General discussion

Locked

User Profiles - Windows 2000

By StormRage ·
I've been all over the NET for this query, yet no success to date...

How can one apply Administrator permissions to newly created user profiles by default?... (Thereby preventing having to Take Ownership every time, to allow access to the user's profile or home directory)

Thanks in advance.

This conversation is currently closed to new comments.

7 total posts (Page 1 of 1)  
| Thread display: Collapse - | Expand +

All Comments

Collapse -

by Blackcurrant In reply to User Profiles - Windows 2 ...

Hi

I am not sure you can do this, though I may be wrong. It seems to me to be a dangerous procedure to assign local administrative rights to new accounts.

Maybe there is an alternative solution to your problem... What are you trying to achieve?

Collapse -

by StormRage In reply to

It is just to cumbersome to "Take Ownership" of a user's profile to do adjustments. After taking Ownership, the perms have to be added for the specific user giving him/her full access. (else the client machine complains about access permissions) Being the only IT personel around, and having to train a user to become an IT support personel, this is just to much "fiddling". :)

Apparently Windows 2003 server allows this by enabling the "Add the Administrators security group to roaming user profiles" via the Group Policy "Computer Configuration\System\User Profiles". Somewhere on the net I noticed that this was fair practice with NT 4.0, yet MS only allowed it after SP2 with 2000. Yet, with 2000 I can't find a related feature... (though the server has SP4 with SRP1 .. ie SP5)

My second problem being: When a new user is created, upon first logon, the new user profile is not created from the "\netlogon\Default User" network share which was amended and copied across via the system control panel.

Any advice will be greatly appreciated in finally solving these two issues.

Once again. Thank a mil.

Collapse -

by Blackcurrant In reply to User Profiles - Windows 2 ...

Hi again

Well, I am not sure I understand exactly what you want to do.

When I assign users to computers, I make some of them local administrators. They can then perform simple system maintenance tasks. So the user has a normal domain account, but with local admin rights. However, this seems too simplistic, so I am not sure I really get what it is you want the users to achieve.

How many users do you have? And, how many users do you need to assign admin rights to?, on how many computers?

Also, you only need to change permissions once, to allow users access to particular folders?

If you can say exactly what you want your people to do, we can offer more specific (and probably more useful), advice.

Collapse -

by StormRage In reply to

I require Administrator rights to the (network shared) user profiles directory. Which by default only has CREATOR/OWNER and SYSTEM full permissions. This is only for two network users.

The Domain Users total 63 over 5 domains. Four domains being sub-domained. Only two users is assigned membership to the local Administrator Group on the main domain, inclusive of Domain & Enterprize Administrator rights of which their accounts need roaming functionality.

Regarding the permission change: Should I take administrator ownership of a user's profile. Said user can't load their profile unless they are specifically added with full control to their profile directory.

Herwith the details:-

Parent Folder:
SMB Share:
Domain Users - Full Control
NTFS Security:
Creator/Owner - Full Control - Subfolder & Fils Only
Domain Users - List Folder/Read Data & Create Folders,Append Data
Enterprize Admins - Full Control - This Folder,subfolder,files
SYSTEM - Full Control - This Folder,subfolders, files

This configuration does not allow Admin access to the newly created user profiles. (Access denied)

After taking ownership, the specific user receives the message:
"Windows cannot copy file \\server\profile\user to location c:\Documents and Settings\user\ Contact your system administrator. Access denied."

Therefore that specific user has to be given - Full Control - This folder,subfolder, files on his/her profile directory to allow loading of the profile.

---------------------------------------------------------------

Most interesting furthermore: Should I create a custom default user profile, applicable to all new users of the main domain and place that new default profile in \\server\netlogon\Default User, (via the Control Panel) which should be copied from the server to the new user's upon first logon, this new default profile does not reflect....

--------------------------------------------------------------

Your aid is greatly appreciated.

Collapse -

by StormRage In reply to User Profiles - Windows 2 ...

Thanks for the assistance to date.

Finally I found it... :)

GPO: Computer Configuration, Administrative Templates, System, and Logon -> Select the Add the Administrators security group to roaming user profiles.

Problem one solved. Now just to get the Default User profile from the netlogon share to apply to new users....

Collapse -

by Blackcurrant In reply to User Profiles - Windows 2 ...

Hi

Well, I have never used Roaming Profiles and maintain just one domain with about the same number of users. I would manually create the neccessary permissions each time I created a new user - However, I have had a quick search of Microsoft's site and have found the following:

http://support.microsoft.com/kb/222043/en-us

http://support.microsoft.com/kb/257848/en-us


I hope this information helps you out.

Collapse -

by StormRage In reply to

Thanks for the continual assistance.

Out of frustration I have set the "Add the Administrators security group to roaming user profiles" policy applicable to the "Default Domain" policy AND "Default Domain Controller" policy. This finally allowed Administrator access to the newly created profile without having to do the change of perms excercise. Although, what I still do wonder about, is whether there is a diference between which of the two policies actually really activates the feature? (Surely only one of these policies is required)

The creation of a new user profile via the netlogon\Default User share unfortunately still evades me.

Somehow I believe this might be related to a policy, yet which one, still remains unsolved...

Back to Windows Forum
7 total posts (Page 1 of 1)  

Related Discussions

Related Forums