Re: Local Policies with Roaming Profiles - Security ID Prob

From: Kris Hyde (k.hyde_at_umist.ac.uk)
Date: 04/29/03


Date: 29 Apr 2003 02:10:13 -0700


Thanks for the posting Steve. I agree completely with the theory of
what you say... it just doesn't seem to work. Theory goes that as they
are only local policies, they should be stored in the Group Policies
folder in the system32 directory. As long as I've configured the
security tab for that folder correctly, it should work a treat. And it
does, even when the profiles are set to roaming. The only prob arises
when a second computer tries to overwrite the copy of the profile, then
all policies stop being applied. If there isn't some information within
the profile about the policies, then the prob must be to do with the
Security ID. When the second computer overwrites the original profile
on the server, it must tag the profile with that computer's profile's
SID. I'm guessing that other computers won't then recognise that SID
and despite loading the Desktop, My Documents... etc, it refuses to
apply the local policies (I assume because it recognises that it's not
a local SID).

Sadly, as people may have guessed, my knowledge of SIDs is poor. Is
there any way of convincing the computer to apply local policies to
what it will regard as non-local users? Or of somehow obtaining the
SIDs of each of an individual's accounts on each computer and storing all
of these in their centrally stored profile, so that each computer will
regard it as 'local'?

Any help would be appreciated,

Kris

"Steven L Umbach" <n9rou@attbi.com> wrote in message news:<Mgkra.678978$S_4.728622@rwcrnsc53>...
> Security/group policies are not configured by user profiles. Use the
> gpedit.msc snap in to configure policies on a stand alone machine. The user
> configuration policies will apply equally to all users by default. --
> Steve
>
"Kris Hyde" <k.hyde@umist.ac.uk> wrote in message
news:da8e631b.0304280526.1c4ea566@posting.google.com...
> Hi,
>
> Due to restrictions within our organisation we cannot set up a child
> domain within the existing network for our group. Thus we have a
> workgroup, and an account is set up on every computer for each user.
> Local policies are applied to the accounts at this stage. All the
> profiles on each computer then have their profile path set to the
> users' shared folder on the server, and local copies of the profiles
> are set to be automatically deleted. Thus, there is one copy of each
> profile which is downloaded on logon and updated on logout.
>
> The problem I have is this: When I transfer all of the profiles from a
> computer (call it Computer 1) all of the local policies are still
> applied when the users subsequently login. When I then try and repeat
> the procedure on a second computer (Computer 2) everything initially
> seems ok as users can log in and out of computer 2 fine, with all of
> the policies applied. However, when a user attempts to login to
> Computer 1, none of the policies are applied. Somewhere in the user's
> profile folder on the server, the local policies for computer 2 have
> overwritten those for computer 1, and computer 1 can't read computer
> 2's policies (something to do with the Security ID?). The only way
> I've found around this problem is to give all the users on Computer 1
> Administrator privileges, which is obviously not ideal!
>
> Does anyone know where this data may be stored within the profile, and
> how I can convince users to be able to access it without giving them
> full Admin rights? I'm guessing that I only have to play with the ACL
> of the file or something.
>
> Cheers,
>
> Kris
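
An added illustration, not part of the original thread, of the SID structure the post asks about: a local account's SID is a per-machine identifier followed by a relative ID (RID), so an account with the same name on Computer 1 and Computer 2 is a different security principal on each, and an ACL written for one does not match the other. The machine identifiers, RID and ACL below are constructed sample values.

```python
import struct

def parse_sid(raw: bytes) -> str:
    """Decode a binary Windows SID into its S-R-A-S1-S2... string form."""
    if len(raw) < 8:
        raise ValueError("SID too short")
    revision, count = raw[0], raw[1]
    if len(raw) != 8 + 4 * count:
        raise ValueError("length does not match sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")      # 48-bit, big-endian
    subs = struct.unpack("<%dI" % count, raw[8:])    # 32-bit each, little-endian
    return "-".join(["S", str(revision), str(authority), *map(str, subs)])

def build_local_sid(machine_id, rid) -> bytes:
    """Build a constructed S-1-5-21-<machine id>-<RID> account SID in binary."""
    subs = (21, *machine_id, rid)
    header = bytes([1, len(subs)]) + (5).to_bytes(6, "big")
    return header + struct.pack("<%dI" % len(subs), *subs)

def split_account_sid(sid: str):
    """Split an S-1-5-21-... SID into (machine or domain part, RID)."""
    parts = sid.split("-")
    if parts[:4] != ["S", "1", "5", "21"] or len(parts) != 8:
        raise ValueError("not a machine/domain account SID")
    return "-".join(parts[:7]), int(parts[7])

def acl_grants(acl_sids, logon_sid) -> bool:
    """Access checks compare SIDs, never account names."""
    return logon_sid in acl_sids

# Constructed sample values: two workgroup machines, same user name, same RID.
COMPUTER1_ID = (1111111111, 2222222222, 3333333333)
COMPUTER2_ID = (4040404040, 505050505, 606060606)
USER_ON_1 = parse_sid(build_local_sid(COMPUTER1_ID, 1003))
USER_ON_2 = parse_sid(build_local_sid(COMPUTER2_ID, 1003))

# Constructed ACL as it would look if written while logged on at Computer 2:
# that machine's account plus the well-known BUILTIN\Administrators group.
ACL_FROM_COMPUTER2 = {USER_ON_2, "S-1-5-32-544"}

if __name__ == "__main__":
    for name, sid in (("Computer 1", USER_ON_1), ("Computer 2", USER_ON_2)):
        machine, rid = split_account_sid(sid)
        print(name, sid, "machine part:", machine, "RID:", rid,
              "granted:", acl_grants(ACL_FROM_COMPUTER2, sid))
```

Well-known SIDs such as S-1-5-32-544 are identical on every machine, which is why an ACL entry for the Administrators group matches everywhere while an entry for a local user account does not.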


