• Creator
  • #2265977

    Domain Admin + Roaming Profiles


    by peter ·

    When I used to have my W2k3 server set up, I would make a user account for myself, add it to the Domain Admins group, put in a profile path, set up a share and have it work as an account that was a roaming profile and would be able to be an administrator on the server as well as the workstations on the domain.

    Now, I tried to set it up the same way and I find that my roaming profile only works when I’m not a member of the domain admins group. (odd?) When it’s a member of domain admins, it just creates an empty folder (owner administrators, I’ve tried manually changing this) and doesn’t save the profile up to the server when I log off. I can add my user account to the Builtin/Administrators group and then I can get admin access on the server, but I want to be able to have Administrator access to the workstations and still be able to keep the roaming profile.

    I don’t think the permissions are to blame since it works correctly as soon as it’s removed from the domain admins group, but they are set up like so:

    I have the share permissions set up as: \\server\Profiles$\
    Profile Group = Full

    NTFS permissions set up as:
    Profile Group = List Folder / Read Data, Create Folders / Append Data (for this folder only)
    System = Full Control (all files and folders)
    Creator Owner = Full Control (Subfolders and files only)

    I’ve tried rebuilding the server from scratch as I thought SP2 might, for some strange reason, be to blame since it was the only difference since I had it set up before, but it still happens.

    I’ve also tried playing with the following GPs enabled:
    -Do not check user ownership of roaming profile folders
    -Add the Administrators security group to roaming user profiles
    -Prevent Roaming Profile changes from propagating to the server

    Ideally I’d like to have the user as a Domain Admin/Roaming Profile setup (it’s been driving me crazy why I could do this before but not anymore).

    Someone suggested to me that instead I could set up the user account as a roaming profile / Builtin/Administrator and then also define a GP to make the user a local admin on the workstations. I’m not quite sure what would be the best way to do that though (without changing the workstation settings workstation by workstation) and I don’t like this method as much because it’s extra GPs/linked OUs to maintain.

    Thanks for any ideas!

All Answers

  • Author
    • #2577541


      by peter ·

      In reply to Domain Admin + Roaming Profiles


    • #2513681

      Figure it out?

      by glenn.altemose ·

      In reply to Domain Admin + Roaming Profiles

      Did you figure this out? I’m facing the exact same issue – if a user is part of the domain admins group, their profile on the server is never created (or, if just added to the group, no longer updated); once domain admins is removed, all is well…

      • #2512801

        RE: Figure it out?

        by peter ·

        In reply to Figure it out?

        I’m sorry to say I never did. I got really frustrated with this problem and, believe it or not, I ended up reformatting the box, and I’m not one to usually like going that route (would have preferred to find the source of the problem so it doesn’t happen again). I can’t remember if it’s working or not now. I have a feeling it didn’t work when I reformatted the box. I know I’m not using roaming profiles anymore. I will go and test this when I get home from work today (it’s a test server I have at home, currently Enterprise 2k3 server w/ all Windows updates). I’d be interested in working with you to resolve this even if my machine isn’t doing it anymore. I documented exactly what I did to that server step by step. Maybe you did something similar that we could figure out caused it?
