Default User Profile Locks Down Admin!

[Guest]

Hey everyone...I've got a strange problem/question.

Here's the situation.

We're on a Domain "X".
Setting up a machine with Windows XP Pro SP2 for an Image. OK.
Everything is about ready to go (Before we SysPrep, and create the image for
it), so we begin creating the default user profile.

NOTE: The Domain has user accounts seperated by "users" and "administrators".

Creating the Default User Profile:
Login as a "user" account. Setup everything we need (Drive Mappings,
Shortcuts, etc etc.). Logout.
Login as an "admin" account. Delete the current default user profile, and
re-create using the previous login. Correct.

Now, whenever an ADMIN logs in to this machine, and if that admin's profile
is created from the default user profile, the admin is locked down!!! It's
as if the default user profile is over-riding priviledge settings from the
domain!
(For an example, when an admin who's profile was created from the default
profile attemps to use "Add/Remove Programs", that admin will receive the
error that a USER would normally receive: "Add or Remove Programs has been
restricted. Please check with your Administrator".

Any ideas how to stop this "Priviledge Over-ride" from happening?...or what
we could have done to CAUSE it to happen?

(We've built several other images, and this has never happened before)

We'll probobally just rebuild this one image that is giving us troubles, but
we're interested to know WHY it happened.

Thanks!

 

[Jim Smith]

If I did not misread what you said, you are doing this just backwards from
what I do.

I set everything up as I need it in the local administrator profile, then
log on as a domain admin and copy the administrator profile to the default
user profile.

You are creating administrator profiles from user accounts that have lower
priviledges and therefore you are getting access restrictions.

Try creating profiles from the top down instead for from the bottom up.

 

[Guest]

This is also what I've tried. If we create the default user profile top
down, we have a problem with a program that acts different as an admin vs. a
regular user, so because of this, it's not recommended to build the default
user profile top down.

The strange part about it is, it's only this ONE TIME so far that we've
experienced this. Every other LAN Admin, including myself, builds the
default user profile from a restricted user account, and has never had
problems.

We can't figure out what was done differently in this Image creation that
would actually cause such a crazy lockout.

(i.e. it makes sense what you say. Since we built the default user profile
off a restricted account, the registry settings carry over to the LAN Admin's
profile, and thus restrict any LAN Admin who might login...)
(HOWEVER: Why has this never happened before? We assume that the domain
somehow, should usually override registry settings for the LAN Admin...and
give that admin full access....but for some reason it did not happen on this
image.)

Just wondering WHY! haha.

 

[Jim Smith]

Are your "users" classified as local administrators on each machine they
use? If not many software programs will not behave.

 

[Guest]

We do not usually give Admin rights locally for our "users". If required, we
do so...but usually we allow the domain controller to assign the appropriate
rights, instead of having user accounts on every machine.

This is an interesting point you bring up there. Perhaps it might work out
more appropriately, if when building the default user profile, we give that
"user base" Admin rights only for building the default user profile.

We'll have to test if after a real "user" logs in, does the Domain
Controller lock them down like it should!

Thanks, we'll test this idea!

 

[ruudvdvelden]

Hello,

Don't know if this is interesting information to you:

Changes in behavior of the SysPrep and RIPREP tools after you install
Windows XP Service Pack 2
http://support.microsoft.com/default.aspx?scid=kb;en-us;887816

Regards,
Ruud