HappyValleyTech
Howdy!
I've run into an interesting problem involving multiple profiles and changes
to user groups. Previously, we migrated our end users to a new domain, and
hacked the registry of each PC
(HKLM/Software/Microsoft/WindowsNT/ProfileList) to point the users' new local
profiles to their old local profiles.
For almost a year, this worked great. Then, in response to ever-increasing
security threats, we decided to set up a second profile for each end user
that didn't have administrative rights. (For political reasons, we can't
simply strip our end users of admin rights in general, more's the pity.)
Here's what we did: We created a new OU with "local administrator accounts",
logged into each PC and added the new account, then removed the pre-existing
account from the administrators group.
For some of our users, including the ones we tested our procedure with,
everything worked great. For those who still had accounts pointing to the
local profiles from the previous domain, things went downhill fast. Every
time one of these users logs in, Windows creates a brand new profile, with
the following naming scheme: Username.Domainname. The next time the user logs
in, the profile is named Username.Domainname.000, then
Username.Domainname.001, etc.
Has anyone seen something like this before? We've tried giving the problem
profiles full rights to the documents and settings folder, with the thought
that we'd accidentally stripped away rights we hadn't intended when we took
them out of the administrators group, but it didn't touch the problem at all.
Reversing the procedure and returning the profile to the administrators
group solves the problem, but leaves us back at square one, security-wise.
Any insight would be greatly, greatly appreciated, as I've been researching
this problem for several weeks to no avail.
Thanks in advance!
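
The post describes ProfileList entries pointed at old profile folders, followed by removal of the accounts from the local Administrators group. As an added example that is not part of the original post, this read-only PowerShell audit lists each SID-to-folder mapping and reports whether that SID itself holds an explicit allow entry on the folder and on its NTUSER.DAT, which matters once access no longer comes through the Administrators group. The key path is the standard ProfileList location (an assumption here), the function and column names are illustrative, and the script is meant to be run from an elevated prompt.

```powershell
# Added example: read-only audit, changes nothing on the machine.
# Assumption: profiles are registered under the standard ProfileList key.
$profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

function Test-ExplicitAllow {
    # True if $Target's ACL has an Allow entry naming exactly $Sid.
    # Access obtained through group membership is deliberately not counted.
    param([string]$Target, [string]$Sid)
    if (-not (Test-Path -LiteralPath $Target)) { return $false }
    $rules = (Get-Acl -LiteralPath $Target).GetAccessRules(
        $true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($r in $rules) {
        if ($r.IdentityReference.Value -eq $Sid -and $r.AccessControlType -eq 'Allow') { return $true }
    }
    return $false
}

$rows = foreach ($key in Get-ChildItem -Path $profileList) {
    $sid  = $key.PSChildName
    $path = (Get-ItemProperty -Path $key.PSPath).ProfileImagePath
    if (-not $path) { continue }
    $path = [Environment]::ExpandEnvironmentVariables($path)

    # SIDs from a retired domain, or '.bak' keys, may not resolve to a name.
    try {
        $sidObj  = New-Object System.Security.Principal.SecurityIdentifier($sid)
        $account = $sidObj.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        $account = '<unresolved>'
    }

    [pscustomobject]@{
        Sid         = $sid
        Account     = $account
        ProfilePath = $path
        FolderFound = Test-Path -LiteralPath $path
        FolderAce   = Test-ExplicitAllow $path $sid
        HiveAce     = Test-ExplicitAllow (Join-Path $path 'NTUSER.DAT') $sid
    }
}

# Paths claimed by more than one SID (e.g. an old and a new domain account).
$shared = @($rows | Group-Object ProfilePath | Where-Object { $_.Count -gt 1 } |
    ForEach-Object { $_.Name })

$rows | Select-Object *, @{ n = 'SharedPath'; e = { $shared -contains $_.ProfilePath } } |
    Format-Table -AutoSize
```

Rows where `FolderAce` or `HiveAce` is False for a redirected profile, or where `SharedPath` is True, are the mappings to compare between a machine that works and one that keeps generating Username.Domainname.00x folders.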