Domain Admin + Roaming Profiles
When I used to have my W2k3 server set up, I would make a user account for myself, add it to the Domain Admins group, put in a profile path, set up a share, and have it work as an account that had a roaming profile and was also an administrator on the server as well as on the workstations in the domain.
Now I've tried to set it up the same way and I find that my roaming profile only works when I'm not a member of the Domain Admins group. (Odd?) When it's a member of Domain Admins, it just creates an empty folder (owner Administrators; I've tried manually changing this) and doesn't save the profile up to the server when I log off. I can add my user account to the Builtin/Administrators group and then I can get admin access on the server, but I want to be able to have Administrator access to the workstations and still be able to keep the roaming profile.
I don't think the permissions are to blame, since it works correctly as soon as the account is removed from the Domain Admins group, but they are set up like so:
I have the share permissions setup as: \\server\Profiles$\
Profile Group = Full
NTFS permissions setup as:
Profile Group = List Folder / Read Data, Create Folders / Append Data (for this folder only)
System = Full Control (all files and folders)
Creator Owner = Full Control (Subfolders and files only)
I've tried rebuilding the server from scratch, as I thought SP2 might, for some strange reason, be to blame, since it was the only difference from when I had it set up before, but it still happens.
I've also tried playing with the following GPs enabled:
-Do not check user ownership of roaming profile folders
-Add the Administrators security group to roaming user profiles
-Prevent Roaming Profile changes from propagating to the server
Ideally I'd like to have the user as a Domain Admin / roaming profile setup (it's been driving me crazy that I could do this before but not anymore).
Someone suggested to me that instead I could set up the user account as a roaming profile / Builtin/Administrator and then also define a GP to make the user a local admin on the workstations. I'm not quite sure what the best way to do that would be, though (without changing the workstation settings workstation by workstation), and I don't like this method as much because it's extra GPs / linked OUs to maintain.
Thanks for any ideas!
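The share and NTFS layout described in the post, scripted so it can be reproduced exactly and then checked. This is an added example, not code from the original poster: it creates the Profiles$ share with the share-level and NTFS permissions listed above, then reports the owner of every existing profile folder, since the symptom in the post is a folder owned by Administrators rather than by the user. The domain name CONTOSO, the folder D:\Profiles and the literal group name "Profile Group" are assumptions; change them to match your environment.

```powershell
# Added example, not from the original post. Builds the Profiles$ share with the
# permissions listed in the post and checks profile-folder ownership afterwards.
# Assumptions (adjust to your environment): domain CONTOSO, folder D:\Profiles,
# and a security group literally named "Profile Group".

$ProfileRoot = 'D:\Profiles'
$Domain      = 'CONTOSO'
$ProfileGrp  = "$Domain\Profile Group"

if (-not (Test-Path -Path $ProfileRoot)) {
    New-Item -Path $ProfileRoot -ItemType Directory | Out-Null
}

# --- Share permission: Profile Group = Full ---------------------------------
# 'net share ... /GRANT' exists on Server 2003 and later. The share ACL is wide
# open to the group on purpose; the NTFS ACL below is what restricts access.
net share "Profiles`$=$ProfileRoot" "/GRANT:$ProfileGrp,FULL" '/REMARK:Roaming profiles'
if ($LASTEXITCODE -ne 0) { throw "net share failed (does Profiles`$ already exist?)" }

# --- NTFS permissions --------------------------------------------------------
function New-AceRule {
    param($Identity, $Rights, $Inherit, $Propagate)
    # Strings are converted to the FileSystemRights / InheritanceFlags /
    # PropagationFlags enums by the constructor call.
    New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity, $Rights, $Inherit, $Propagate, 'Allow')
}

$acl = Get-Acl -Path $ProfileRoot
# Stop inheriting from D:\ so that only the three entries from the post apply.
# Note this also drops any inherited Administrators entry; admins can still take
# ownership, but will not be able to browse profiles without adding an ACE here.
$acl.SetAccessRuleProtection($true, $false)

# Profile Group: List Folder / Read Data + Create Folders / Append Data, this folder only.
# (ListDirectory and CreateDirectories are the folder-side names of those two bits.)
$acl.AddAccessRule((New-AceRule $ProfileGrp 'ListDirectory, CreateDirectories' 'None' 'None'))
# SYSTEM: Full Control on this folder, subfolders and files.
$acl.AddAccessRule((New-AceRule 'NT AUTHORITY\SYSTEM' 'FullControl' 'ContainerInherit, ObjectInherit' 'None'))
# CREATOR OWNER: Full Control on subfolders and files only, so whoever creates a
# profile folder (normally the user at first logon) gets full rights to it.
$acl.AddAccessRule((New-AceRule 'CREATOR OWNER' 'FullControl' 'ContainerInherit, ObjectInherit' 'InheritOnly'))
Set-Acl -Path $ProfileRoot -AclObject $acl

# --- Check: does each profile folder belong to the matching user? -------------
# By default Windows checks that the user owns the roaming profile folder before
# using it (the "Do not check user ownership of roaming profile folders" policy
# turns that check off), so a folder owned by Administrators is the thing to look for.
Get-ChildItem -Path $ProfileRoot | Where-Object { $_.PSIsContainer } | ForEach-Object {
    $expected = "$Domain\" + ($_.Name -replace '\.V\d+$', '')   # strip a Vista+ ".V2" suffix
    $owner    = (Get-Acl -Path $_.FullName).Owner
    if ($owner -ieq $expected) {
        Write-Host ("OK       {0,-20} owner {1}" -f $_.Name, $owner)
    } else {
        Write-Warning ("{0}: owner is '{1}', expected '{2}'" -f $_.Name, $owner, $expected)
    }
}
```

Run it in an elevated PowerShell session on the file server. The ownership report at the end is the useful part for the problem above: if a folder comes back owned by BUILTIN\Administrators instead of the user, that is the folder Windows will not sync to, and changing the owner back to the user (or enabling the ownership-check policy) is where to start.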