2

Something I was kinda wondering about.

First, Is it wise to use a roaming profile for a Domain Admin account?

Second, Where should it be stored? I would think storing it on the file server with the other profiles would not be good in case the server is not available.

Any insight would be helpful.

John Gardeniers
  • 27,458
  • 12
  • 55
  • 109
AtomicPorkchop
  • 1,975
  • 8
  • 34
  • 55

3 Answers3

3

If you absolutely feel your convenience is more important to you than what you will be trading it for you can set up a roaming profile for the domain admin account in exactly the same way you do for any other user. Do it through ADUC, as you would any other account settings.

Your concern about the server hosting the profile being unavailable is unwarranted. Once you have logged onto any machine with that account the profile will be copied to it and the local copy will be used if the server is unavailable.

Of course there should be precious little in your profile to be copied. Ideally an admin's profile will be as close to empty as you can make it. That helps to keep things clean, stable and secure.

John Gardeniers
  • 27,458
  • 12
  • 55
  • 109
  • Yeah mainly I just wanted the profile to have the simple things changed in it. The way the start menu is, the color of the background.. etc. – AtomicPorkchop Mar 26 '11 at 02:59
2

Since you shouldn't really be logging into anything as domain admin except in certain circumstances, there's really no good reason to give it a roaming profile. That account is the keys to the kingdom, the less you mess with it, the better.

MDMarra
  • 100,734
  • 32
  • 197
  • 329
  • Well I am using it to configure a bunch of new VMs and I wanted all of the profiles to be as identical as possible. – AtomicPorkchop Mar 24 '11 at 01:40
  • 1
    If you're saying that comfort - i.e. your personal preferences for desktops, which seems to be what you're getting at here - is more important to this environment than security, then go for it. DA accounts should not be used for day to day activities. – TristanK Mar 24 '11 at 02:04
  • @Solignis: If that's the case then put together a checklist of the profile settings you want and follow the checklist on each server. – joeqwerty Mar 24 '11 at 02:41
  • I pretty much thought about this further and also put it into effect and was not happy with the results and quickly removed it. Was pretty much a waste of my time. – AtomicPorkchop Mar 26 '11 at 03:00
2

If you just want all the profiles to be the same when a new user logs in you can do a couple of things. First, you can create a GPO and apply it to all users that configures the profiles in the same way. When a user first logs in for the first time, they get their profile setup the same way.

The second thing you can do is create a default profile that is configured they way you want then for any new profile that is created, it will give it the default profile to start with.

If you want to propagate the default profile across the VM's, you can include it in the image you are deploying with or you can copy it over after the OS is deployed.

BoxerBucks
  • 1,374
  • 1
  • 9
  • 19