Its been a while. I haven’t had to install a windows only domain for such a long time (probably around 3 years). Of course, I have been keeping up with the latest developments in this strange proprietary world, and I have a small windows lab that I use for testing odds and sods.
I have started to think that maybe I’ve become too accustomed to the way things should be done. I believe that simplicity is the key to a networks success. I know I’m right here, so why does everything in the land of Microsoft disagree with me?
Lets discuss the problem, and see where I am going wrong. I have had to install a Windows 2003 server as both a domain controller, and as a file server. It is running all of the necessary offerings - DHCP, WINS, DNS etc. etc. In fact, this worked a treat, client logins were working within no time. Chuffed with this, I decided to set up group policy and create different OU’s (organisational units within the AD) for different departments/levels of user. I thought this would make setting up access and logon scripts a walk in the park.
Group policy worked, exactly how I would have expected it to have. But now I needed to set up roaming profiles (using my newly created profiles share). This is where the problems began. The company whom I have set up the network for, have 1100 users. Yep - 1100, bear in mind that only 20 are logging on at any one point - and infrastructure is not the concern of this post). Now, also bear in mind that the network manager for this network is not really a network manager, and has no experience dealing with any kind of network - all he wants to be able to do is add new users, and reset passwords when people forget them.
Resetting the passwords is a simple procedure, adding new users is not - it should be - but its not. Every time you need to add a new user, you must set the home directory manually, and also must set the profile path manually. Let me say that again :
For every user, you must set the profile path to be \\[server_name]\profiles\%USERNAME% and for the home directory, you must set the connect network drive option to drive [x]: and the path to be \\[server_name]\profiles\%USERNAME% (where [server_name] is the DNS/Netbios name of your server)
Imagine the shock, as a new systems administrator, setting this for 1,100 users. As a seasoned admin, this is no walk in the park anyway, but for a newbie administrator, with no previous experience - it is certainly rather scary/labourious/tedious/boring (delete as appropriate).
I have made the job a little simpler, by creating a dummy account with all of the settings pre-set. All the newbie admin has to do, is remember to copy the user in the current OU, and create the account that way. Of course, if he doesn’t, then all of the options will need setting manually.
So, why this rant? Well lets see.
In Samba, in order to create a link to both the home directory and the roaming profiles, I make a setting once in /etc/samba/smb.conf to look like the following:
logon path = \\[server_name]\%u\.profile
logon home = \\[server_name]\%u\.profile
logon drive = h:
Thats it. Yep, once. Let’s do the math, thats 1,099 times less to make the change.
I suppose you might wonder why this is important? Well, for instance - if something needs changing with the profile path, or the home directories, I need to make another change to each user under Windows 2003. In samba on the other hand, I make the change once and it’s set for each user globally.
I would have thought that Microsoft would have implemented such a thing as user templates at the very least. So when I set up a user in a particular OU, it would take the defaults that I have specified in my template. Unfortunatly, I could not find anything that would do this. Under linux though, I can edit the /etc/skel files and any changes I make there, are passed through to each new user. Useful, don’t you think.
Don’t get me wrong, this is not bashing Windows. This is just a suggestion for Microsoft to try and remove some of the pressure for system administrators. Especially the newbies.