Local profiles for network users without granting admin rights

Barney Mowder

All-

This has got me barking at the walls.

I manage a heterogenous network with NT 4.0 PDC and BDC servers
maintaining a single NT domain for clients logging in from Win98 and
NT 40 workstations.

I have been trying to add an XP Pro laptop to the network in such a
way that the user profile for a user logged onto the laptop is the
same whether or not the laptop is connected to the LAN.

This laptop is going to be used by people travelling abroad, and will
not always be connected to the LAN. I manage this portion of the
function of the machine through Globesoft's Multinetwork Manager 6.5.
I have tried using the 'profile sharing' feature of Multinetwork
manager to share a local user profile between a local, standalone
account on the machine, and a LAN domain user, but without success.

The behaviour I am seeing is this:

Whenever a member of the LAN domain logs onto the XP Pro laptop, a
local, temporary profile is created, and when the user logs off, the
profile is discarded.

The only way I can get the profile to be non-ephemeral is to grant
the LAN user local admin rights on the XP Pro laptop, which
effectively contravenes any attempt to secure the machine.

I do NOT want to set up a roaming profile, because my users move
from machine to machine on my network, and all the machines are
different, so the profile updating will hose up the user's environment
on some other machine.

How can I make the created profiles stay on the XP machine between
sessions WITHOUT granting admin privilege to the LAN domain users?

I have been dallying with a hack to the registry which resets the
state of the created local profile from 644 to 256,

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\<Profile-ID>]
"State"=dword:00000100

which seems to preserve the profile through 1 reboot, but which must
be forced before each logoff. This seems kludgy in the extreme- Is
there a better answer?
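
The two State values quoted in the post above can be decoded bit by bit. Added example, not part of the original thread: a Python sketch that reads a ProfileList registry export and decodes each State DWORD, assuming the flag meanings Microsoft documents for this value; the flag names, the DISCARD_HINTS heuristic and the sample SIDs are constructed for illustration.

```python
import re

# Bit meanings of the ProfileList "State" value as documented by Microsoft
# (assumed here to apply to the XP laptop discussed in the thread).
STATE_FLAGS = {
    0x0001: "MANDATORY", 0x0002: "USE_CACHE",
    0x0004: "NEW_LOCAL", 0x0008: "NEW_CENTRAL",
    0x0010: "UPDATE_CENTRAL", 0x0020: "DELETE_CACHE",
    0x0040: "UPGRADE", 0x0080: "GUEST_USER",
    0x0100: "ADMIN_USER", 0x0200: "DEFAULT_NET_READY",
    0x0400: "SLOW_LINK", 0x0800: "TEMP_ASSIGNED",
}
# Heuristic (assumption): flags suggesting the local copy will not be kept.
DISCARD_HINTS = {"DELETE_CACHE", "GUEST_USER", "TEMP_ASSIGNED"}

# Constructed sample export; the SIDs are placeholders, not real accounts.
SAMPLE_REG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-EXAMPLE-1001]
"State"=dword:00000284
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-EXAMPLE-1002]
"State"=dword:00000100
"""

def decode_state(value):
    """Return the names of the flags set in a State DWORD, lowest bit first."""
    names = [name for bit, name in sorted(STATE_FLAGS.items()) if value & bit]
    unknown = value & ~sum(STATE_FLAGS)  # bits outside the documented set
    if unknown:
        names.append("UNKNOWN_0x%X" % unknown)
    return names

def parse_profile_states(reg_text):
    """Map each ProfileList subkey (SID) in a .reg export to its State value."""
    states, sid = {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        key = re.match(r"\[.*\\ProfileList\\([^\\\]]+)\]$", line, re.I)
        if key:
            sid = key.group(1)
        elif line.startswith("["):
            sid = None  # some other key: stop attributing values to a SID
        else:
            val = re.match(r'"State"=dword:([0-9a-f]{8})$', line, re.I)
            if val and sid:
                states[sid] = int(val.group(1), 16)
    return states

def discardable(reg_text):
    """SIDs whose State carries any of the DISCARD_HINTS flags."""
    states = parse_profile_states(reg_text)
    return sorted(s for s, v in states.items() if DISCARD_HINTS & set(decode_state(v)))
```

Under these flag meanings, 644 (0x284) decodes to NEW_LOCAL, GUEST_USER and DEFAULT_NET_READY, while 256 (0x100) is ADMIN_USER alone.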
 
Barney Mowder

It's me again-

I still don't have a solution or a clue about this problem. Can anybody help?

Barney
 
IBTerry [MSFT]

If I understand you correctly what you want is default behavior. A user
should be able to logon w/ cached credentials (i.e. domain profile) if the
machine is unable to logon to the domain.
Are you sure you don't have this policy enabled?
274152 Using Group Policy to Delete Cached Copies of Roaming Profiles
http://support.microsoft.com/?id=274152
This is a Win2K article, but the same thing applies to XP.

IBTerry [MSFT]
This posting is provided "AS IS" with no warranties, and confers no rights.
 
Barney Mowder

Terry-

Thank you for your time! I really appreciate your reply.

Unfortunately, that doesn't work. The scenario is that I do not
want network based or roaming profiles to be used by the laptop AT
ALL, because they screw up the environment of the local machines when
a user logs on, unless the machines he logs onto are all identical.
As things stand, a user on my domain may have to log onto several
different machines in the course of a day, and these may be Win98, NT
40, or XP machines. A network-served profile just doesn't work in
this environment.

I need a way for a network user to log onto the XP machine and have
the same (i.e., the local) profile whether or not he is connected to
the NT domain.

I need to be able to do this without granting the user local
administrator privilege on the XP machine.

I have tried creating the user as a local user of the XP local
machine domain, but when he logs onto the network, the machine won't
use the local profile (because he's in a different domain), but
creates a 'default' profile, and deletes it when the user logs off,
unless the local user is granted administrator privilege on the local
XP machine.

So far, no soap. I have difficulty believing that no-one has ever
had this problem before, but I'll be darned if anyone on the Web has
ever mentioned it...
 
