Re: Help with Owner of a roaming profile folder
- From: "Lanwench [MVP - Exchange]" <lanwench@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Sat, 15 Sep 2007 10:44:09 -0400
John D. Leonard -- Sage <sage.grp@xxxxxxxxxxx> wrote:
No I did not try the Local Administrators Group. I'm trying to
eliminate the Administrator rights/permissions.
Well, but that's one way to eliminate it (really, "isolate" it). The
permissions they "need" are unlikely to be domain admin rights.....I suspect
there's something funky that expects *local* admin rights.
I will try it next Tuesday.
I will follow your other instructions!
Let you know how I make out.
Good; please do. And best of luck.
Thx again
Northcoastseafoods <jleonard@xxxxxxxxxxxxxxxxxxxxxx> wrote:
Hi
I'm back with some more interesting results. At this time, I'm
thinking the user is up to no good!
This is unlikely to have anything to do with a misbehaving user.
I tested myself - I took them out of the Domain Admin group and did
a log on. Yup! the profiles are bad/corrupted - shows the Icons and
background - no My Documents and the Icons are not lined up
properly? When I add them back to the Domain Admin group - ALL IS WELL?
What about adding them to the *local* Administrators group, as I
suggested in my last post?
I do not know what they have done? Is there any way, short of
deleting them and re-establishing the profile? Remember they are
Roaming Profiles.
Did you try what I suggested?
1) Make 100% sure the roaming profile folder for that user has the
following settings:
Owner: Administrators (and propagate the settings to all subfolders)
NTFS: Administrators + System + %username% = full control (and
propagate the settings to all subfolders)
2) Log in to the workstation as an admin, remove the user's cached
profile (either use delprof from the resource kit or go to control
panel | system advanced ...etc)
3) Log into the workstation as the user and see
If the profile doesn't load, check the application event log for
errors. It may be easier to recreate the user's profile than spend more
time on this. Just copy out data they need (IE favorites, etc). Rename
the server copy of the user's profile, log into a workstation as the
user (where it isn't cached anymore), let it be recreated.
thx for your help.
When
"Lanwench [MVP - Exchange]"
<lanwench@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx> wrote in
message news:%23TSeiSI9HHA.4784@xxxxxxxxxxxxxxxxxxxxxxx
North Coast Sea Foods <jleonard@xxxxxxxxxxxxxxxxxxxxxx> wrote:
Lanwench
Sorry for not getting back to you.
I have gone further into my problem and found out that the users
(several of them!) misdirected me re their problem.
That happens :)
Let me try to explain my problem now!
I have removed these users from the Domain Admin group, where they
have been for some time now!
Good - they should not have any admin rights anywhere at all.
Now when they log on, they are getting a different looking
DeskTop? As if it is being set up with another users profile
(EACH USER IS DIFFERENT)??
Event logs?
When I add them back into the Domain Admin Group - all is ok. It
has nothing to do with the shared work folder in the logon bat!
Remember, domain admins are by default also LOCAL admins - so
something may be funky in the profile and expect local admin
rights. As a test, add a domain user to the local Administrators
group and test.
I can not figure out what is wrong with their profile? I have set
up a test PC and everything is working perfectly -
For one of these same users? If so, I'd remove the cached profiles
from their actual workstations & let them re-download on login.
when in Domain
Admin Group and when taken out of it - ALL IS WORKING CORRECTLY --
PROFILES AND ALL?
I DO NOT KNOW WHAT IS HAPPENING TO DESTROY THEIR ROAMING PROFILE
-- BY THE WAY THIS IS ON THE SAME COMPUTER THEY USE DAILY, NOT ON
ONE THEY HAVE MOVED TO.
ANY HELP APPRECIATED - SORRY FOR THE CONFUSION.
No prob, but pls lose the caps lock - it means you're "shouting"
I have
"Lanwench [MVP - Exchange]"
<lanwench@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx> wrote
in message news:Obe51986HHA.3624@xxxxxxxxxxxxxxxxxxxxxxx
North Coast Sea Foods <jleonard@xxxxxxxxxxxxxxxxxxxxxx> wrote:
Lanwench
I appreciate your response.
I have a logon BAT that maps a shared folder - that is the
folder I am trying to control.
What *is* that folder?
This folder was setup with Domain Admin ownership, seems when I
take the users out of the Admin group, they lose their roaming
profile?
If this is a mapped drive pointing at a share you use for roaming
profile storage, stop mapping that drive ASAP.
Users should *never* be in any domain admin groups. You'll need
to check the ownership on their roaming profile folder (the
parent) and correct it to Administrators - and then reset the
NTFS permissions as I already mentioned (Administrators & System &
%username% = full control on each folder)
I do not know how the mapped drive/folder (with Domain Admin
Owner) is changing things, but it is?? I was asking if I should
set up the users in their own group and give them Full
Permissions. Would this eliminate the roaming profile problem?
Unfortunately, I still don't understand exactly what the roaming
profile problem *is*
Again, I do not see how the roaming profile is even entering
into the problem.
Nor do I - but you brought it up. I think you'll need to be much
more specific about where things are - paths, share names, login
scripts, and both share & NTFS permissions. Also exact symptoms &
error messages.
thx
"Lanwench [MVP - Exchange]"
<lanwench@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx> wrote
in message news:eLjY1go5HHA.5184@xxxxxxxxxxxxxxxxxxxxxxx
John D. Leonard -- Sage <sage.grp@xxxxxxxxxxx> wrote:
Sorry meant to say Profiles not Home
I'm a bit confused. You don't usually map a drive to your
profiles share, and users shouldn't be "working" in it at all.
You need to use folder redirection, for My Documents at the
very least - you
can use the home directories for that. You can also redirect
Application Data and Desktop (I'd avoid redirecting the start
menu, for performance reasons and so forth). The profile
folders should be in a hidden share, and Administrators + the
System account + %username% would need full control. Users
shouldn't be accessing the profile folders directly at all.
I'm posting my boilerplate on roaming profiles below. Hope this
helps.
1. Set up a share on the server. For example - d:\profiles, shared as
profiles$ to make it hidden from browsing. Make sure this share
is not set to allow offline files/caching!
2. Make sure the share permissions on profiles$ indicate
everyone=full control. Set the NTFS security to administrators,
system, and users=full control.
3. In the users' ADUC properties, specify
\\server\profiles$\%username% in the profiles field
4. Have each user log into the domain once from their usual
workstation (where their existing profile lives) and log out.
The profile is now roaming.
5. If you want the administrators group to automatically have
permissions to the profiles folders, you'll need to make the
appropriate change in group policy. Look in computer
configuration/administrative templates/system/user profiles -
there's an option to add administrators group to the roaming
profiles permissions.
Notes:
* Make sure users understand that they should never log into
multiple computers at the same time when they have roaming
profiles (unless you make the profiles mandatory by renaming
ntuser.dat to ntuser.man so they can't change them). Explain that
the last one out wins, when it comes to uploading the final,
changed copy of the profile.
* Keep your profiles TINY. Redirect My Documents at the very least;
usually best done to the user's home directory on the server -
either via group policy (folder redirection) or manually (far
less advisable). If you aren't going to also redirect the
desktop using policies, tell users that they are not to store
any files on the desktop or you will beat them with a
stick. Big profile=slow login/logout, and possible profile
corruption.
* Note that user profiles are not compatible between different OS
versions, even between W2k/XP. Keep all your computers. Keep your
workstations as identical as possible - meaning, OS version is
the same, SP level is the same, app load is (as much as
possible) the same.
* Do not let people store any data locally - all data belongs on
the server.
* The User Profile Hive Cleanup Utility should be running on
all your computers. You can download it here:
http://www.microsoft.com/downloads/details.aspx?familyid=1B286E6D-8912-4E18-B570-42470E2F3582&displaylang=en
John,
It's hard to be sure exactly what you mean.
The Profiles folder (say, \profiles$) should allow users full
control. This allows the profile creation process, running in
the user context, to create a profile and then set the
correct permissions on it, which are exclusive control of
the profile. This way, no-one else can get into another
person's profile. An administrator (only) can take ownership of an
individual profile, but this breaks the profile.
So if you have those permissions you don't need to do
anything, and you might want to explain more what you are
trying to achieve,
Hope that helps,
Anthony,
http://www.airdesk.com
"John D. Leonard -- Sage" <sage.grp@xxxxxxxxxxx> wrote in
message news:OavU8fl5HHA.2380@xxxxxxxxxxxxxxxxxxxxxxx
I have several users, with roaming profiles, that use the
same folder as Domain Administrators.
Now I want to take the administrator privilege away from
them and still let
them use the same folder.
How do I set all users as "Owners" of the folder?
Would I set up another Group (non-administrator group) and
add the users to
that?
thx
--
John D. Leonard -- Sage
.
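The ownership and NTFS settings recommended in this thread (Owner: Administrators; Administrators + System + %username% = full control) can be checked across a whole profile share in one pass. The script below is an added example, not code from any poster in the thread; the function name `Test-FullControl`, the `$Domain` default and the assumption that each folder is named after the user's logon name are illustrative, and the default path is the `\\server\profiles$` share used in the boilerplate above.

```powershell
# Added example (not from the thread). Read-only audit; it changes nothing.
# Assumptions: folders under $ProfileRoot are named after the user's logon name
# (optionally with a .V2-style suffix) and the accounts live in $Domain.
param(
    [string]$ProfileRoot = '\\server\profiles$',   # share path used in the thread
    [string]$Domain      = $env:USERDOMAIN
)

$SidType     = [System.Security.Principal.SecurityIdentifier]
# Well-known SIDs, so the check does not depend on the OS display language.
$AdminsSid   = 'S-1-5-32-544'   # BUILTIN\Administrators
$SystemSid   = 'S-1-5-18'       # NT AUTHORITY\SYSTEM
$Full        = [System.Security.AccessControl.FileSystemRights]::FullControl
$InheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly

function Test-FullControl($Acl, [string]$Sid) {
    # True when an Allow ACE that applies to the folder itself gives $Sid Full Control.
    foreach ($ace in $Acl.GetAccessRules($true, $true, $SidType)) {
        if ($ace.IdentityReference.Value -eq $Sid -and
            $ace.AccessControlType -eq 'Allow' -and
            ($ace.PropagationFlags -band $InheritOnly) -ne $InheritOnly -and
            ($ace.FileSystemRights -band $Full) -eq $Full) { return $true }
    }
    return $false
}

Get-ChildItem -LiteralPath $ProfileRoot -Directory | ForEach-Object {
    $dir  = $_
    $user = $dir.Name -replace '\.V\d+$', ''     # strip profile-version suffix if present
    $row  = [ordered]@{ Folder = $dir.Name; Owner = $null; OwnerOk = $false
                        AdminsFull = $false; SystemFull = $false; UserFull = $false; Note = '' }
    try {
        $acl            = Get-Acl -LiteralPath $dir.FullName -ErrorAction Stop
        $row.Owner      = $acl.Owner
        $row.OwnerOk    = $acl.GetOwner($SidType).Value -eq $AdminsSid
        $row.AdminsFull = Test-FullControl $acl $AdminsSid
        $row.SystemFull = Test-FullControl $acl $SystemSid
        # Resolve the folder name to an account SID; throws if no such account exists.
        $account        = New-Object System.Security.Principal.NTAccount($Domain, $user)
        $row.UserFull   = Test-FullControl $acl $account.Translate($SidType).Value
    } catch {
        $row.Note = $_.Exception.Message        # unreadable ACL or unknown account
    }
    [pscustomobject]$row
}
```

A row with a non-empty `Note` usually means the ACL could not be read or the folder name does not map to an account, which is what to expect for a profile the user created with exclusive control, as described earlier in the thread.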