How do I use Startup scripts and GPO's in Active Directory
I have a 10-client network and am upgrading from an NT4 server (PDC) to Server 2003 (also as a DC). Setting up a startup.cmd script was easy in NT4: just create it and put it in %SystemRoot%\system32\REPL\import, and you were done. With Server 2003, I'm not sure what to do. My clients need to map to shares on the server and receive printer assignments based on location. I am avoiding WSH for now due to lack of familiarity and the need to proceed. So, I am sticking to CMD-line scripting (I'm pretty good there). My issues are:

1. Do I need to create OUs? If so, Research_ou (5), Microfilm_ou (2), and staff_ou (1) are my max needs. One server and 10 clients shouldn't need much structure.

2. Creating groups would appear much like the OUs: Research_GP, Microfilm_GP, and Staff_GP. Do I need groups to drive scripts? Or OUs?

3. The research PCs are manned by users all using the same name (e.g. Guest), so the client computer and its location govern startup actions.

4. When creating groups, do I use domain local or global groups? Never been clear about where to use which. Don't need universal groups.

5. Startup scripts control Computer objects and logon scripts control user/group objects, yes? Or should the login script map drives on the client PCs? I would prefer that drive mapping occur during computer startup instead of user login. What is possible?

6. How do GPOs fit into this scheme of things? Do I use GPOs to control scripts, OUs/domain, and/or groups? (GPOs should control groups, but how they affect scripts and OUs/domain is uncertain.) If so, how? All this confusion just to map server shares and printers to my clients.

7. Do I have to modify ACEs/ACLs? If so, which? Is Read and Execute enough? Maybe just Read?

The more I read regarding this issue, the more confused I become. Is there a simple explanation for the use of these objects? Where do I use OUs/domain versus groups, domain local versus global groups, scripts versus GPOs? And where/how does one fit inside of another?

Bill
October 27th, 2009 3:08pm

Hi Bill,

You don't have to have OUs. You can simply link a GPO to the domain root yourdomain.com and it will apply to all OUs beneath it unless you block inheritance. If you need to map different drives to different groups, you can either use multiple GPOs at the domain root level or, as you say, use Organizational Units to keep the GPOs clear. Groups can be used with security filtering: just set the rights for the groups you want to be able to take advantage of the GPO.

1. Read above.

2. Read above.

3. You can link the GPO to the domain root and just set the User policy to map the drive, using the script. Use a logon script.

4. Universal and global groups can be assigned permissions in any domain. However, global groups can only contain members from within their own domain. Domain local groups can only contain members from their own domain and cannot be assigned permissions in other domains. So in your case just use the default global security group.

5. I would use the user logon to map drives, since they are mostly dictated by user security rights. Actually, I have never tried using computer settings to map drives, so I'm not sure if it works.

6. GPOs are used for much more than mapping drives. Spend a little time in the Group Policy Management Console and get familiar with it. Once you get the hang of it you'll never want to go back.

7. The default security filtering of a GPO is Authenticated Users. So no, if you don't need anything special you don't have to modify the security filtering.

MCTS: Windows Server 2008 Active Directory Configuration
Blog: http://www.nixadmins.net
October 27th, 2009 8:50pm

Hello Bill,

Please see inline for responses:

1. Do I need to create OUs? If so, Research_ou (5), Microfilm_ou (2), and staff_ou (1) are my max needs. One server and 10 clients shouldn't need much structure.
- Not necessarily. You only have 10 users... OUs are not needed for drive mapping.

2. Creating groups would appear much like the OUs: Research_GP, Microfilm_GP, and Staff_GP. Do I need groups to drive scripts? Or OUs?
- You will need groups only if you need to map drives based on the users' group level. If all users are accessing the same drives, then you do not need groups; you just use the default policy.

3. The research PCs are manned by users all using the same name (e.g. Guest), so the client computer and its location govern startup actions.
- You may want to consider giving users actual domain IDs/names rather than using the generic Guest account, which is not safe and may make your network vulnerable.

4. When creating groups, do I use domain local or global groups? Never been clear about where to use which. Don't need universal groups.
- Domain local groups are preferable. Read more here: http://support.microsoft.com/kb/884417

5. Startup scripts control Computer objects and logon scripts control user/group objects, yes? Or should the login script map drives on the client PCs? I would prefer that drive mapping occur during computer startup instead of user login. What is possible?
- You are correct. Startup/shutdown = computers and logon/logoff = users. Drive/share mappings are based on user permissions/access and not on the computer. So you will be better off using user accounts or groups to map drives.

6. How do GPOs fit into this scheme of things? Do I use GPOs to control scripts, OUs/domain, and/or groups? (GPOs should control groups, but how they affect scripts and OUs/domain is uncertain.) If so, how? All this confusion just to map server shares and printers to my clients.
- Yes, after you write the scripts, you will need to configure a GPO to apply the script to all users/computers.

7. Do I have to modify ACEs/ACLs? If so, which? Is Read and Execute enough? Maybe just Read?
- You will need to modify ACLs if you are giving access to a share; then give the proper access to the correct users so they are able to access the resources.

The more I read regarding this issue, the more confused I become. Is there a simple explanation for the use of these objects? Where do I use OUs/domain versus groups, domain local versus global groups, scripts versus GPOs? And where/how does one fit inside of another?

Isaac Oben MCITP:EA, MCSE
October 28th, 2009 12:34am

Isaac, thanks for your reply. To clear up a couple of points:

Item 1: Actually we have 10 workstations and a couple hundred users (who come in as they desire). But the workstations are dedicated to specific tasks and need drive and printer mapping for those tasks and their locations in the building. Based on further reading, I understand that OUs and domains are for administrative purposes, while scripts and GPOs are for assigning resources to the user, group, or computers (resources meaning network shared drives and printers, etc.). Our server/DC is a data store for 500 GB on 15 network shares.

Item 3: Our client stations are pretty secure and even strangers can come in and use them. Thus the need for guest-level access without logins. The actual login is User: Patron and the password is blank. What I would like to do is lock the PC until the user enters his/her first and last names, then unlock the screen and give full access to the products we provide (something similar to FTP's anonymous logon). The user would always access our PCs as a guest (Patron) user, but by requiring them to enter first and last names we relieve them from having to sign in on a paper sheet and improve our recordkeeping about PC usage and the number of guests we support. Any ideas along those lines?

Item 7: So if I understand you correctly, I need to modify permissions (ACLs) of shared drives to allow the desired users/groups to access those shares (resources = shares, yes?). Since there are share permissions and NTFS permissions, we are giving our desired users Full Control on the shares and Read or Read/Execute on NTFS permissions.

Thanks again,
Bill H.
November 6th, 2009 2:54pm

Hello Bill,

For item 1, you can implement a logon script based on the user's group to map drives, assign printers, etc. Here is a link to a free logon script generator. I have used this and it works perfectly. You can create a group of all the users that need to access specific workstations and have their required drives, printers, etc., and then apply the logon script to the group: http://www.jdhitsolutions.com/logonscriptgen/index.htm

Item 3: I may suggest you assign domain login names for the users, something in the line of firstname.lastname, and then make them log in to the PC to access resources.

Item 7: Sounds good if all users need to access those shares.

Isaac Oben MCITP:EA, MCSE
November 6th, 2009 5:04pm
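Added example, not posted by anyone in this thread: a CMD logon script of the kind the two replies recommend, meant to be assigned under User Configuration > Windows Settings > Scripts (Logon/Logoff) in a GPO linked at the domain root, with the .cmd file placed in that GPO's User\Scripts\Logon folder in SYSVOL (readable by Authenticated Users by default, which is why the default security filtering in answer 7 is enough). Because every patron on a given workstation logs on as the same Patron account, the script branches on %COMPUTERNAME% rather than on the user or a group, so the computer and its location govern the mappings while the script still runs in the user's session. That is the practical answer to item 5: a computer startup script runs as the local system before anyone logs on, so drive letters it maps are never visible to the user. The server name FILESRV, the share and printer names, and the workstation name prefixes RES, MFM and STA are assumptions made for this example.

```batch
@echo off
rem Example logon script (added illustration, not code from this thread).
rem Assumed names: file server FILESRV; shares Research, Microfilm, Staff;
rem shared printers ResearchPrinter, MicrofilmPrinter, StaffPrinter;
rem workstations named RES01-RES05, MFM01-MFM02 and STAFF01.
setlocal

set SRV=\\FILESRV

rem Drop any stale mapping of the letters we are about to use. /y answers the
rem "files are open" prompt; output is discarded because the letter may already
rem be free, and that is not an error for our purposes.
for %%D in (R S) do net use %%D: /delete /y >nul 2>&1

rem Branch on the first three characters of the computer name, i.e. on the
rem machine's task/location, not on the (shared) user account.
set PREFIX=%COMPUTERNAME:~0,3%
if /i "%PREFIX%"=="RES" goto research
if /i "%PREFIX%"=="MFM" goto microfilm
if /i "%PREFIX%"=="STA" goto staff
echo Unknown workstation %COMPUTERNAME%: no drives or printers mapped.
goto end

:research
rem /persistent:no keeps the mapping out of the user's profile, so it is
rem recomputed from this script at every logon instead of lingering.
net use R: %SRV%\Research /persistent:no
call :addprinter "%SRV%\ResearchPrinter"
goto end

:microfilm
net use R: %SRV%\Research /persistent:no
net use S: %SRV%\Microfilm /persistent:no
call :addprinter "%SRV%\MicrofilmPrinter"
goto end

:staff
net use S: %SRV%\Staff /persistent:no
call :addprinter "%SRV%\StaffPrinter"
goto end

rem Subroutine: connect a shared printer for the current user (/in) and make
rem it the default (/y). printui.dll ships with Windows 2000 and later.
:addprinter
rundll32 printui.dll,PrintUIEntry /in /n %1
rundll32 printui.dll,PrintUIEntry /y /n %1
goto :eof

:end
endlocal
```

The script runs with the logged-on user's token, so what a patron can actually open on R: or S: is decided by the share and NTFS ACLs discussed under item 7, not by the script; the script only decides which letters and printers appear on which machine. If a later reply's approach of real per-user accounts and group-based mapping is adopted, the same skeleton works with the branch condition swapped for a group membership test.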
