Windows 7 Thread, Mandatory profile issue in Technical
  1. #16

    v.odd. I'd leave the profile off that server altogether then. Does it need to be on there?

  2. #17
    mrbios's Avatar
    Well, after some testing it seems it hasn't worked in the new location, so domain\administrators isn't the cause of my problem. I've just tried doing a copyto on a default profile again and starting fresh, added domain users to the permissions within the registry hive, logged on fine, logged off and tried to log on again and it fails.

    This laptop's going out the window in a minute.

  3. #18
    mrbios's Avatar
    Applied the profile to a user, but moved the user out of the OU it was in and into one that doesn't load group policies and it works, so it seems there is a policy that is making it get stuck!! GETTING CLOSER!

  4. #19

    Use Group Policy Modelling & Results in the GP Management module to see which policy(s) is causing the problem.

  5. #20
    azrael78's Avatar
    In a domain there is no DOMAIN\Administrators group.
    You only have BUILTIN\Administrators.

    DOMAIN\Domain Admins should suffice - as by default Domain Admins are Administrators on all member servers, DCs and workstations in a domain.
    If you really want to use the 'administrators' group - then it would have to be a local server or workstation group.

    E.g.

    FS1\Administrators <-- Would apply to Local Admins on FS1, but wouldn't necessarily cover Domain Users.

    HTH,

    Az

  6. #21
    mrbios's Avatar
    Cheers azrael, I think I've sorted it now. I pretty much replicated everything the students were using (which was working fine), set that up and then just adapted that to the teachers' settings. All seems to be working, going to get a few teachers to test it soon though.

  7. #22
    ajbritton's Avatar
    When you create the original mandatory profile, how did you make the initial copy? Unless you use the Copy Profile utility built into Windows and set permissions in the profile (not the file/folder permissions), the profile will never work properly. See 'Creating Mandatory Profiles' here: Mandatory Profiles - Wiki

  8. #23

    Originally posted by ajbritton:
    Unless you use the Copy Profile utility built into Windows and set permissions in the profile (not the file/folder permissions), the profile will never work properly.

    I can't say that's true Andy - we've a few perfectly working Mandatory Profiles which were never copied using that utility. It may well set the correct permissions for you, which may or may not save you time, but there's no reason you can't do that yourself. A profile is just a bunch of files & folders with appropriate permissions - they don't need divine power granted them by the OS to work correctly. IMHO it makes it easier to troubleshoot profiles if you can get away from this way of thinking.

  9. #24
    ajbritton's Avatar
    Originally posted by timzim:
    A profile is just a bunch of files & folders with appropriate permissions - they don't need divine power granted them by the OS to work correctly. IMHO it makes it easier to troubleshoot profiles if you can get away from this way of thinking.

    Not true I'm afraid. One of the files in the profile (NTUSER.DAT) contains the registry for the HKEY_CURRENT_USER hive. This has permissions on the registry structure INSIDE the file. This is unconnected with the ACL on the file itself. Using CopyTo will modify these permissions. If you don't do this, the only option is to use RegEdit to manually connect to registry settings in NTUSER.DAT and modify the permissions. However, since there is no documentation as to what permissions should be set across all the keys under HKEY_CURRENT_USER, it's best to let the OS do it for you in the way that is known to work and as Microsoft intended. IMHO

    I've lost track of the number of times I've had to explain this to people. That's one of the reasons I wrote up the WIKI article in the first place. I've certainly seen failures to apply group policy due to this issue on several occasions and if you think about it, it's logical. When Windows creates a new profile, it grants the user who creates it permissions to the files and in the registry. If you then copy the profile and try to let someone else use it, that user won't have the necessary permissions to update it. Looking at the registry permissions on HKEY_CURRENT_USER\Software\Policies on my PC shows me that the only users with access are Administrators, System and myself. Since the group policy extensions run under the security context of whoever logs on, that user must have the necessary rights to write to the registry or policy settings cannot be applied.

    Another option might be to enable verbose USERENV logging (http://support.microsoft.com/kb/221833). This gives a wealth of information on what goes on during logon but can be rather tedious to pick through.

    It might also be worth disabling caching on the share (http://support.microsoft.com/kb/287566)
    Last edited by ajbritton; 4th May 2010 at 01:21 PM.
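
The distinction debated in posts #23 and #24, file ACL versus the ACLs stored inside the hive, can be checked directly. The script below is an added example, not code from any poster in this thread: it mounts a copied NTUSER.DAT under HKEY_USERS, lists the file ACL next to the key ACLs on the hive root and Software\Policies, and reports whether a given group has an explicit Allow entry. The hive path, group name and mount name are placeholders; it assumes an elevated prompt and a hive that is not currently loaded by a logged-on user.

```powershell
# Added example: compare the file ACL of a profile hive with the ACLs stored inside it.
param(
    [string]$HivePath  = 'C:\Temp\ProfileCopy\NTUSER.DAT',  # placeholder path to the copied hive
    [string]$Principal = 'EXAMPLE\Domain Users',             # placeholder group to look for
    [string]$MountName = 'ProfileAudit'                      # temporary key name under HKEY_USERS
)

function Get-KeyAccess {
    param([string]$KeyPath)
    # Get-Acl through the registry provider returns the key's own security descriptor
    (Get-Acl -Path "Registry::$KeyPath").Access |
        Select-Object @{n='Key';e={$KeyPath}}, IdentityReference,
                      RegistryRights, AccessControlType, IsInherited
}

# 1. ACL on the file itself (what Explorer's Security tab shows)
$fileAcl = (Get-Acl -LiteralPath $HivePath).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType

# 2. Mount the hive so the permissions inside it become visible
& reg.exe load "HKU\$MountName" $HivePath | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg load failed for $HivePath" }

try {
    # Hive root plus the key the group policy extensions write to
    $keys = "HKEY_USERS\$MountName", "HKEY_USERS\$MountName\Software\Policies"
    $keyAcl = foreach ($k in $keys) {
        if (Test-Path "Registry::$k") { Get-KeyAccess $k }
    }

    'File ACL:';   $fileAcl | Format-Table -AutoSize
    'Hive ACLs:';  $keyAcl  | Format-Table -AutoSize

    # Explicit Allow entries only; access may still come via another group
    $hits = @($keyAcl | Where-Object {
        $_.IdentityReference.Value -eq $Principal -and $_.AccessControlType -eq 'Allow'
    })
    if ($hits.Count -eq 0) {
        "No explicit Allow entry for '$Principal' inside the hive."
    } else {
        "'$Principal' has $($hits.Count) Allow entr$(if ($hits.Count -eq 1) {'y'} else {'ies'}) inside the hive."
    }
}
finally {
    # Release registry handles held by .NET objects, then unmount the hive
    [gc]::Collect(); [gc]::WaitForPendingFinalizers()
    & reg.exe unload "HKU\$MountName" | Out-Null
}
```

A profile whose file ACL looks correct but whose hive still lists only the original creating user, Administrators and SYSTEM matches the failure described in post #24.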
