Windows 10 client: use symbolic links for the Desktop, Documents and Downloads folders pointing to H:, because the default install of linuxmuster (https://www.linuxmuster.net/de/home/) uses local profile folders and the network drive H: as home directory. The approach below creates this redirection of Desktop, Documents and Downloads semi-automatically: all settings are made on the domain controller; when the user global-admin logs on to a workstation, the symbolic links are created for all users who have already logged on to that workstation.

Manage GPOs by installing RSAT (GPO and AD tools) on Windows 10 with PowerShell:
Get-Command -Noun WindowsCapability
Get-WindowsCapability -Name RSAT* -Online
Get-WindowsCapability -Name RSAT* -Online | Select-Object -Property DisplayName, State
Get-WindowsCapability -Name RSAT.A* -Online | Add-WindowsCapability -Online
Get-WindowsCapability -Name RSAT.Group* -Online | Add-WindowsCapability -Online

Use logon and logoff scripts. The builtin GPO object sophomorix:default:school defines scripts at /var/lib/samba/sysvol/default-school/custom/windows/; create an additional GPO object at global/management (sophomorix:global:management) to define logon/logoff scripts for the user global-admin:
User/Policies/Windows/Scripts

The drive letter H: is mapped to the home directory in linuxmuster, so use
mklink /d Desktop H:\Desktop (same for Documents and Downloads). mklink requires either admin rights (elevated command prompt) or a GPO policy that allows global-admin to create symbolic links:
Computer/Policies/Windows/Security/Local/User settings/create symbolic links

  • user scripts of normal user:
    • create H:\Desktop (same for Documents, Downloads)
    • robocopy content to H:
    • rename Desktop to Desktop.bak when logged off
      (until folder Desktop has been replaced by symlink Desktop)
    • give global admin access to main user folder
    • if symlink does not yet exist, copy content from H:\Desktop to Desktop during logon
  • logon script of global-admin
    • create symlink
  • startup script
    • truncate log file

logon script of normal users (gpo object in schools/default-school):
@echo off
rem called by gpo object in schools/default-school (builtin)
rem User/Policies/Windows/Scripts
rem ################################################################
rem #          Run custom Logon-Script                             #
rem ################################################################
echo logon.bat %USERNAME% start >>c:\tmp\log.txt
if %USERNAME%==global-admin goto :ADMIN
C:
cd \Users\%USERNAME%
rem for %%d in (Videos) do (
for %%d in (Desktop Documents Downloads) do (
 if exist %%d (
  dir |find "%%d" |find "SYMLINKD"
  if not errorlevel 1 (
   if exist %%d.bak (
    if not exist H:\%%d mkdir H:\%%d
    robocopy %%d.bak H:\%%d /e /copy:DATSO /r:1 /w:3
    rem robocopy exit codes of 8 or higher mean that at least one copy failed
    if not errorlevel 8 (
      attrib -r %%d.bak
      ren %%d.bak %%d.unused
      attrib -r -h -s %%d.unused\* /s /d
      rd %%d.unused /s /q
    ) else (
      attrib -r %%d.bak
      ren %%d.bak %%d.unused
      attrib -r -h -s %%d.unused\* /s /d
    )
   )
  ) else (
   if exist %%d.bak (
    robocopy %%d.bak %%d /e /copy:DATSO /r:1 /w:3
    attrib -r %%d.bak
    attrib -r -h -s %%d.bak\* /s /d
    rd %%d.bak /s /q
    if exist %%d.bak ren %%d.bak %%d.error
   )
   if exist H:\%%d robocopy H:\%%d %%d /e /copy:DATSO /r:1 /w:3
  )
 ) else (
   if exist %%d.bak (
    ren %%d.bak %%d
   ) else (
    mkdir %%d
   )
   if exist H:\%%d robocopy H:\%%d %%d /e /copy:DATSO /r:1 /w:3
 )
)
goto :ENDE
:ADMIN
:ENDE

logoff script of normal users (gpo object in schools/default-school):
@echo off
rem called by gpo object in schools/default-school (builtin)
rem User/Policies/Windows/Scripts
rem ################################################################
rem #          Run custom Logoff-Script                            #
rem ################################################################
echo logoff.bat %USERNAME% start >>c:\tmp\log.txt
if %USERNAME%==global-admin goto :ADMIN
C:
cd \Users\%USERNAME%
icacls \Users\%USERNAME% |find "global-admin" |find "(F)"
if errorlevel 1 (icacls \Users\%USERNAME% /grant "linuxmuster\global-admin":"(NP)(F)" /c)
rem for %%d in (Videos) do (
for %%d in (Desktop Documents Downloads) do (
 if exist %%d (
  dir |find "%%d" |find "SYMLINKD"
  if errorlevel 1 (
   if not exist H:\%%d mkdir H:\%%d
   robocopy %%d H:\%%d /e /copy:DATSO /r:1 /w:3
   rem robocopy exit codes of 8 or higher mean that at least one copy failed
   if not errorlevel 8 (
    attrib -r %%d
    ren %%d %%d.bak
    attrib -r -h -s %%d.bak\* /s /d
    rd %%d.bak /s /q
   ) else (
    attrib -r %%d
    ren %%d %%d.bak
    attrib -r -h -s %%d.bak\* /s /d
   )
  )
 )
)

goto :ENDE
:ADMIN
:ENDE
echo logoff.bat %USERNAME% stop >>c:\tmp\log.txt

logon script of global-admin (gpo object in global/management):
@echo off
rem called by gpo object in global/management (not builtin)
rem User/Policies/Windows/Scripts
rem ################################################################
rem #          Run custom Logon-Script                             #
rem ################################################################
echo logon.bat %USERNAME% start >>c:\tmp\log.txt
if %USERNAME%==global-admin goto :ADMIN
goto :ENDE
:ADMIN
rem user global-admin has symlink create permission in global gpo
rem Computer/Policies/Windows/Security/Local/User permissions: create symbolic links
C:
cd \Users
rem create symlinks in user directories pointing to H:\DIRNAME **only** if
rem  1) user global admin has access to user directory
rem  2) folders Desktop, Documents and/or Downloads do not exist
rem all other work is done by logon/logoff scripts of normal users
for /d %%u in (*) do (
 dir %%u
 if not errorlevel 1 (
  cd \Users\%%u
  for %%d in (Desktop Documents Downloads) do (
   if not exist %%d (
    mklink /d %%d H:\%%d
    if not errorlevel 1 (echo mklink ok %%u\%%d >>c:\tmp\log.txt) else (echo mklink failed %%u\%%d >>c:\tmp\log.txt)
   )
  )
  cd \Users
 )
)

:ENDE
echo logon.bat %USERNAME% stop >>c:\tmp\log.txt

logoff script of global-admin (gpo object in global/management):
@echo off
rem called by gpo object in global/management (not builtin)
rem User/Policies/Windows/Scripts
rem ################################################################
rem #          Run custom Logoff-Script                            #
rem ################################################################
echo logoff.bat %USERNAME% start >>c:\tmp\log.txt
if %USERNAME%==global-admin goto :ADMIN
goto :ENDE
:ADMIN
:ENDE
echo logoff.bat %USERNAME% stop >>c:\tmp\log.txt

startup script (gpo object in schools/default-school, runs as machine account):
@echo off
rem called by gpo object in schools/default-school (builtin)
rem Computer/Policies/Windows/Scripts (running as machine account)
rem ################################################################
rem #          Run custom Systemstart-Script                       #
rem ################################################################
rem overwrite the existing logfile, that is, clear the log at startup
if not exist C:\tmp mkdir c:\tmp
echo sysstart %USERNAME% >C:\tmp\log.txt
:ENDE
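
Check of the result, as an added example (not part of the original post): the PowerShell function below lists, for every profile under C:\Users, whether Desktop, Documents and Downloads are missing, still local folders, or symlinks to H:\, and reports leftover .bak/.unused/.error folders from the scripts above. The name Get-RedirectState and its parameters are made up for this example; run it as global-admin so the profile folders are readable.

```powershell
# added example: audit the redirection state produced by the scripts above
# assumptions: profiles live in C:\Users, links must point to H:\<folder>
$Folders  = 'Desktop', 'Documents', 'Downloads'
$Leftover = '.bak', '.unused', '.error'   # suffixes used by the logon/logoff scripts

function Get-RedirectState {
    param([string]$ProfilesRoot = 'C:\Users', [string]$TargetRoot = 'H:\')
    $dirs = Get-ChildItem -LiteralPath $ProfilesRoot -Directory -ErrorAction SilentlyContinue
    foreach ($userDir in $dirs) {
        foreach ($name in $Folders) {
            $path   = Join-Path $userDir.FullName $name
            $item   = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue
            $target = $null
            if (-not $item) {
                $state = 'Missing'            # inaccessible profiles also end up here
            } elseif ($item.LinkType -eq 'SymbolicLink') {
                $target   = @($item.Target)[0]
                # plain string join: Join-Path fails when drive H: is not mapped
                $expected = $TargetRoot.TrimEnd('\') + '\' + $name
                $state = if ($target -ieq $expected) { 'Linked' } else { 'UnexpectedTarget' }
            } elseif ($item.LinkType) {
                $state = 'OtherReparsePoint'  # e.g. a junction, not created by these scripts
            } else {
                $state = 'LocalFolder'        # not migrated yet
            }
            # folders left behind by an interrupted or failed migration
            $stale = $Leftover | Where-Object { Test-Path -LiteralPath ($path + $_) }
            [pscustomobject]@{
                User = $userDir.Name; Folder = $name; State = $state
                Target = $target; Leftovers = ($stale -join ',')
            }
        }
    }
}

# does the current token carry the right granted by the "create symbolic links" policy?
$canLink = [bool](whoami /priv | Select-String -SimpleMatch 'SeCreateSymbolicLinkPrivilege')
"SeCreateSymbolicLinkPrivilege in token: $canLink"
Get-RedirectState | Format-Table -AutoSize
```

Rows with State UnexpectedTarget or a non-empty Leftovers column are the ones to look at by hand before deleting anything.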
