User profiles on domain controller - Very strange

Guest

Hi all,

I hope this is the right NG for my question:

I have a mixed environment with W2K3 and W2K DCs. During the last weeks I
realized that on one of our domain controllers (W2K) there were some user
profiles under Documents and Settings which - regarding to their name - seem
to belong to some users in a remote location. I also found such user profiles
(not all of them and not all the same users) on the DC (W2K) on the remote
site where these users are located. The user profiles do not have all the
common folders in it, e. g. the Desktop and MyDocuments are missing. It seems
there is only information about some Certificates and CRLs and such in it
because the only folders with files in it are under Application Data ->
Microsoft within folders like CryptnetUrlCache, Crypto, Internet Explorer,
Protect and System Certificates.

The remote site is connected to our headquarter via a VPN connection between
two firewalls over a leased line. Some of our users connect to an application
via Citrix, so I thought the profiles maybe derive from those connections but
as it turned out not all of the users who have profiles on the server use
Citrix.

Any help is greatly appreciated.

Thanks,
The Kirschi
 
Steven L Umbach

That is typically what you see when a user can access a share on a domain
computer and encrypt files in that share. The computer then creates the
profile for the user and impersonates the user to request an EFS certificate
to store in that profile. The user would need write access to the folder in
order to encrypt the files and the encryption attribute would need to be
enabled on a folder in the share. So I would start by checking that out. You
can use the cipher command to check for encrypted folders on a computer. By
default on a domain controller regular domain users would not have write
access to any default share and the only share they would see is the sysvol
share. If you have auditing for account management enabled on those domain
controllers you might find events recorded in the security log that may give
an idea what is going on. The user profile creation date may also be
helpful. --- Steve
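
The checks suggested in the reply above, as an added example that is not part of the original thread: it lists certificate-only stub profiles with their creation dates and finds EFS-encrypted items under a share. The server name `DC01`, the share `SomeShare` and both function names are placeholders, and the script assumes it is run from an admin workstation with PowerShell 3.0 or later against the DC's administrative share.

```powershell
# Added example. DC01 and SomeShare are placeholders; replace with your own values.
param(
    [string]$ProfileRoot  = '\\DC01\C$\Documents and Settings',
    [string[]]$SharePaths = @('\\DC01\SomeShare')
)

# Profiles that have no Desktop folder but do hold EFS/certificate material,
# which is the pattern described in the question.
function Get-StubProfile {
    param([string]$Root)
    Get-ChildItem -LiteralPath $Root -Directory -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $ms         = Join-Path $_.FullName 'Application Data\Microsoft'
            $hasDesktop = Test-Path -LiteralPath (Join-Path $_.FullName 'Desktop')
            $hasCrypto  = (Test-Path -LiteralPath (Join-Path $ms 'Crypto')) -or
                          (Test-Path -LiteralPath (Join-Path $ms 'SystemCertificates'))
            if (-not $hasDesktop -and $hasCrypto) {
                [pscustomobject]@{
                    Profile = $_.Name
                    Created = $_.CreationTime   # compare with the encrypted items' dates
                    Path    = $_.FullName
                }
            }
        }
}

# Files and folders carrying the NTFS Encrypted attribute (what "cipher" reports as E),
# with owner so they can be matched against the stub profile names.
function Get-EncryptedItem {
    param([string[]]$Path)
    Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Attributes -band [System.IO.FileAttributes]::Encrypted } |
        Select-Object FullName, CreationTime,
            @{ n = 'Owner'; e = { (Get-Acl -LiteralPath $_.FullName).Owner } }
}

Get-StubProfile   -Root $ProfileRoot | Sort-Object Created      | Format-Table -AutoSize
Get-EncryptedItem -Path $SharePaths  | Sort-Object CreationTime | Format-Table -AutoSize
```

A stub profile whose creation time lines up with an encrypted item owned by the same user points to the share and folder where users have write access and can encrypt.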
 
Guest

Thanks Steve. That was exactly the point.

Steven L Umbach said:
That is typically what you see when a user can access a share on a domain
computer and encrypt files in that share. The computer then creates the
profile for the user and impersonates the user to request an EFS certificate
to store in that profile. The user would need write access to the folder in
order to encrypt the files and the encryption attribute would need to be
enabled on a folder in the share. So I would start by checking that out. You
can use the cipher command to check for encrypted folders on a computer. By
default on a domain controller regular domain users would not have write
access to any default share and the only share they would see is the sysvol
share. If you have auditing for account management enabled on those domain
controllers you might find events recorded in the security log that may give
an idea what is going on. The user profile creation date may also be
helpful. --- Steve
 
