changing from roaming profiles to gpo

[chrbb]

The permissions in a profile cannot simply be changed my modifying the file system ACLs as per your example. When the profile is copied from the source PC to the network, it MUST be copied using the 'Copy To...' function and the permissions modified at that point. This modifies not only the ACLs on the files, but also the ACLs within the registry (within the NTUSER.DAT file). If this is not done, then GP settings cannot be applied because the user trying to load the profile does not have the necessary permissions to write to the registry.

So looks like it wasn't set up right then, at the time the company did say something about they'd discovered gpo didn't work with profiles, but I got the distinct impression they considered me too new and female to have any say on the matter. Any suggestions as to what I could do?

[maniac]

You can open up the user.man file in regedit and set the access permissions manually. This is my prefered method for setting up a mandatory profile, although other methods are perfectly good. Just I was taught to do it this way. Remember to unload it after you're done making changes, else it locks the profile so no one can use it!

Mike.

[ajbritton]

As Maniac says, you can edit the permissions in the user.man file using regedit, but how do you know what they are supposed to be?

My understanding is that when you use the 'Copy To...' function to modify the permissions (eg grant permission to Everyone), it does more than just a blanket grant of Full Control to the whole registry hive.

Permissions on policy related keys are not the same as permissions elsewhere in the user hive.

If I were chrbb, I would want to re-create the profile from scratch.

[chrbb]

Do you mean recreate the default profile for the individual computer from scratch?

[maniac]

OK little bit confused here, don't think I've fully grasped the concept of how your systems are setup.

Can you explain what you had, then what you currently get, then what you're trying to achieve. That way I might have a better idea of what's going on. Sorry!

Mike.

[chrbb]

I'm totally confused and it's my network!
Right current setup -roaming profiles for staff, mandatory for pupils. A custom default user profile was created on one computer with security set for everyone to read change etc. The other computers were then ghosted from this image.
Once users had logged on their copy of this profile was stored on the server.
We now have a new server and due to roaming profiles being a pain with teacher's laptops being used offline I want to just use gpo and dispense with the roaming and mandatory profiles. But the default profile on each computer seems to be overiding the gpo settings, I can only get the computer to accept the gp settings if I set security on the computers default profile to deny for everyone

[ajbritton]

Although I have 'dissed' the idea of using regedit to set the registry permissions in a profile, it might be worth using it to check the registry permissions on network default user profile

1 - On an XP machine, run REGEDIT
2 - Select the HKEY_USERS hive root
3 - Open the File menu and select Load Hive...
4 - Browse to \\(yourservername)\netlogon\Default User
5 - Select NTUSER.DAT and click Open
6 - Enter a name (eg NETDEFUSER) and OK
7 - Open up the HKEY_USERS key
8 - Select the key with the name you entered (eg NETDEFUSER)
9 - Open the Edit menu and select Permissions...
10 - Check and record the configured permissions for each group/user
11 - Click Cancel to close the Permissions dialog box
IMPORTANT - Make sure you do the following steps
12 - Ensure the key with the name you entered is still selected
13 - Open the File menu and select Unload Hive... then click Yes
14 - Close regedit

Report back with the permissions that you find.

[chrbb]

Thanks - will do that - not in until Mon pm though.

[maniac]

So your users don't have a roaming profile and don't have a mandatory profile, so therefore they are logged on with just a local profile created from the workstations default profile, and the GPO settings. (Basically the 'profile' line in their AD entry is left blank, correct?)

If this is the case, then it could be the ntuser.dat file contained in the local default profile that is causing the problems, more than likely because of permissions within the registry hive rather than the file permissions.

So as well as checking the network default profile, I would also check one of the local ones in the same way.

Mike.

[ajbritton]

Good point Maniac. That's definitely worth checking.

[chrbb]

The users currently have a roaming profile - the profile path is set in the profile line in AD. I'm intending to do away with these profiles.
I've had an idea what to do - I've recently done a clean install of xp on one of the computers, so I might copy that computer's default profile to one of the computers with the default profile that causes me a problem. then see if my gpo is being picked up.

[chrbb]

Sorted now! Cleared all old profiles off suite computers and have made new default user profile. gpo applying ok.

Thanks for all suggestions learnt alot about default profiles this week and now going to lie down in v. dark room maybe even room 101!

[maniac]

Don't you love the feeling when you finally solve a problem like that! Wouldn't venture near room 101, tad controversial in there!

Glad you solved it, I learned a bit myself from trying to help you on this thread, including the whole idea of ditching roaming profiles which we currently use for our staff. The idea of not having a network profile as such and letting GPO do all the work appeals, as we do get a lot of issues with profiles. Currently investigating myself!

Mike.