrator
• User-specific
Lesson 4: Configuring Group Policy Preferences
• What Are Group Policy Preferences?
• Difference Between Group Policy Preferences and Settings
• Group Policy Preference Features
What Are Group Policy Preferences?
Group Policy preferences expand the range of configurable settings within a GPO and:
• Are not enforced
• Enable IT pros to configure, deploy, and manage operating system and application settings that were not manageable using Group Policy
Difference Between Group Policy Preferences and Settings
Group Policy preferences:
• Are written to the normal locations in the registry that the application or operating system feature uses to store the setting.
• Do not cause the application or operating system feature to disable the user interface for the settings they configure.
• Refresh preferences by using the same interval as Group Policy settings by default.
• Are not available on local computers.
Group Policy settings:
• Strictly enforce policy settings by writing the settings to areas of the registry that standard users cannot modify.
• Typically disable the user interface for settings that Group Policy is managing.
• Refresh policy settings at a regular interval.
• Are available through local Group Policy.
Group Policy Preference Features
• Common tab: Used to configure additional options that control the behavior of a Group Policy preference item
• Targeting features: Determine to which users and computers a preference item applies
Module 2
Implementing a Group Policy Infrastructure
Module Overview
• Understand Group Policy
• Implement GPOs
• Manage Group Policy Scope
• Group Policy Processing
• Troubleshoot Policy Application
Lesson 1: Understand Group Policy
• What Is Configuration Management?
• Overview of Policies
• Benefits of Using Group Policy
• Group Policy Objects
• GPO Scope
• Group Policy Client and Client-Side Extensions
• Group Policy Refresh
• Review the Components of Group Policy
What Is Configuration Management?
• A centralized approach to applying one or more changes to one or more users or computers
• Group Policy: The framework for configuration management in an AD DS domain
Setting: Definition of a change or configuration
Scope: Definition of the users or computers to which the change applies
Application: A mechanism that applies the setting to users and computers within the scope
Tools for management, configuration, and troubleshooting
What Is Group Policy?
Use Group Policy to:
• Apply standard configurations
• Deploy software
• Enforce security settings
• Enforce a consistent desktop environment
Group Policy enables IT administrators to automate one-to-many management of users and computers
Local Group Policy is always in effect for local and domain users and local computer settings
Group Policy Settings
Group Policy settings for computers control these settings:
• Software
• Windows
• Security
• Operating systems
Group Policy settings for users control these settings:
• Software
• Windows
• Security
• Desktop
How Group Policy Is Applied
Computer starts
• Computer settings applied
• Startup scripts run
• Refresh interval: every 90 minutes
User logs on
• User settings applied
• Logon scripts run
• Refresh interval: every 90 minutes
Overview of Policies
• The granular definition of a change or configuration
Prevent access to registry-editing tools
Rename the Administrator account
• Divided between
User Configuration ("user policies")
Computer Configuration ("computer policies")
• Define a setting
Not configured (default)
Enabled
Disabled
Benefits of Using Group Policy
• Apply security settings
• Manage desktop and application settings
• Deploy software
• Manage folder redirection
• Configure network settings
Group Policy Objects
• Container for one or more policy settings
• Managed with the GPMC
• Stored in Group Policy Objects container
• Edited with the GPME
• Applied to a specific level in AD DS hierarchy
GPO Scope
• Scope
Definition of objects (users or computers) to which GPO applies
• GPO Links
A GPO can be linked to multiple sites, domains, or organizational units (OUs) (SDOU)
GPO link(s) define maximum scope of GPO
• Security Group Filtering
Apply or deny application of GPO to members of global security group
Filter application of scope of GPO within its link scope
• WMI Filtering
Refine scope of GPO within link based on WMI query
• Preference Targeting
Group Policy Client and Client-Side Extensions
• How GPOs and their settings are applied
• Group Policy Client retrieves ordered list of GPOs
• GPOs are downloaded, and then cached
• Components called CSEs process the settings to apply the changes
One for each major category of policy settings: Security, registry, script, software installation, mapped drive preferences, and so on
Most CSEs apply settings only if the GPO as a whole has changed
• Improves performance
• Security CSE applies changes every 16 hours
GPO application is client driven ("pull")
Group Policy Refresh
• When GPOs and their settings are applied
• Computer Configuration
Startup
Every 90-120 minutes
Triggered: GPUpdate command
• User Configuration
Logon
Every 90-120 minutes
Triggered: GPUpdate command
Lesson 2: Implement GPOs
• Local GPOs
• Domain-Based GPOs
• Demonstration: Create, Link, and Edit GPOs
• GPO Storage
• Manage GPOs and Their Settings
Local GPOs
• Apply before domain-based GPOs
Any setting specified by a domain-based GPO will override the setting specified by the local GPOs.
• Local GPO
One local GPO in Windows 2000 Server, Windows XP, Windows Server 2003
Multiple local GPOs in Windows Vista and later
• Local GPO: Computer settings and settings for all users
• Administrators GPO: Settings for users in Administrators
• Non-administrators GPO: Settings for users not in Admins
• Per-user GPO: Settings for a specific user
• If domain members can be centrally managed using domain-linked GPOs, in which scenarios might local GPOs be used?
Domain-Based GPOs
• Created in Active Directory, stored on domain controllers
• Two default GPOs
Default Domain Policy
• Define account policies for the domain: Password, account lockout, and Kerberos policies
Default Domain Controllers Policy
• Define auditing policies for domain controllers and Active Directory
GPO Storage
• What we call a GPO is actually two things, stored in two places
• GPC
Stored in AD DS
Friendly name, globally unique identifier (GUID)
Version
• GPT
Stored in SYSVOL on domain controllers (DCs)
Contains all files required to define and apply settings
.ini file contains Version
• Separate replication mechanisms
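Because the GPC in AD DS and the GPT in SYSVOL each carry their own Version and replicate separately, a common consistency check is to compare the two; the following is an added example, not part of the original lecture. It assumes the GPC value is read from the versionNumber attribute and the GPT value from the GPT.INI file, with the user revision in the high 16 bits and the computer revision in the low 16 bits; the sample values are constructed.

```python
import configparser


def split_version(value):
    """Split a GPO version into its two 16-bit revision counters."""
    return {"user": value >> 16, "computer": value & 0xFFFF}


def read_gpt_version(gpt_ini_text):
    """Return the integer Version from the text of a GPT.INI file."""
    parser = configparser.ConfigParser()
    parser.read_string(gpt_ini_text)
    return int(parser["General"]["Version"])


def compare_versions(gpc_version, gpt_ini_text):
    """Return findings for one GPO; an empty list means GPC and GPT agree."""
    try:
        gpt_version = read_gpt_version(gpt_ini_text)
    except (KeyError, ValueError, configparser.Error):
        # Missing section, missing key, or a non-numeric value.
        return ["GPT.INI has no readable Version value"]
    gpc, gpt = split_version(gpc_version), split_version(gpt_version)
    findings = []
    for half in ("user", "computer"):
        if gpc[half] != gpt[half]:
            ahead = "GPC (AD DS)" if gpc[half] > gpt[half] else "GPT (SYSVOL)"
            findings.append(
                f"{half} settings: GPC={gpc[half]} GPT={gpt[half]}, {ahead} is ahead"
            )
    return findings


# Constructed sample: the GPC is at computer revision 10, SYSVOL is still at 9.
SAMPLE_GPC_VERSION = (3 << 16) | 10
SAMPLE_GPT_INI = "[General]\nVersion=196617\n"

if __name__ == "__main__":
    for line in compare_versions(SAMPLE_GPC_VERSION, SAMPLE_GPT_INI) or ["in sync"]:
        print(line)
```

A mismatch that persists after replication has had time to converge is worth investigating, since it means clients may be applying a template that does not match what the directory advertises.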
Manage GPOs and Their Settings
• Copy and Paste into a Group Policy Objects container
Create a new "copy" GPO and modify it
Transfer a GPO to a trusted domain, such as test-to-production
• Back Up all settings, objects, links, permissions (access control lists [ACLs])
• Restore into same domain as backup
• Import Settings into a new GPO in same or any domain
Migration table for source-to-destination mapping of UNC paths and security group names
Replaces all settings in the GPO – not a "merge"
• Save Report
• Delete
• Rename
Lesson 3: Manage Group Policy Scope
• GPO Links
• Group Policy Processing Order
• GPO Inheritance and Precedence
• Use Security Filtering to Modify GPO Scope
• WMI Filters
• Enable or Disable GPOs and GPO Nodes
• Target Preferences
• Loopback Policy Processing
GPO Links
• GPO link
Causes policy settings in GPO to apply to users or computers within that container
Links GPO to site, domain, or OU (SDOU)
• Must enable sites in the GPM console
GPO can be linked to multiple sites or OUs
Link can exist but be disabled
Link can be deleted, but GPO remains
Group Policy Processing Order
[Diagram: processing order Local Group Policy → Site → Domain → OU → OU, shown as GPO1 to GPO5]
[Diagram: a Domain containing a Business OU with child OUs Employees, Groups and Clients; GPOs labelled D, B, C and E]
• Default: Computer D+B+C, User D+B+E
• With Block Inheritance: Computer B+C, User B+E
• With Block Inheritance and an Enforced Security GPO (S): Computer B+C+S, User B+E+S
GPO Inheritance and Precedence
• The application of GPOs linked to each container results in a cumulative effect called inheritance
Default Precedence: Local → Site → Domain → OU → OU… (LSDOU)
Seen on the Group Policy Inheritance tab
• Link order (attribute of GPO Link)
Lower number → Higher on list → Precedent
• Block Inheritance (attribute of OU)
Blocks the processing of GPOs from above
• Enforced (attribute of GPO Link)
Enforced GPOs “blast through” Block Inheritance
Enforced GPO settings win over conflicting settings in lower GPOs
Use Security Filtering to Modify GPO Scope
• Apply Group Policy permission
GPO has an ACL (Delegation tab → Advanced)
Default: Authenticated Users have Allow Apply Group Policy
• Scope only to users in selected global groups
Remove Authenticated Users
Add appropriate global groups
• Must be global groups (GPOs don’t scope to domain local)
• Scope to users except for those in selected groups
On the Delegation tab, click Advanced
Add appropriate global groups
Deny Apply Group Policy permission
Does not appear on the Delegation tab or in filtering section
WMI Filters
• Create a WMI filter
• WQL
Similar to T-SQL
Select * FROM Win32_OperatingSystem WHERE
Caption="Microsoft Windows XP Professional" AND
CSDVersion="Service Pack 3"
• Create a WMI filter
• Use the filter for one or more GPOs
Enable or Disable GPOs and GPO Nodes
• GPO Details tab → GPO Status drop-down list
• Enabled: Both Computer Configuration and User Configuration settings will be applied by CSEs
• All settings disabled: CSEs will not process the GPO
• Computer Configuration settings disabled: CSEs will not process settings in Computer Configuration
• User Configuration settings disabled: CSEs will not process settings in User Configuration
Target Preferences
• Targeting within a GPO
Scope = scope of GPO + scope of targeting
Only possible with preferences
• Multiple options
• Test effect
• Test performance impact
Loopback Policy Processing
• At user logon, user settings from GPOs scoped to computer object are applied
Create a consistent user experience on a computer
Conference rooms, kiosks, computer labs, VDI, RDS, and so on
• Computer Configuration\Policies\Administrative Templates\System\Group Policy
User Group Policy loopback processing mode
• Replace mode
User gets none of the User settings that are scoped to the user and gets only the User settings that are scoped to computer
• Merge mode
User gets the User settings scoped to the user, but those settings are overlaid with User settings scoped to the computer. The computer settings prevail.
[Diagram: the same Domain and Business OU tree with a Kiosks OU added and a GPO K marked Loopback]
• Without loopback: Computer B+C, User B+E
• Replace: Computer B+K, User B+K
• Merge: Computer B+K, User E+B+K
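The rules from the GPO Inheritance and Precedence and Loopback Policy Processing slides, worked through as an added example (not part of the original lecture): a small model that reproduces the GPO letters shown on the slide diagrams. Where each GPO is linked, and that Block Inheritance sits on the Business OU, are assumptions; local and site GPOs are left out.

```python
from dataclasses import dataclass, field


@dataclass
class Container:
    """A domain or OU with its GPO links (constructed model, not an AD API)."""
    name: str
    links: list = field(default_factory=list)  # [(gpo, enforced)], link order 1 first
    block_inheritance: bool = False


def keep_last(gpos):
    """Drop earlier duplicates: only a GPO's final application decides the result."""
    seen, out = set(), []
    for gpo in reversed(gpos):
        if gpo not in seen:
            seen.add(gpo)
            out.append(gpo)
    return out[::-1]


def applied_gpos(path):
    """Return GPO names in application order for an object whose containers,
    from the domain down to its own OU, are given in `path`.
    The last name in the result wins any conflicting setting."""
    normal = []
    enforced_levels = []
    for container in path:
        if container.block_inheritance:
            # Block Inheritance discards non-enforced GPOs linked above this OU.
            normal = []
        # Link order 1 has the highest precedence, so it is applied last.
        ordered = list(reversed(container.links))
        normal += [gpo for gpo, enforced in ordered if not enforced]
        enforced_levels.append([gpo for gpo, enforced in ordered if enforced])
    # Enforced links ignore Block Inheritance and are applied after everything
    # else; an enforced link higher in the tree is applied last of all.
    enforced = [gpo for level in reversed(enforced_levels) for gpo in level]
    return keep_last(normal + enforced)


def user_gpos(user_path, computer_path, loopback=None):
    """GPOs whose User Configuration applies at logon.
    loopback: None, "replace" or "merge" (set by a GPO scoped to the computer)."""
    from_user = applied_gpos(user_path)
    from_computer = applied_gpos(computer_path)
    if loopback == "replace":
        return from_computer
    if loopback == "merge":
        # Computer-scoped GPOs are applied after user-scoped ones, so they prevail.
        return keep_last(from_user + from_computer)
    return from_user


def slide_tree(block=False, security=False):
    """Constructed tree matching the slide labels (link placement is assumed)."""
    domain_links = [("D", False)]
    if security:
        domain_links.insert(0, ("S", True))  # enforced Security GPO at the domain
    domain = Container("Domain", domain_links)
    business = Container("Business", [("B", False)], block_inheritance=block)
    return {
        "clients": [domain, business, Container("Clients", [("C", False)])],
        "employees": [domain, business, Container("Employees", [("E", False)])],
        "kiosks": [domain, business, Container("Kiosks", [("K", False)])],
    }


if __name__ == "__main__":
    for label, kwargs in [("default", {}), ("block", {"block": True}),
                          ("block+enforced", {"block": True, "security": True})]:
        tree = slide_tree(**kwargs)
        print(label, "computer:", "+".join(applied_gpos(tree["clients"])),
              "user:", "+".join(applied_gpos(tree["employees"])))
    tree = slide_tree(block=True)
    for mode in ("replace", "merge"):
        print(mode, "user at kiosk:",
              "+".join(user_gpos(tree["employees"], tree["kiosks"], mode)))
```

Note how Block Inheritance silently removes the domain GPO D from the result, while the enforced GPO S still applies and is processed last, which is why security baselines are usually linked as Enforced.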
Lesson 4: Group Policy Processing
• Detailed Review of Group Policy Processing
• Slow Links and Disconnected Systems
• Identify When Settings Take Effect
Detailed Review of Group Policy Processing
1. Computer starts; RPCSS and MUP are started
2. Group Policy Client starts and obtains an ordered list of GPOs that are scoped to the computer
• Local → Site → Domain → OU → Enforced GPOs
3. GPC processes each GPO in order
• Should it be applied? (enabled/disabled/permission/WMI filter)
• CSEs are triggered to process settings in GPO
• Settings configured as Enabled or Disabled are processed
4. User logs on
5. Process repeats for user settings
6. Every 90-120 minutes after startup, computer refresh
7. Every 90-120 minutes after logon, user refresh
Slow Links and Disconnected Systems
• Group Policy Client determines whether link to domain should be considered slow link
By default, less than 500 kilobits per second (kbps)
Each CSE can use determination of slow link to decide whether it should process
• Software CSE, for example, does not process
• Disconnected
Settings previously applied will continue to take effect
Exceptions include startup, logon, logoff, and shutdown scripts
• Connected
Windows Vista and newer operating systems detect new connection and perform Group Policy refresh if the refresh window was missed while the system was disconnected
Identify When Settings Take Effect
• GPO replication must happen
GPC and GPT must replicate
• Group changes must be incorporated
Logoff/logon for user; restart for computer
• Group Policy refresh must occur
Windows XP, Windows Vista, and Windows 7 clients
Always wait for network at startup and logon
• User must logoff or logon or the computer must restart for the settings to take effect
• Manually refresh: GPUpdate [/force] [/logoff] [/boot]
• Most CSEs do not reapply settings if GPO has not changed
Configure in Computer\Admin Templates\System\Group Policy
Lesson 5: Troubleshoot Policy Application
• Resultant Set of Policy
• Generate RSoP Reports
• Perform What-If Analyses with the Group Policy Modeling Wizard
• Examine Policy Event Logs
Resultant Set of Policy
• Inheritance, filters, loopback, and other policy scope and precedence factors are complex
• RSoP
The "end result" of policy application
Tools to help evaluate, model, and troubleshoot the application of Group Policy settings
• RSoP analysis
The Group Policy Results Wizard
The Group Policy Modeling Wizard
GPResult.exe
Generate RSoP Reports
• Group Policy Results Wizard
Queries WMI to report actual Group Policy application
• Requirements
Administrative credentials on the target computer
Access to WMI (firewall)
User must have logged on at least once
• RSoP report
Can be saved
View in Advanced mode
• Shows some settings that do not show in the HTML report
• View Group Policy processing events
• GPResult.exe /s ComputerName /h filename
Perform What-If Analyses with the Group Policy Modeling Wizard
• Group Policy Modeling Wizard
Emulates Group Policy application to report anticipated RSoP
Can be used prior to GPO application
Recommended in Group Policy design phase
Examine Policy Event Logs
• System log
High-level information about Group Policy
Errors elsewhere in the system that could impact Group Policy
• Application log
Events recorded by CSEs
• Group Policy Operational log
Detailed trace of Group Policy application
Module 3
Managing User Desktop with Group Policy
Module Overview
• Implement Administrative Templates
• Configure Group Policy Preferences
• Manage Software with GPSI
• Folder Redirection
Lesson 1: Implement Administrative Templates
• What Are Administrative Templates?
• How Administrative Templates Work
• Managed Settings, Unmanaged Settings, and Preferences
• Central Store
What Are Administrative Templates?
[Diagram: .ADMX and .ADML files, Registry]
How Administrative Templates Work
• Policy settings in the Administrative Templates node make changes to the registry
• HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegeditMode
• 1–Regedit UI tool only
• 2–Also disable regedit /s
Central Store
• .ADM files
Stored in the GPT
Leads to version control and GPO bloat problems
• .ADMX/.ADML files
Retrieved from the client
Problematic if the client doesn't have the appropriate files
• Central Store
Create a folder called PolicyDefinitions on a DC
• Remotely: \\contoso.com\SYSVOL\contoso.com\Policies\PolicyDefinitions
• Locally: %SystemRoot%\SYSVOL\contoso.com\Policies\PolicyDefinitions
Copy .ADMX files from your %SystemRoot%\PolicyDefinitions
Copy .ADML file from language-specific subfolders (such as en-us)
Lesson 2: Configure Group Policy Preferences
• What Are Group Policy Preferences?
• Differences Between Group Policy Preferences and Settings
What Are Group Policy Preferences?
Group Policy preferences expand the range of configurable settings within a GPO and:
• Are not enforced
• Enable IT pros to configure, deploy, and manage operating system and application settings that were not manageable by using Group Policy
Features of Group Policy Preferences:
• Create: Create a new item on the targeted computer
• Delete: Remove an existing item from the targeted computer
• Replace: Delete and re-create an item on the targeted computer
• Update: Modify an existing item on the targeted computer
Differences Between Group Policy Preferences and Settings
Group Policy preferences:
• Are written to the normal locations in the registry that the application or operating system feature uses to store the setting
• Do not cause the application or operating system feature to disable the user interface for the settings they configure
• Refresh preferences by using the same interval as Group Policy settings by default
• Are not available on local computers
Group Policy settings:
• Strictly enforce policy settings by writing the settings to areas of the registry that standard users cannot modify
• Typically disable the user interface for settings that Group Policy is managing
• Refresh policy settings at a regular interval
• Are available through local Group Policy
Lesson 3: Manage Software with GPSI
• Understand GPSI
• Software Deployment Options
• Create and Scope a Software Deployment GPO
• Maintain Software Deployed with GPSI
• GPSI and Slow Links
Understand GPSI (Group Policy Software Installation)
• Client-side extension (CSE)
• Installs supported packages
Windows Installer packages (.msi)
• Optionally modified by Transform (.mst) or patches (.msp)
• GPSI automatically installs with elevated privileges
Downlevel application package (.zap)
• Supported by “publish” option only
• Requires user to have admin privileges
System Center Configuration Manager and other deployment tools can support a wider variety of installation and configuration packages
• No “feedback”
No centralized indication of success or failure
No built-in metering, auditing, license management
Software Deployment Options
• Software deployment options
Assign application to users
• Start menu shortcuts appear
- Install-on-demand
• File associations made (optional “Auto Install”)
- Install-on-document invocation
• Optionally, configure to install at logon
Publish application to users
• Advertised in Programs And Features (Control Panel)
- Install-on-request
Assign to computers
• Install at startup
Options for Deploying and Managing Software Using Group Policy
1. Preparation
2. Deployment
3. Maintenance
4. Removal
How Software Distribution Works
Windows Installer
Windows Installer service
• Fully automates the software installation and configuration process
• Modifies or repairs an existing application installation
Windows Installer package contains
• Information about installing or uninstalling an application
• An .msi file and any external source files
• Summary information about the application
• A reference to an installation point
Benefits of Using Windows Installer
• Custom installations
• Resilient applications
• Clean removal
Software Distribution Point
Options for Installing Software
• Publish software using document activation
• Publish software using Add or Remove Programs
• Assign software during Computer Configuration
• Assign software during User Configuration
Maintaining Software Using Group Policy
Mandatory upgrade
Users can use only the upgraded version
Optional upgrade
Users can decide when to upgrade
Selective upgrade
You can select specific users for an upgrade
Deploy next version of the application
Create and Scope a Software Deployment GPO
• Computer [or User] Configuration \ Policies \ Software Settings \ Software Installation
Right-click → New → Package
Browse to .msi file through network path (\\server\share)
Choose deployment option (Recommended: Advanced)
• Managing the scope of a software deployment GPO
Typically easiest to manage with security group filtering
Create an app group such as APP_XML Notepad
Put users into the group: allows users to access software share in the event that repairs or reinstalls are necessary
Put computers into the group if assigning to computers
Maintain Software Deployed with GPSI
• Redeploy application
After successful install, client will not attempt to reinstall app
You might make a change to the package
Package → All Tasks → Redeploy Application
• Upgrade application
Create new package in same or different GPO
Advanced → Upgrades → Select package to upgrade
Uninstall old version first; or install over old version
• Remove application
Package → All Tasks → Remove
Uninstall immediately (forced removal) or Prevent new installations (optional removal)
Don’t delete or unlink GPO until all clients have applied setting
GPSI and Slow Links
• The Group Policy Client determines whether the domain controller providing GPOs is on the other side of a slow link
Less than 500 kbps by default
• Each CSE uses the “slow link” determination to decide whether to process
By default, GPSI does not process over a slow link
• You can change slow link processing behavior of each CSE
Computer Configuration\Policies\Administrative Templates\System\Group Policy
• You can change the slow link threshold
Computer [or User] Configuration\Policies\Administrative Templates\System\Group Policy
What Is Folder Redirection?
Folder redirection allows folders to be located on a network server, but appear as if they are located on the local drive
The folders that can be redirected are:
• My Documents (Documents in Windows® Vista)
• Application Data (AppData in Windows Vista)
• Desktop
• Start Menu
Extra folders that can be redirected in Windows Vista are:
• Contacts
• Downloads
• Favorites
• Searches
• Links
Folder Redirection Configuration Options
[Diagram: Accounting Users, Accounting Managers, Accounts A-M, Accounts N-Z, Anne, Misty]
• Use basic Folder Redirection when all users save their files to the same location
• With advanced Folder Redirection, the server hosting the folder location is based on group membership
• Target folder location options:
• Redirect to the users’ home directory
• Create a folder for each user under the root path
• Redirect to the following location
• Redirect to the local userprofile location
Options for Securing Redirected Folders
NTFS permissions for root folder
• Creator/Owner: Full control - subfolders and files only
• Administrator: None
• Security group of users that put data on share: List Folder/Read Data, Create Folders/Append Data - This Folder Only
• Local System: Full control
Share permissions for root folder
• Creator/Owner: Full control - subfolders and files only
• Security group of users that put data on share: Full control
NTFS permissions for each user's redirected folder
• %Username%: Full control, owner of folder
• Administrators: None
• Local system: Full Control
• Creator/Owner: Full control - subfolders and files only
©2009 Microsoft, Microsoft Dynamics, the Office logo, and Your potential. Our passion. are trademarks of the Microsoft group of companies. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.