Re: Repost: GP is ignored, users settings vanish

From: Roger Abell (mvpNOSpam_at_asu.edu)
Date: 02/17/05 

Date: Thu, 17 Feb 2005 07:55:36 -0700

Check the NTFS permissions on the master of their roaming
profile. It sounds as if they are only getting access to their
profile due to a grant to Administrators and/or Domain Admins.
When their membership is removed, the profile cannot be read,
and the system creates a new one. 

-- 
Roger Abell
Microsoft MVP (Windows  Security)
MCSE (W2k3,W2k,Nt4)  MCDBA
"Fred_B" <FredB@discussions.microsoft.com> wrote in message
news:9D38C496-225D-41FF-83A6-92A7BE3C0D70@microsoft.com...
> Hi,
> Two problems here I think...
>
> To cut to the chase I've created a new OU for certain users who already
> exist in the default Users group. The users are both domain
> admins and domain users. They do not need to be domain admins.
> I have created a new OU for them, which has a group policy applied to it
to
> prevent them switching off screensaver passwords etc nothing overly
> restrictive.
> All users use roaming profiles.
>
> In a test, I've moved test users to the new OU, and at the same time
removed
> them from the domain admin group.
>
> When the test users logon, Windows treats them as if they've never logged
on
> before. Personal settings such as mapped drives, shortcuts etc are gone,
the
> connect to
> the internet icon pops onto the desktop along with the welcome to windows
> dialog and all of the default shortcuts on the start menu.
> Also the group policy doesn't apply...
> If I leave them in the new OU but make the user a domain admin again, the
> personalized settings come back and the group policy applies OK.
> Their settings come back if I move them back to the original users
> container, obviously GP doesn't apply here.
>
> In the group policy, authenticated users and domain users are both set to
> read and apply group policy.
> In my previous post, I was directed to what permissions were on the
roaming
> profiles directory. Domain users have full control.
>
> This making any sense to anyone?
>
> Fred (Confused)
>
>

Relevant Pages

  • Re: restrict roaming profile by computer?
    ... The Roaming User Profile attribute for a user (the location of the roaming ... if set) is stored in the user account object within Active ... application of Group Policy, this parameter cannot be set through Group ...
    (microsoft.public.windows.group_policy)
  • Re: Repost: GP is ignored, users settings vanish
    ... the roaming profile is should have Full control on the ... that is the root of each account's profile should allow ... >> profile due to a grant to Administrators and/or Domain Admins. ... >>> personalized settings come back and the group policy applies OK. ...
    (microsoft.public.windows.group_policy)
  • Re: The Perfect Roaming Profile ?
    ... But it's not a network problem as once logged on, ... It says about warning users "you need to move some items from your profile ... That's assuming, of course, that you're not trying to load a roaming ... I think this can be done in Group Policy, ...
    (microsoft.public.windowsxp.setup_deployment)
  • Re: Would like to lockdown public computer
    ... If you use the guest account be ... Learn to use Group Policy. ... > protect the cmos settings as it is easy to reboot a computer from a floppy ... > the mandatory profile on the local computer and then have the users ...
    (microsoft.public.win2000.security)
  • Re: How do you all manage employee workstations? Looking for sugge
    ... When enabled roaming profiles, users have same profiles ... been authenticated within the directory service, the user profile, ... You can use group policy to assign software to all workstations. ... How to use Group Policy to remotely install software in Windows Server 2003 ...
    (microsoft.public.windows.server.sbs)