Weird Profile Problem

  • Thread starter HappyValleyTech

HappyValleyTech

Howdy!

I've run into an interesting problem involving multiple profiles and changes
to user groups. Previously, we migrated our end users to a new domain, and
hacked the registry of each pc
(HKLM/Software/Microsoft/WindowsNT/ProfileList) to point the users' new local
profiles to their old local profiles.

For almost a year, this worked great. Then, in response to ever-increasing
security threats, we decided to set up a second profile for each end user
that didn't have administrative rights. (For political reasons, we can't
simply strip our end users of admin rights in general, more's the pity.)

Here's what we did: We created a new OU with "local administrator accounts",
logged into each pc and added the new account, then removed the pre-existing
account from the administrators group.

For some of our users, including the ones we tested our procedure with,
everything worked great. For those who still had accounts pointing to the
local profiles from the previous domain, things went downhill fast. Every
time one of these users logs in, Windows creates a brand new profile, with
the following naming scheme: Username.Domainname. The next time the user logs
in, the profile is named Username.Domainname.000, then
Username.Domainname.001, etc.

Has anyone seen something like this before? We've tried giving the problem
profiles full rights to the documents and settings folder, with the thought
that we'd accidentally stripped away rights we hadn't intended when we took
them out of the administrators group, but it didn't touch the problem at all.

Reversing the procedure and returning the profile to the administrators
group solves the problem, but leaves us back at square one, securitywise.

Any insight would be greatly, greatly appreciated, as I've been researching
this problem for several weeks to no avail.

Thanks in advance!
 

Anteaus

This is almost certainly happening because the accounts, although
identically named, have different SIDs.

Never looked at this kind of situation in detail, but I think you may need
to assign all users to a common group, and grant this group rights to
Documents and Settings. This will of course mean that users can access each
others' data. There may be other workarounds.

A better resolution may be in the form of a number of third-party utilities
that emulate the Linux su or sudo commands. This allows an ordinary user to
self-promote when needed.
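
One way to check the SID explanation above on an affected PC, as an added example that is not part of the original thread: it walks the ProfileList key, resolves each SID to an account name, and reports whether that SID appears in the ACL of the profile folder it points to. It assumes the standard ProfileList location under `Windows NT\CurrentVersion` and an elevated PowerShell session; the property names in the report are chosen for this example.

```powershell
# Added example: audit which SID each local profile mapping belongs to.
$profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

$report = foreach ($key in Get-ChildItem -Path $profileList) {
    $sidString = $key.PSChildName
    # Skip built-in service profiles (S-1-5-18/19/20); only user SIDs matter here.
    if ($sidString -notmatch '^S-1-5-21-') { continue }

    $path = [Environment]::ExpandEnvironmentVariables(
        (Get-ItemProperty -Path $key.PSPath).ProfileImagePath)

    # Translate the SID to DOMAIN\user. A SID from a retired domain will not resolve.
    $sid = New-Object System.Security.Principal.SecurityIdentifier($sidString)
    try   { $account = $sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $account = '<unresolved>' }

    $owner = '<folder missing>'
    $sidHasAce = $false
    if (Test-Path -Path $path) {
        $acl   = Get-Acl -Path $path
        $owner = $acl.Owner
        # Ask for the rules keyed by SID so same-named accounts cannot be confused.
        $rules = $acl.GetAccessRules($true, $true,
                     [System.Security.Principal.SecurityIdentifier])
        $sidHasAce = @($rules | Where-Object {
                         $_.IdentityReference.Value -eq $sidString }).Count -gt 0
    }

    New-Object PSObject -Property @{
        Sid         = $sidString
        Account     = $account
        ProfilePath = $path
        FolderOwner = $owner
        SidHasAce   = $sidHasAce   # access granted only through a group is not counted
    }
}

# Full mapping, then the entries whose own SID is absent from the folder ACL.
$report | Format-Table Account, Sid, ProfilePath, FolderOwner, SidHasAce -AutoSize
$report | Where-Object { -not $_.SidHasAce } |
    Format-Table Account, ProfilePath, FolderOwner -AutoSize

# Profile folders claimed by more than one SID (e.g. old-domain and new-domain accounts).
$report | Group-Object ProfilePath | Where-Object { $_.Count -gt 1 } |
    ForEach-Object { $_.Group | Format-Table Account, Sid, ProfilePath -AutoSize }
```

An entry with `SidHasAce` false means the account reached its redirected folder only through group membership, such as the local Administrators group.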
 