Re: Roaming Profile Not Staying Mandatory
From: Tom (Tom_at_discussions.microsoft.com)
Date: 03/01/05
- Next message: Tom: "Re: Roaming Profile Not Staying Mandatory"
- Previous message: Lanwench [MVP - Exchange]: "Re: Roaming Profile Not Staying Mandatory"
- In reply to: Lanwench [MVP - Exchange]: "Re: Roaming Profile Not Staying Mandatory"
- Next in thread: Tom: "Re: Roaming Profile Not Staying Mandatory"
- Reply: Tom: "Re: Roaming Profile Not Staying Mandatory"
- Messages sorted by: [ date ] [ thread ]
Date: Tue, 1 Mar 2005 12:59:11 -0800
Well, this account is a school and they want to be able to track the
students. They use Symantec Web Security which also requires security.
Also, they want them to use individual folders for data storage on the
network. Is there a better way of doing it? I've set up many small schools
this way and it works great for controlling printers, desktop icons and
programs. It's easy to change as well. Thanks, Tom
"Lanwench [MVP - Exchange]" wrote:
> Tom wrote:
> > Your presumption is correct. Except I have all users use the same
> > profile. The parent profile share is hidden with the name mprofile$.
> > Ex. \\student\mprofile$\user. I use this same setup almost all the
> > time as well, which is why I'm confused as to what is going on. The
> > roaming profile is working correctly besides the mandatory part. If
> > it doesn't mandatory then the profile gets too big to be mandatory. I
> > may have to set up a group policy to work around it. Thanks for the
> > help. Tom
>
> All right - why do you have multiple user accounts, then? What benefit does
> this provide, given that they won't have any custom settings whatsoever -
> why can't everyone use the same account (and not be permitted to change the
> password)? Is it only for auditing logins/logouts?
>
> That said: these users (ideally, a group rather than individuals) have
> exactly what NTFS permissions on this
> common profile subfolder?
>
> If you take ownership as Administrators (*not* Administrator), push those
> settings down to subitems, and then change the NTFS security to:
>
> a) remove inheritance from the parent folder, if it isn't correct (choose
> 'copy', not remove) and
> b) grant administrators & system & users=full control, and push *those* down
> to subfolders as well
>
> ....any change?
>
> I think there is a GP that doesn't permit login if the roaming profile can't
> be loaded properly, but I'm damned if I know where it is.
>
> Another nice thing (probably won't help with your issue):
> http://www.microsoft.com/downloads/details.aspx?FamilyID=1b286e6d-8912-4e18-b570-42470e2f3582&displaylang=en
>
> >
> > "Lanwench [MVP - Exchange]" wrote:
> >
> >> Tom wrote:
> >>> The server is Windows 2003 with Windows 2000 and XP Pro Clients.
> >>> The permissions at the share point location are not restricted.
> >>> They are set default with everyone able to do anything. Also the
> >>> share point location is on a secondary Windows 2000 server, but
> >>> I've tested having the share on the primary 2003 server with the same
> >>> results. The users are not domain admins either. Once I create
> >>> the profile on a client and then save it to the location on the
> >>> server
> >>
> >> ....by this I presume you mean:
> >>
> >> 1. Each user's ADUC settings specify \\server\parentshare\%username%
> >> in the profile field [a]
> >> 2. You log into the domain as this user on a workstation, modify the
> >> profile, and then log out so that the profile is automatically
> >> uploaded to that user's profile folder on the server
> >> 3. Then on the server, while this user is *not* logged in anywhere,
> >> you rename the ntuser.dat to ntuser.man [b]
> >> 4. And you do this for all your user profiles.
> >>
> >> All this should work fine. I do it all the time.
> >>
> >> [a] And on the parent profile directory, the share permissions are
> >> set to everyone=full control, and the NTFS permissions are set to
> >> grant everyone (not necessarily that group - could use authenticated
> >> users) full control as well. This will be adjusted when the profile
> >> is uploaded for the first time. I recommend making the parent
> >> profile share a hidden one - as in,
> >> PROFILES$ - so it can't be browsed. So then you can use
> >> \\server\profiles$\%username%
> >>
> >> [b] Of course, you need to have permissions to open the profile
> >> folder - if you don't have them, you'll have to take ownership as
> >> Administrators (the group) and reset the NTFS permissions. Or you
> >> can use the option in GP (?) to automatically grant administrators
> >> access to user profiles.
> >>
> >>
> >>
> >>> I rename the
> >>> ntuser.dat to ntuser.man, but once any client machine logs on and
> >>> logs off using the profile a new ntuser.dat is created and the
> >>> changes that were made to the profile are saved to the share. So
> >>> there is nothing mandatory about it. I've never had this happen.
> >>> I'm getting frustrated. Thanks for the response. Tom
> >>>
> >>> "NIC Student" wrote:
> >>>
> >>>> Hi Tom,
> >>>>
> >>>> What network OS? What client OS?
> >>>>
> >>>> What permissions are given to the share point on the server?
> >>>>
> >>>> Do you mean the .dat is written on the server?
> >>>>
> >>>> --
> >>>> Scott Baldridge
> >>>> Windows Server MVP, MCSE
> >>>>
> >>>> "Tom"
> >>>>> I have a network where the users login using a mandatory profile.
> >>>>> I have changed the ntuser.dat to ntuser.man, but
> >>>>> when the users login and log out it creates a new ntuser.dat and
> >>>>> ignores the
> >>>>> .man change. I have used mandatory roaming profiles for years and
> >>>>> this is the first problem that I've had. Any suggestions you have
> >>>>> will be greatly appreciated.
> >>>>> Thanks, Tom
>
>
>
>
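An added example, not part of any post in this thread: a PowerShell check for the symptom described above, where a profile folder holds ntuser.man but a newly written ntuser.dat appears beside it. It also lists the non-administrative principals that hold write access on each folder. The share path is a placeholder and the column names are this example's own.

```powershell
# Added example: audit each folder under a roaming-profile share.
# $ProfileRoot is a placeholder; substitute the real parent profile share.
param([string]$ProfileRoot = '\\server\profiles$')

# Principals expected to have write access; everything else is reported.
$expected = 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM'

# WriteData (0x2) | AppendData (0x4) | GENERIC_WRITE | GENERIC_ALL.
# The generic bits show up on inherit-only ACEs that Get-Acl returns unmapped.
$writeBits = 0x2 -bor 0x4 -bor 0x40000000 -bor 0x10000000

Get-ChildItem -LiteralPath $ProfileRoot -Directory -Force | ForEach-Object {
    $dir = $_.FullName

    # ntuser.* files are hidden, so Get-Item needs -Force to see them.
    $man = Get-Item -LiteralPath (Join-Path $dir 'ntuser.man') -Force -ErrorAction SilentlyContinue
    $dat = Get-Item -LiteralPath (Join-Path $dir 'ntuser.dat') -Force -ErrorAction SilentlyContinue

    # Allow ACEs that let a non-administrative principal create files here.
    $writers = (Get-Acl -LiteralPath $dir).Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            ([int]$_.FileSystemRights -band $writeBits) -and
            ($expected -notcontains $_.IdentityReference.Value)
        } |
        ForEach-Object { $_.IdentityReference.Value } |
        Sort-Object -Unique

    [pscustomobject]@{
        Profile         = $_.Name
        HasNtuserMan    = [bool]$man
        StrayNtuserDat  = [bool]$dat
        # A .dat newer than the .man means it was written after the rename.
        DatNewerThanMan = [bool]($man -and $dat -and $dat.LastWriteTime -gt $man.LastWriteTime)
        NonAdminWriters = $writers -join '; '
    }
} | Format-Table -AutoSize
```

Run it from an account that can read the profile folders; a row with both HasNtuserMan and StrayNtuserDat set to True matches the behaviour Tom reports.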