Re: Help with Owner of a roaming profile folder
- From: "John D. Leonard -- Sage" <sage.grp@xxxxxxxxxxx>
- Date: Wed, 12 Sep 2007 11:30:35 -0400
No I did not try the Local Administrators Group. I'm trying to eliminate the
Administrator rights/permissions.
I will try it next Tuesday.
I will follow your other instructions!
Let you know how I make out.
Thx again
--
John D. Leonard -- Sage
"Lanwench [MVP - Exchange]"
<lanwench@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:OsdD49T9HHA.5712@xxxxxxxxxxxxxxxxxxxxxxx
Northcoastseafoods <jleonard@xxxxxxxxxxxxxxxxxxxxxx> wrote:
Hi
I'm back with some more interesting results. At this time, I'm
thinking the user is up to no good!
This is unlikely to have anything to do with a misbehaving user.
I tested myself - I took them out of the Domain Admin group and did a
log on. Yup! the profiles are bad/corrupted - shows the Icons and
background - no My Documents and the Icons are not lined up properly?
When I add them back to the Domain Admin group - ALL IS WELL?
What about adding them to the *local* Administrators group, as I suggested
in my last post?
I do not know what they have done? Is there any way, short of deleting
them and re-establishing the profile? Remember they are Roaming
Profiles.
Did you try what I suggested?
1) Make 100% sure the roaming profile folder for that user has the
following settings:
Owner: Administrators (and propagate the settings to all subfolders)
NTFS: Administrators + System + %username% = full control (and propagate
the settings to all subfolders)
2) Log in to the workstation as an admin, remove the user's cached profile
(either use delprof from the resource kit or go to control panel | system
| advanced ...etc)
3) Log into the workstation as the user and see
If the profile doesn't load, check the application event log for errors.
It may be easier to recreate the user's profile than spend more time on
this. Just copy out data they need (IE favorites, etc). Rename the server
copy of the user's profile, log into a workstation as the user (where it
isn't cached anymore), let it be recreated.
thx for your help.
When
"Lanwench [MVP - Exchange]"
<lanwench@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx> wrote in
message news:%23TSeiSI9HHA.4784@xxxxxxxxxxxxxxxxxxxxxxx
North Coast Sea Foods <jleonard@xxxxxxxxxxxxxxxxxxxxxx> wrote:
Lanwench
Sorry for not getting back to you.
I have gone further into my problem and found out that the users
(several of them!) misdirected me re their problem.
That happens :)
Let me try to explain my problem now!
I have removed these users from the Domain Admin group, where they
have been for some time now!
Good - they should not have any admin rights anywhere at all.
Now when they log on, they are getting a different looking DeskTop?
As if it is being set up with another user's profile (EACH USER IS
DIFFERENT)??
Event logs?
When I add them back into the Domain Admin Group - all is ok. It has
nothing to do with the shared work folder in the logon bat!
Remember, domain admins are by default also LOCAL admins - so
something may be funky in the profile and expect local admin rights.
As a test, add a domain user to the local Administrators group and
test.
I can not figure out what is wrong with their profile? I have set
up a test PC and everything is working perfectly -
For one of these same users? If so, I'd remove the cached profiles
from their actual workstations & let them re-download on login.
when in Domain
Admin Group and when taken out of it - ALL IS WORKING CORRECTLY --
PROFILES AND ALL?
I DO NOT KNOW WHAT IS HAPPENING TO DESTROY THEIR ROAMING PROFILE --
BY THE WAY THIS IS ON THE SAME COMPUTER THEY USE DAILY, NOT ON ONE
THEY HAVE MOVED TO.
ANY HELP APPRECIATED - SORRY FOR THE CONFUSION.
No prob, but pls lose the caps lock - it means you're "shouting"
I have
"Lanwench [MVP - Exchange]"
<lanwench@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx> wrote in
message news:Obe51986HHA.3624@xxxxxxxxxxxxxxxxxxxxxxx
North Coast Sea Foods <jleonard@xxxxxxxxxxxxxxxxxxxxxx> wrote:
Lanwench
I appreciate your response.
I have a logon BAT that maps a shared folder - that is the folder
I am trying to control.
What *is* that folder?
This folder was setup with Domain Admin ownership, seems when I
take the users out of the Admin group, they lose their roaming
profile?
If this is a mapped drive pointing at a share you use for roaming
profile storage, stop mapping that drive ASAP.
Users should *never* be in any domain admin groups. You'll need to
check the ownership on their roaming profile folder (the parent)
and correct it to Administrators - and then reset the NTFS
permissions as I already mentioned (Administrators & System &
%username% = full control on each folder)
I do not know how the mapped drive/folder (with Domain Admin Owner)
is changing things, but it is?? I was asking if I should set up
the users in their own group and give them Full Permissions.
Would this eliminate the roaming profile problem?
Unfortunately, I still don't understand exactly what the roaming
profile problem *is*
Again, I do not see how the roaming profile is even entering into
the problem.
Nor do I - but you brought it up. I think you'll need to be much
more specific about where things are - paths, share names, login
scripts, and both share & NTFS permissions. Also exact symptoms &
error messages.
thx
"Lanwench [MVP - Exchange]"
<lanwench@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx> wrote
in message news:eLjY1go5HHA.5184@xxxxxxxxxxxxxxxxxxxxxxx
John D. Leonard -- Sage <sage.grp@xxxxxxxxxxx> wrote:
Sorry meant to say Profiles not Home
I'm a bit confused. You don't usually map a drive to your
profiles share, and users shouldn't be "working" in it at all.
You need to use folder redirection, for My Documents at the very
least - you
can use the home directories for that. You can also redirect
Application Data and Desktop (I'd avoid redirecting the start
menu, for performance reasons and so forth). The profile folders
should be in a hidden share, and Administrators + the System
account + %username% would need full control. Users shouldn't be
accessing the profile folders directly at all. I'm posting my
boilerplate on roaming profiles below. Hope this helps.

1. Set up a share on the server. For example - d:\profiles, shared as
   profiles$ to make it hidden from browsing. Make sure this share
   is not set to allow offline files/caching!
2. Make sure the share permissions on profiles$ indicate
   everyone=full control. Set the NTFS security to administrators,
   system, and users=full control.
3. In the users' ADUC properties, specify
   \\server\profiles$\%username% in the profiles field
4. Have each user log into the domain once from their usual
   workstation (where their existing profile lives) and log out. The
   profile is now roaming.
5. If you want the administrators group to automatically have
   permissions to the profiles folders, you'll need to make the
   appropriate change in group policy. Look in computer
   configuration/administrative templates/system/user profiles -
   there's an option to add administrators group to the roaming
   profiles permissions.

Notes:
* Make sure users understand that they should never log into
  multiple computers at the same time when they have roaming
  profiles (unless you make the profiles mandatory by renaming
  ntuser.dat to ntuser.man so they can't change them). Explain that
  the last one out wins, when it comes to uploading the final,
  changed copy of the profile.
* Keep your profiles TINY. Redirect My Documents at the very least;
  usually best done to the user's home directory on the server -
  either via group policy (folder redirection) or manually (far
  less advisable). If you aren't going to also redirect the
  desktop using policies, tell users that they are not to store
  any files on the desktop or you will beat them with a
  stick. Big profile=slow login/logout, and possible profile
  corruption.
* Note that user profiles are not compatible between different OS
  versions, even between W2k/XP. Keep all your computers. Keep your
  workstations as identical as possible - meaning, OS version is
  the same, SP level is the same, app load is (as much as
  possible) the same.
* Do not let people store any data locally - all data belongs on
  the server.
* The User Profile Hive Cleanup Utility should be running on all
  your computers. You can download it here:
  http://www.microsoft.com/downloads/details.aspx?familyid=1B286E6D-8912-4E18-B570-42470E2F3582&displaylang=en
John,
It's hard to be sure exactly what you mean.
The Profiles folder (say, \profiles$) should allow users full
control. This allows the profile creation process, running in
the user context, to create a profile and then set the correct
permissions on it, which are exclusive control of the profile.
This way, no-one else can get into another person's profile.
An administrator (only) can take ownership of an individual
profile, but this breaks the profile.
So if you have those permissions you don't need to do anything,
and you might want to explain more what you are trying to
achieve, Hope that helps,
Anthony,
http://www.airdesk.com
"John D. Leonard -- Sage" <sage.grp@xxxxxxxxxxx> wrote in
message news:OavU8fl5HHA.2380@xxxxxxxxxxxxxxxxxxxxxxx
I have several users, with roaming profiles, that use the
same folder as Domain Administrators.
Now I want to take the administrator privilege away from them
and still let
them use the same folder.
How do I set all users as "Owners" of the folder?
Would I set up another Group (non-administrator group) and add
the users to
that?
thx
--
John D. Leonard -- Sage
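
The owner and NTFS settings Lanwench lists in this thread (Owner: Administrators; Administrators + System + %username% = full control) can be checked across a whole profiles share with a read-only script. This is an added PowerShell example, not part of the original thread; the domain name EXAMPLE is a placeholder, and it assumes each folder is named after its account.

```powershell
# Added example: read-only audit, changes nothing on disk.
param(
    [string]$ProfileRoot = '\\server\profiles$',  # share path as written in the thread
    [string]$Domain      = 'EXAMPLE'              # placeholder domain name (assumption)
)
$sidType   = [System.Security.Principal.SecurityIdentifier]
$full      = [System.Security.AccessControl.FileSystemRights]::FullControl
$adminSid  = 'S-1-5-32-544'   # BUILTIN\Administrators
$systemSid = 'S-1-5-18'       # NT AUTHORITY\SYSTEM

function Test-FullControl($Rules, [string]$Sid) {
    # True when an Allow ACE for this SID grants FullControl
    foreach ($ace in $Rules) {
        if ($ace.IdentityReference.Value -eq $Sid -and
            $ace.AccessControlType -eq 'Allow' -and
            ($ace.FileSystemRights -band $full) -eq $full) { return $true }
    }
    return $false
}

Get-ChildItem -Path $ProfileRoot -Directory | ForEach-Object {
    $acl   = Get-Acl -Path $_.FullName
    $rules = $acl.GetAccessRules($true, $true, $sidType)
    # Assumes the folder is named after the account; strips the .V2-style
    # suffix that Vista and later append to roaming profile folders.
    $user  = $_.Name -replace '\.V\d+$', ''
    try {
        $acct    = New-Object System.Security.Principal.NTAccount($Domain, $user)
        $userSid = $acct.Translate($sidType).Value
    } catch {
        $userSid = $null   # folder name does not map to an account
    }
    $expected = @($adminSid, $systemSid, $userSid)
    [pscustomobject]@{
        Folder        = $_.Name
        OwnerIsAdmins = $acl.GetOwner($sidType).Value -eq $adminSid
        AdminsFull    = Test-FullControl $rules $adminSid
        SystemFull    = Test-FullControl $rules $systemSid
        UserFull      = [bool]$userSid -and (Test-FullControl $rules $userSid)
        # Any other principal with an Allow ACE has some access to this profile
        ExtraSids     = @($rules | Where-Object {
                            $_.AccessControlType -eq 'Allow' -and
                            $expected -notcontains $_.IdentityReference.Value
                        } | ForEach-Object { $_.IdentityReference.Value } |
                            Sort-Object -Unique) -join ','
    }
} | Format-Table -AutoSize
```

Rows where OwnerIsAdmins or UserFull is False, or where ExtraSids is non-empty, are the folders to compare against the event log errors mentioned in the thread.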