Administrator profile copied to defaul on several thousand PCs

[Matthew Kitchin \(Usenet/Lists\)]

I just found out the group deploying our XP SP2 desktops (a few thousand)
was making customizations to the administrator profile, and then copying
that profile to the default user. I made a change to group policy, and then
realized that all PCs that had this done aren't taking the change. This
seems to me the one common thing on all the problem PCs. After doing a
little research on this topic, I see that it is not the recommended way to
do things. I can't for the life of me figure out how to fix the machines
that are already affected.

Anyone have any ideas?

Thanks.

 

[Massimo]

I just found out the group deploying our XP SP2 desktops (a few thousand)
was making customizations to the administrator profile, and then copying
that profile to the default user. I made a change to group policy, and then
realized that all PCs that had this done aren't taking the change.

The customized Administrator profile was the local one or the domain one?

Do you use roaming profiles?

Did you change a user policy or a machine policy?

If it was a user policy, does it apply when the user logs on to another
machine?

By the way, which policy did you change?


Massimo

 

[Matthew Kitchin \(Usenet/Lists\)]

Massimo wrote:

Thanks for the response. Answers inline.

The customized Administrator profile was the local one or the domain
one?

The local account

Do you use roaming profiles? No

Did you change a user policy or a machine policy?

Both, but the particular one I'm trying to fix at the moment is user.

If it was a user policy, does it apply when the user logs on to
another machine?

Yes. It works on machines where this wasn't done.

By the way, which policy did you change?

IE Proxy connection settings.

Thanks again,
Matthew

 

[Massimo]

Both, but the particular one I'm trying to fix at the moment is user.

Yes. It works on machines where this wasn't done.

IE Proxy connection settings.

I think I've seen something similar with a folder redirection policy.

I defined the policy at the domain level, then had a "test" account log on
and get it, then used this account's profile as a default profile for the
whole domain (by copying it to NETLOGON\Default user); when a new user
logged on to the domain, his profile would be copied from the domain default
user one, but his folders would be pointing to the test account's ones, even
if the policy said they should go to \\server\folders\%username%.

It looks like there is some sort of flag in a user profile which tracks if a
given policy has already been applied to a given user; when the test
account's profile was used as the default one, it already had this flag
set... and the policy wasn't applied again to new users because the system
thought this had already been done.

This issue seems to be somewhat related to your problem... although I don't
have any clue to what the solution may be in your case; but maybe this can
point you in the right direction.

By the way, have you already tried using GPUPDATE /FORCE?


Massimo

 

[Matthew Kitchin \(Usenet/Lists\)]

I think I've seen something similar with a folder redirection policy.

I defined the policy at the domain level, then had a "test" account
log on and get it, then used this account's profile as a default
profile for the whole domain (by copying it to NETLOGON\Default
user); when a new user logged on to the domain, his profile would be
copied from the domain default user one, but his folders would be
pointing to the test account's ones, even if the policy said they
should go to \\server\folders\%username%.
It looks like there is some sort of flag in a user profile which
tracks if a given policy has already been applied to a given user;
when the test account's profile was used as the default one, it
already had this flag set... and the policy wasn't applied again to
new users because the system thought this had already been done.

This issue seems to be somewhat related to your problem... although I
don't have any clue to what the solution may be in your case; but
maybe this can point you in the right direction.

By the way, have you already tried using GPUPDATE /FORCE?

That sounds similar. Yes, tried gpupdate, the registry keys for the policy
show up, but the profile doesn't 'obey' them.

 

[Matthew Kitchin \(Usenet/Lists\)]

Turns out I was compeltely off. All the PCs that were affected were
determined to by XP to be on a 'slow link'. Apparently PCs on a slow link
don't download large parts of group policy. We disabled slow link detection,
and all is well.