Re: Default User Profile Locks Down Admin!
- From: ruudvdvelden@xxxxxxxxxxxxxxxxxxxx
- Date: 12 Aug 2005 12:51:07 -0700
Hello,
Don't know if this is interesting information to you:
Changes in behavior of the SysPrep and RIPREP tools after you install
Windows XP Service Pack 2
http://support.microsoft.com/default.aspx?scid=kb;en-us;887816
Regards,
Ruud
Matt Callaghan wrote:
> We do not usually give Admin rights locally for our "users". If required, we
> do so...but usually we allow the domain controller to assign the appropriate
> rights, instead of having user accounts on every machine.
>
> This is an interesting point you bring up there. Perhaps it might work out
> more appropriately, if when building the default user profile, we give that
> "user base" Admin rights only for building the default user profile.
>
> We'll have to test if after a real "user" logs in, does the Domain
> Controller lock them down like it should!
>
> Thanks, we'll test this idea!
>
> "Jim Smith" wrote:
>
> > Are your "users" classified as local administrators on each machine they
> > use? If not many software programs will not behave.
> >
> >
> > "Matt Callaghan" <MattCallaghan@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
> > news:DF51042F-1188-4E7E-A023-AB20615F88C1@xxxxxxxxxxxxxxxx
> > > This is also what I've tried. If we create the default user profile top
> > > down, we have a problem with a program that acts differently as an admin
> > > vs. a regular user, so because of this, it's not recommended to build the
> > > default user profile top down.
> > >
> > > The strange part about it is, it's only this ONE TIME so far that we've
> > > experienced this. Every other LAN Admin, including myself, builds the
> > > default user profile from a restricted user account, and has never had
> > > problems.
> > >
> > > We can't figure out what was done differently in this Image creation that
> > > would actually cause such a crazy lockout.
> > >
> > > (i.e. it makes sense what you say. Since we built the default user
> > > profile off a restricted account, the registry settings carry over to the
> > > LAN Admin's profile, and thus restrict any LAN Admin who might login...)
> > > (HOWEVER: Why has this never happened before? We assume that the domain
> > > somehow, should usually override registry settings for the LAN Admin...and
> > > give that admin full access....but for some reason it did not happen on
> > > this image.)
> > >
> > > Just wondering WHY! haha.
> > >
> > > "Jim Smith" wrote:
> > >
> > >> If I did not misread what you said, you are doing this just backwards
> > >> from what I do.
> > >>
> > >> I set everything up as I need it in the local administrator profile, then
> > >> log on as a domain admin and copy the administrator profile to the
> > >> default user profile.
> > >>
> > >> You are creating administrator profiles from user accounts that have
> > >> lower privileges and therefore you are getting access restrictions.
> > >>
> > >> Try creating profiles from the top down instead of from the bottom up.
> > >>
> > >> "Matt Callaghan" <MattCallaghan@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
> > >> news:59DE7E02-AC4D-422B-82C1-32EDA1416FFE@xxxxxxxxxxxxxxxx
> > >> > Hey everyone...I've got a strange problem/question.
> > >> >
> > >> > Here's the situation.
> > >> >
> > >> > We're on a Domain "X".
> > >> > Setting up a machine with Windows XP Pro SP2 for an Image. OK.
> > >> > Everything is about ready to go (Before we SysPrep, and create the
> > >> > image for it), so we begin creating the default user profile.
> > >> >
> > >> > NOTE: The Domain has user accounts separated by "users" and
> > >> > "administrators".
> > >> >
> > >> > Creating the Default User Profile:
> > >> > Login as a "user" account. Setup everything we need (Drive Mappings,
> > >> > Shortcuts, etc etc.). Logout.
> > >> > Login as an "admin" account. Delete the current default user profile,
> > >> > and re-create using the previous login. Correct.
> > >> >
> > >> > Now, whenever an ADMIN logs in to this machine, and if that admin's
> > >> > profile is created from the default user profile, the admin is locked
> > >> > down!!! It's as if the default user profile is over-riding privilege
> > >> > settings from the domain!
> > >> > (For an example, when an admin whose profile was created from the
> > >> > default profile attempts to use "Add/Remove Programs", that admin will
> > >> > receive the error that a USER would normally receive: "Add or Remove
> > >> > Programs has been restricted. Please check with your Administrator".)
> > >> >
> > >> > Any ideas how to stop this "Privilege Over-ride" from happening?...or
> > >> > what we could have done to CAUSE it to happen?
> > >> >
> > >> > (We've built several other images, and this has never happened before)
> > >> >
> > >> > We'll probably just rebuild this one image that is giving us
> > >> > troubles, but we're interested to know WHY it happened.
> > >> >
> > >> > Thanks!
> > >>
> > >>
> > >>
> >
> >
> >
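
The diagnosis discussed in the thread above is that restriction settings stored in the restricted account's registry are copied into the default user profile and then inherited by every new profile, admins included. As an added example (not part of the original posts), this PowerShell script mounts a profile's NTUSER.DAT and lists the per-user policy values it contains; the hive path, the mount name and the two policy key paths are assumptions, not details given in the thread.

```powershell
# Added example: list per-user policy values stored in a profile's NTUSER.DAT.
# Assumptions (not from the thread): the hive path (XP default profile location),
# the temporary mount name, and the two policy roots checked below.
param(
    [string]$HivePath  = "$env:SystemDrive\Documents and Settings\Default User\NTUSER.DAT",
    [string]$MountName = 'DefaultProfileAudit'
)

$policyRoots = @(
    'Software\Microsoft\Windows\CurrentVersion\Policies',
    'Software\Policies'
)

# Mount the offline hive under HKEY_USERS (needs an administrator session).
& reg.exe load "HKU\$MountName" "$HivePath" | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Could not load hive: $HivePath" }

try {
    $findings = foreach ($root in $policyRoots) {
        $base = "Registry::HKEY_USERS\$MountName\$root"
        if (-not (Test-Path $base)) { continue }
        $keys = @(Get-Item $base) +
                @(Get-ChildItem $base -Recurse -ErrorAction SilentlyContinue)
        foreach ($key in $keys) {
            foreach ($name in $key.GetValueNames()) {
                New-Object PSObject -Property @{
                    Key   = $key.Name
                    Value = $name
                    Data  = $key.GetValue($name)
                }
            }
            $key.Close()   # release the handle so the hive can be unloaded
        }
    }
    if ($findings) {
        $findings | Select-Object Key, Value, Data | Format-Table -AutoSize
    } else {
        'No per-user policy values found in this hive.'
    }
}
finally {
    # Drop any remaining registry handles, then unmount the hive.
    [gc]::Collect()
    [gc]::WaitForPendingFinalizers()
    & reg.exe unload "HKU\$MountName" | Out-Null
}
```

Running it against the default profile of an image before SysPrep shows whether restriction values from the account used to build the profile would be handed to every new user of that image.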