Currently the admin's group contains the domain users goup
is this correct? It dosent see that it should be setup
this way.
I agree with Paul there - huge security issue.
First, which Admins group? The local "Administrators" group on the client
machines? On the DC? On some other server? SIDWALK from the Windows 2000
Support Tools will help you find out.
Some folks like to make a domain's Domain Users group a member of all of the
stations' Administrators group because otherwise broken software doesn't
work. I usually hit these folks with a big, painful stick and then redo
their security for them.
If i remove the domain users group from the
admin's group, my users lose their profiles when they log
in. What chould be the problem / fix?? Any ideas???
Oh geez, and the local directory permissions are messed up, too.
The original directory permissions for C:\Documents And Settings are:
Local Administrators: Full Control
Everyone, Users and Power Users: Read, Read and Execute, List Folder
Contents
SYSTEM: Full Control
The Default User folder inherits these permissions and also has the Hidden
flag turned on.
The All Users folder has a copy of these (rather than inheriting them)
except Power Users have additional rights (Everything except Change
Permissions and Take Ownership).
All other folders have Administrators, SYSTEM, and the owning user having
Full Control.
See if resetting these helps restore profile access to limited users.
Ownership of these doesn't seem to make a difference - I have a couple of
limited users on my home Win2K machine and their profile folder's owner is
Administrators (the local group). As long as each user has Full Control
over their own profile folder they should be able to use it.
One more thing though: Does a brand new user - one who's never had a profile
on that machine before - have the same difficulty?
