Re: Repost: GP is ignored, users settings vanish
From: Fred_B (FredB_at_discussions.microsoft.com)
Date: 02/17/05
- In reply to: Roger Abell: "Re: Repost: GP is ignored, users settings vanish"
- Next in thread: Roger Abell: "Re: Repost: GP is ignored, users settings vanish"
- Reply: Roger Abell: "Re: Repost: GP is ignored, users settings vanish"
Date: Thu, 17 Feb 2005 14:55:04 -0800
Thanks for the reply.
Sorry, I'm not sure what you mean by master?
If you mean the directory with all of the individual user profiles in it,
that's got permissions set domain users > full control. The root of the drive
is the same.
Fred
"Roger Abell" wrote:
> Check the NTFS permissions on the master of their roaming
> profile. It sounds as if they are only getting access to their
> profile due to a grant to Administrators and/or Domain Admins.
> When their membership is removed, the profile cannot be read,
> and the system creates a new one.
>
> --
> Roger Abell
> Microsoft MVP (Windows Security)
> MCSE (W2k3,W2k,Nt4) MCDBA
> "Fred_B" <FredB@discussions.microsoft.com> wrote in message
> news:9D38C496-225D-41FF-83A6-92A7BE3C0D70@microsoft.com...
> > Hi,
> > Two problems here I think...
> >
> > To cut to the chase I've created a new OU for certain users who already
> > exist in the default Users group. The users are both domain
> > admins and domain users. They do not need to be domain admins.
> > I have created a new OU for them, which has a group policy applied to it to
> > prevent them switching off screensaver passwords etc nothing overly
> > restrictive.
> > All users use roaming profiles.
> >
> > In a test, I've moved test users to the new OU, and at the same time removed
> > them from the domain admin group.
> >
> > When the test users logon, Windows treats them as if they've never logged on
> > before. Personal settings such as mapped drives, shortcuts etc are gone, the
> > connect to the internet icon pops onto the desktop along with the welcome to
> > windows dialog and all of the default shortcuts on the start menu.
> > Also the group policy doesn't apply...
> > If I leave them in the new OU but make the user a domain admin again, the
> > personalized settings come back and the group policy applies OK.
> > Their settings come back if I move them back to the original users
> > container, obviously GP doesn't apply here.
> >
> > In the group policy, authenticated users and domain users are both set to
> > read and apply group policy.
> > In my previous post, I was directed to what permissions were on the roaming
> > profiles directory. Domain users have full control.
> >
> > This making any sense to anyone?
> >
> > Fred (Confused)
> >
> >
>
>
>
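One way to check the situation described in the quoted reply, where a profile is readable only through an admin group grant, is to audit the ACL on each roaming profile folder itself rather than on the parent directory. This is an added example, not code from either poster; the share path, the domain name, and the assumption that each folder is named after the user's logon name are placeholders.

```powershell
# Added example: report which roaming profile folders are readable only via
# an admin group. $ProfileRoot and $Domain are placeholders, not from the thread.
param(
    [string]$ProfileRoot = '\\SERVER\Profiles$',   # placeholder share path
    [string]$Domain      = 'EXAMPLE'               # placeholder NetBIOS domain
)

$read   = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute
$admins = 'BUILTIN\Administrators', "$Domain\Domain Admins"
$broad  = "$Domain\Domain Users", 'NT AUTHORITY\Authenticated Users', 'Everyone'

Get-ChildItem -LiteralPath $ProfileRoot -Directory | ForEach-Object {
    $dir  = $_
    $user = "$Domain\$($dir.Name)"       # assumes folder name = logon name
    $acl  = Get-Acl -LiteralPath $dir.FullName

    # Principals with an Allow ACE covering at least read/execute.
    # Deny ACEs are ignored, and ACEs stored as generic rights (displayed as
    # raw numbers) are not decoded, so review those entries by hand.
    $readers = @($acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($_.FileSystemRights -band $read) -eq $read
    } | ForEach-Object { $_.IdentityReference.Value })

    $viaUser  = $readers -contains $user
    $viaBroad = [bool]($readers | Where-Object { $broad  -contains $_ })
    $viaAdmin = [bool]($readers | Where-Object { $admins -contains $_ })

    [pscustomobject]@{
        Folder        = $dir.Name
        Owner         = $acl.Owner
        UserAce       = $viaUser
        BroadGroupAce = $viaBroad
        # True when removing admin membership would leave the user with no
        # read access, so Windows would build a fresh profile at logon.
        AdminOnly     = $viaAdmin -and -not ($viaUser -or $viaBroad)
    }
} | Sort-Object AdminOnly -Descending | Format-Table -AutoSize
```

Rows with `AdminOnly` set to `True` are the folders where the only read grant comes from an admin group; the `Owner` column shows whether an admin account, rather than the user, owns the folder.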