Odd Ownership of folders in home drive Profile with %username% create methods

Bob F

Need your help(s) to confirm this behavior, I get the same results in a
fairly clean lab as well as a significantly more hoked up Production
environment.

On a domain controller, Windows 2000, SP3, using the ADUC snapin, create a
user. All actions are created/executed from the DC. Didn't matter whether
it was the PDC emulator or another writeable DC.

After the user is created, open the properties for that user and go to the
PROFILE tab. (using same ADUC session to create the user)

On the PROFILE TAB for the HOME FOLDER, click the CONNECT radio button and
select a drive letter, populate the TO: location with a UNC, like
\\servername\sharename\%username% and then OK the whole thing.

The system (not sure which actual component) then CREATES a folder in the
specified path with a substitution of %username% for the actual SAM ACCOUNT
LOGON name of the user.

Browse to the folder's root and check properties on the folder.

The FOLDER that is created has an OWNER that is specified as the user's
account, rather than ADMINISTRATORS.

If I use ADUC on a member server (Win2k) or from my XP workstation (Win2k3
Adminpack), the OWNER of a newly created user and folder combo is set
predictably to the ADMINISTRATORS group rather than the user.

Since I know that some of our production environment's policies and privs
have been hoked around with, I was suspecting an issue with the DEFAULT
OWNERS security settings in the DEFAULT DOMAIN CONTROLLERs and/or DEFAULT
DOMAIN Policy's setting. My lab environment is fairly pristine, no odd
modifications to the security or group policies.

This behavior occurs on both LOCAL CONSOLEs as well as TS Remote Admin
consoles. The LAB environment doesn't have any Win2k3 servers present
(production has a couple Win2k3, member only servers).

We're working on putting together a script to correct the security using
XCACLS or subinacl. So far, only figured out SUBINACL to change OWNER.

Shortly, I'll upgrade the lab to SP4 to see if the behavior continues. Just
an oddity for now. Making a migration from Netware NDS to a Netapp
FILER(CIFS) a little tricky. I'd like to remove the FULL control from the
user and only leave them with MODIFY. Having OWNERSHIP allows the user to
continue to maintain effective FULL control.


Spamblock in REPLY e-mail address--be sure to edit if privately replying
 
Jimmy Harper [MSFT]

Hi Bob. In the Windows 2000 version of the admin tools, the user is set to
owner and only the user and the administrators group are given permissions.
In the 2003 version, the administrators group is set to owner and
permissions are inherited from the parent folder.

The permissions part of this is described in the following article:

http://support.microsoft.com/default.aspx?scid=KB;EN-US;817009
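
A read-only audit of the condition discussed in this thread, added here as an example and not taken from either poster or from Microsoft: it lists home folders whose owner is not BUILTIN\Administrators, or where a principal other than Administrators or SYSTEM holds Full Control. It matters because a folder's owner can always rewrite its DACL, whatever the ACEs say. Assumptions: PowerShell 3.0 or later on the admin workstation, one subfolder per user under the share root, and `$HomeRoot` defaulting to the placeholder UNC from the question; the function names are hypothetical.

```powershell
# Added example: read-only audit of per-user home folders.
# $HomeRoot defaults to the placeholder UNC used in the post.
param([string]$HomeRoot = '\\servername\sharename')

$sidType  = [System.Security.Principal.SecurityIdentifier]
$fullMask = [int][System.Security.AccessControl.FileSystemRights]::FullControl
# Well-known SIDs: BUILTIN\Administrators and NT AUTHORITY\SYSTEM.
$trusted  = 'S-1-5-32-544', 'S-1-5-18'

function Resolve-SidName {
    param([System.Security.Principal.SecurityIdentifier]$Sid)
    try   { $Sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $Sid.Value }   # unresolvable (orphaned) SID: report it raw
}

function Get-HomeFolderFinding {
    param([System.IO.DirectoryInfo]$Folder)

    $acl   = Get-Acl -LiteralPath $Folder.FullName
    $owner = $acl.GetOwner($sidType)

    # Allow ACEs (explicit and inherited) that grant FullControl to anyone
    # other than Administrators or SYSTEM.
    $full = @($acl.GetAccessRules($true, $true, $sidType) | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (([int]$_.FileSystemRights) -band $fullMask) -eq $fullMask -and
        $trusted -notcontains $_.IdentityReference.Value
    } | ForEach-Object { Resolve-SidName $_.IdentityReference })

    [pscustomobject]@{
        Folder         = $Folder.Name
        Owner          = Resolve-SidName $owner
        OwnerIsAdmins  = ($owner.Value -eq 'S-1-5-32-544')
        FullControlFor = ($full | Select-Object -Unique) -join ', '
    }
}

# Report only folders that need attention.
Get-ChildItem -LiteralPath $HomeRoot -Directory |
    ForEach-Object { Get-HomeFolderFinding $_ } |
    Where-Object { -not $_.OwnerIsAdmins -or $_.FullControlFor } |
    Format-Table -AutoSize
```

The script changes nothing; its output is the worklist for whichever tool is used to reset the owner and reduce the user's ACE to Modify.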
 
