+ Post New Thread
Page 2 of 2 FirstFirst 12
Results 16 to 28 of 28
Windows Thread, changing from roaming profiles to gpo in Technical; The permissions in a profile cannot simply be changed my modifying the file system ACLs as per your example. When ...
  1. #16
    chrbb's Avatar
    Join Date
    Oct 2005
    Location
    Midlands
    Posts
    1,508
    Thank Post
    141
    Thanked 67 Times in 62 Posts
    Rep Power
    47

    Re: changing from roaming profiles to gpo

    The permissions in a profile cannot simply be changed my modifying the file system ACLs as per your example. When the profile is copied from the source PC to the network, it MUST be copied using the 'Copy To...' function and the permissions modified at that point. This modifies not only the ACLs on the files, but also the ACLs within the registry (within the NTUSER.DAT file). If this is not done, then GP settings cannot be applied because the user trying to load the profile does not have the necessary permissions to write to the registry.
    So looks like it wasn't set up right then, at the time the company did say something about they'd discovered gpo didn't work with profiles, but I got the distinct impression they considered me too new and female to have any say on the matter. Any suggestions as to what I could do?

  2. #17

    maniac's Avatar
    Join Date
    Feb 2007
    Location
    Kent
    Posts
    3,070
    Thank Post
    210
    Thanked 430 Times in 310 Posts
    Rep Power
    144

    Re: changing from roaming profiles to gpo

    You can open up the user.man file in regedit and set the access permissions manually. This is my prefered method for setting up a mandatory profile, although other methods are perfectly good. Just I was taught to do it this way. Remember to unload it after you're done making changes, else it locks the profile so no one can use it!

    Mike.

  3. #18
    ajbritton's Avatar
    Join Date
    Jul 2005
    Location
    Wandsworth
    Posts
    1,632
    Thank Post
    23
    Thanked 75 Times in 45 Posts
    Rep Power
    34

    Re: changing from roaming profiles to gpo

    As Maniac says, you can edit the permissions in the user.man file using regedit, but how do you know what they are supposed to be?

    My understanding is that when you use the 'Copy To...' function to modify the permissions (eg grant permission to Everyone), it does more than just a blanket grant of Full Control to the whole registry hive.

    Permissions on policy related keys are not the same as permissions elsewhere in the user hive.

    If I were chrbb, I would want to re-create the profile from scratch.

  4. #19
    chrbb's Avatar
    Join Date
    Oct 2005
    Location
    Midlands
    Posts
    1,508
    Thank Post
    141
    Thanked 67 Times in 62 Posts
    Rep Power
    47

    Re: changing from roaming profiles to gpo

    Do you mean recreate the default profile for the individual computer from scratch?

  5. #20

    maniac's Avatar
    Join Date
    Feb 2007
    Location
    Kent
    Posts
    3,070
    Thank Post
    210
    Thanked 430 Times in 310 Posts
    Rep Power
    144

    Re: changing from roaming profiles to gpo

    OK little bit confused here, don't think I've fully grasped the concept of how your systems are setup.

    Can you explain what you had, then what you currently get, then what you're trying to achieve. That way I might have a better idea of what's going on. Sorry!

    Mike.

  6. #21
    chrbb's Avatar
    Join Date
    Oct 2005
    Location
    Midlands
    Posts
    1,508
    Thank Post
    141
    Thanked 67 Times in 62 Posts
    Rep Power
    47

    Re: changing from roaming profiles to gpo

    I'm totally confused and it's my network!
    Right current setup -roaming profiles for staff, mandatory for pupils. A custom default user profile was created on one computer with security set for everyone to read change etc. The other computers were then ghosted from this image.
    Once users had logged on their copy of this profile was stored on the server.
    We now have a new server and due to roaming profiles being a pain with teacher's laptops being used offline I want to just use gpo and dispense with the roaming and mandatory profiles. But the default profile on each computer seems to be overiding the gpo settings, I can only get the computer to accept the gp settings if I set security on the computers default profile to deny for everyone

  7. #22
    ajbritton's Avatar
    Join Date
    Jul 2005
    Location
    Wandsworth
    Posts
    1,632
    Thank Post
    23
    Thanked 75 Times in 45 Posts
    Rep Power
    34

    Re: changing from roaming profiles to gpo

    Although I have 'dissed' the idea of using regedit to set the registry permissions in a profile, it might be worth using it to check the registry permissions on network default user profile

    1 - On an XP machine, run REGEDIT
    2 - Select the HKEY_USERS hive root
    3 - Open the File menu and select Load Hive...
    4 - Browse to \\(yourservername)\netlogon\Default User
    5 - Select NTUSER.DAT and click Open
    6 - Enter a name (eg NETDEFUSER) and OK
    7 - Open up the HKEY_USERS key
    8 - Select the key with the name you entered (eg NETDEFUSER)
    9 - Open the Edit menu and select Permissions...
    10 - Check and record the configured permissions for each group/user
    11 - Click Cancel to close the Permissions dialog box
    IMPORTANT - Make sure you do the following steps
    12 - Ensure the key with the name you entered is still selected
    13 - Open the File menu and select Unload Hive... then click Yes
    14 - Close regedit

    Report back with the permissions that you find.

  8. #23
    chrbb's Avatar
    Join Date
    Oct 2005
    Location
    Midlands
    Posts
    1,508
    Thank Post
    141
    Thanked 67 Times in 62 Posts
    Rep Power
    47

    Re: changing from roaming profiles to gpo

    Thanks - will do that - not in until Mon pm though.

  9. #24

    maniac's Avatar
    Join Date
    Feb 2007
    Location
    Kent
    Posts
    3,070
    Thank Post
    210
    Thanked 430 Times in 310 Posts
    Rep Power
    144

    Re: changing from roaming profiles to gpo

    So your users don't have a roaming profile and don't have a mandatory profile, so therefore they are logged on with just a local profile created from the workstations default profile, and the GPO settings. (Basically the 'profile' line in their AD entry is left blank, correct?)

    If this is the case, then it could be the ntuser.dat file contained in the local default profile that is causing the problems, more than likely because of permissions within the registry hive rather than the file permissions.

    So as well as checking the network default profile, I would also check one of the local ones in the same way.

    Mike.

  10. #25
    ajbritton's Avatar
    Join Date
    Jul 2005
    Location
    Wandsworth
    Posts
    1,632
    Thank Post
    23
    Thanked 75 Times in 45 Posts
    Rep Power
    34

    Re: changing from roaming profiles to gpo

    Good point Maniac. That's definitely worth checking.

  11. #26
    chrbb's Avatar
    Join Date
    Oct 2005
    Location
    Midlands
    Posts
    1,508
    Thank Post
    141
    Thanked 67 Times in 62 Posts
    Rep Power
    47

    Re: changing from roaming profiles to gpo

    The users currently have a roaming profile - the profile path is set in the profile line in AD. I'm intending to do away with these profiles.
    I've had an idea what to do - I've recently done a clean install of xp on one of the computers, so I might copy that computer's default profile to one of the computers with the default profile that causes me a problem. then see if my gpo is being picked up.

  12. #27
    chrbb's Avatar
    Join Date
    Oct 2005
    Location
    Midlands
    Posts
    1,508
    Thank Post
    141
    Thanked 67 Times in 62 Posts
    Rep Power
    47

    Re: changing from roaming profiles to gpo

    Sorted now! Cleared all old profiles off suite computers and have made new default user profile. gpo applying ok.

    Thanks for all suggestions learnt alot about default profiles this week and now going to lie down in v. dark room maybe even room 101!

  13. #28

    maniac's Avatar
    Join Date
    Feb 2007
    Location
    Kent
    Posts
    3,070
    Thank Post
    210
    Thanked 430 Times in 310 Posts
    Rep Power
    144

    Re: changing from roaming profiles to gpo

    Don't you love the feeling when you finally solve a problem like that! Wouldn't venture near room 101, tad controversial in there!

    Glad you solved it, I learned a bit myself from trying to help you on this thread, including the whole idea of ditching roaming profiles which we currently use for our staff. The idea of not having a network profile as such and letting GPO do all the work appeals, as we do get a lot of issues with profiles. Currently investigating myself!

    Mike.

SHARE:
+ Post New Thread
Page 2 of 2 FirstFirst 12

Similar Threads

  1. Roaming / MAN Profiles..
    By Grommit in forum Windows
    Replies: 10
    Last Post: 5th September 2007, 08:23 AM
  2. Changing from roaming profiles to gpo
    By chrbb in forum Windows
    Replies: 5
    Last Post: 30th March 2007, 06:01 PM
  3. Roaming Profiles - help please
    By robbied69 in forum Windows
    Replies: 2
    Last Post: 25th September 2006, 05:13 PM
  4. Roaming Profiles Problem
    By Gordie in forum General Chat
    Replies: 4
    Last Post: 22nd June 2006, 08:55 AM
  5. Roaming Profiles
    By ChrisH in forum Windows
    Replies: 60
    Last Post: 21st November 2005, 10:14 AM

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •