Roaming Profile Security

minion

My office LAN has a single Windows 2003 Standard Server as PDC, with 5
workstations, all Windows XP Pro SP2.

Our main software application is hosted on the Server in a shared
folder. On each workstation, the application is started from a shortcut
directly to the main EXE file in this shared folder.

After a domain logon and using local profiles, the application starts
without any security warnings.

However, after changing to new roaming profiles, the application will
not start without the option to either "run" or "save" the EXE file.
Selecting "run" starts the application as normal.

The roaming profiles were created by first logging on locally to the
Server itself, so I imagine that this explains the higher security
level.

Of course this is only a small problem, but I would like to run this
application without the security warning. Could anyone advise me how to
achieve this?

Thanks
 
Lanwench [MVP - Exchange]

In
minion said:
My office LAN has a single Windows 2003 Standard Server as PDC, with 5
workstations, all Windows XP Pro SP2.

Our main software application is hosted on the Server in a shared
folder. On each workstation, the application is started from a
shortcut directly to the main EXE file in this shared folder.

After a domain logon and using local profiles, the application starts
without any security warnings.

However, after changing to new roaming profiles, the application will
not start without the option to either "run" or "save" the EXE file.
Selecting "run" starts the application as normal.

The roaming profiles were created by first logging on locally to the
Server itself, so I imagine that this explains the higher security
level.

Actually, that might explain a *lot* of things - that's not the way to
create roaming profiles. User accounts should never be able to log into a DC
directly! If they can, they are either members of groups they shouldn't be
in, or someone has mucked with the default policies... either way, that
needs to be addressed.

The way you create roaming profiles is to specify the profile path in the
users' ADUC settings - such as \\server\profiles$\%username%. Then, when the
user logs in, and logs out, he has a roaming profile - if there was a
locally cached profile already on that workstation, that's the profile they
get.

(unrelated note - make sure you've got folder redirection policies for My
Documents, at the very least - and keep the profiles *tiny*.)

Try a test with a new user account, created via this method, and see what
happens.
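The two checks the reply asks for, as an added example that is not part of the original thread: first, list every enabled user and whether its `profilePath` follows the `\\server\profiles$\<username>` convention; second, set the path for a test account through the same AD attribute that the ADUC Profile tab writes; third, on the DC, export the local security policy and read who currently holds "Allow log on locally". The share name `\\server\profiles$`, the test account `roamtest` and the export path are assumptions; the script uses only ADSI and `secedit`, which exist on a Windows 2003 domain, and must be run by an account allowed to edit users.

```powershell
# Added example, not from the thread. Assumed values: the profile share
# \\server\profiles$ (taken from the reply), a hypothetical test account
# 'roamtest', and an export file path for secedit.
param(
    [string]$ProfileShare = '\\server\profiles$',
    [string]$TestUser     = 'roamtest',
    [string]$ExportFile   = "$env:TEMP\dc-user-rights.inf"
)

# 1. Report every enabled user account and its current profilePath.
#    The userAccountControl bitwise filter (bit 2 = ACCOUNTDISABLE) drops disabled accounts.
$root     = [ADSI]'LDAP://RootDSE'
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]('LDAP://' + $root.defaultNamingContext)
$searcher.Filter   = '(&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'
$searcher.PageSize = 500
[void]$searcher.PropertiesToLoad.AddRange([string[]]@('sAMAccountName', 'profilePath'))

foreach ($r in $searcher.FindAll()) {
    $sam  = [string]$r.Properties['samaccountname'][0]
    $path = if ($r.Properties['profilepath'].Count) { [string]$r.Properties['profilepath'][0] } else { '' }
    $expected = Join-Path $ProfileShare $sam
    # LOCAL = no roaming profile; NONSTANDARD = roaming, but not under the agreed share
    $status = if (-not $path) { 'LOCAL' } elseif ($path -ieq $expected) { 'OK' } else { 'NONSTANDARD' }
    '{0,-20} {1,-12} {2}' -f $sam, $status, $path
}

# 2. Set the roaming profile path for the test account the way the reply
#    describes. ADUC expands %username% itself when you type it in the GUI;
#    when writing the attribute directly, supply the resolved user name.
$userSearch = New-Object System.DirectoryServices.DirectorySearcher
$userSearch.SearchRoot = $searcher.SearchRoot
$userSearch.Filter     = "(&(objectClass=user)(sAMAccountName=$TestUser))"
$result = $userSearch.FindOne()
if ($result) {
    $user = $result.GetDirectoryEntry()
    $user.Put('profilePath', (Join-Path $ProfileShare $TestUser))
    $user.SetInfo()
    "Set profilePath for $TestUser to $($user.profilePath)"
} else {
    "Test account $TestUser not found; create it first."
}

# 3. On the DC: export the effective user-rights assignments and show who may
#    log on locally. Ordinary users or Domain Users appearing here is what the
#    reply says needs to be addressed (compare against the Default Domain
#    Controllers Policy).
secedit /export /cfg $ExportFile /areas USER_RIGHTS | Out-Null
$line = Select-String -Path $ExportFile -Pattern '^SeInteractiveLogonRight' | Select-Object -First 1
if ($line) {
    # Values are SIDs prefixed with '*'; translate each to an account name.
    $sids = ($line.Line -split '=')[1].Trim() -split ',' | ForEach-Object { $_.Trim().TrimStart('*') }
    foreach ($sid in $sids) {
        try   { $name = (New-Object System.Security.Principal.SecurityIdentifier($sid)).Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = '(unresolved)' }
        'Allow log on locally: {0,-45} {1}' -f $sid, $name
    }
}
Remove-Item $ExportFile -ErrorAction SilentlyContinue
```

Run it once before and once after creating the test user the reply suggests; the first section should show the new account as `OK` and every legacy account created by logging on at the server as `LOCAL` or `NONSTANDARD`, and the third section should list only built-in administrative groups on the DC.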
 
