Re: ROAMING LOGIN

From: Lanwench [MVP - Exchange] (lanwench_at_heybuddy.donotsendme.unsolicitedmail.atyahoo.com)
Date: 09/30/04 

Date: Thu, 30 Sep 2004 15:06:34 -0400

marie price wrote:
> my domain is wrps
>
> user is from another network called gps, he has roaming
> profile (have no idea what his gps privs are, but I
> suspect he has admin privs)
>
> he was not setup as administrator to wrps local pcs,
> unless he was able to do it himself.

Check the membership of the local admin groups. Domain admins are members by
default - who else is?
>
> I just want to make sure that his gps admin role does not
> allow him to install software on the wrps pc.

It will. If the local admins group contains the domain admins group (or
another group of which he is ultimately a member, via the trust), he has
local admin rights.

>
> and I don't understand why the roaming profile, created a
> bunch of file on the wrps pc. after he logs off, the
> files remains.

> i.e. c:\documents and settings\gpsuser\.........
>
> he is logging on all over the place, and leaving megs
> worth of files.
>
> thanks

You'd see this even if he didn't have a roaming profile - and you probably
see similar folders for your "local" domain users' logins, as well. You can
disable the caching of domain profiles via group policy, but this will apply
to all users by default...AFAIK.

>
>
>
>
>
>> -----Original Message-----
>> Marie Price wrote:
>>> what I have is 2 separate network. they can talk via a
>>> trust connection.
>>>
>>> domain wrps is the main domain.
>>> domain gps users are logging in with roaming profile.
>>>
>>> the problem I see is that some of these users have admin
>>> privileges in their network.
>>
>> What domain groups are they members of?
>>
>>> when they sign in their
>>> profile leaves behind a bunch of files in the documents
>>> and settings on the pc they logged on.
>>>
>>> my question is, if they log in using roaming profiles, can
>>> they use their administrative privileges to install
>>> software on the pc they have just logged into?
>>
>> If they effectively get local admin rights, they can do pretty much
>> whatever they wish. The profile isn't really relevant.
>>>
>>> thanks
>>
>>
>> .

Relevant Pages

  • Re: ROAMING LOGIN
    ... >> he was not setup as administrator to wrps local pcs, ... >Check the membership of the local admin groups. ... If the local admins group contains the domain ... >> and I don't understand why the roaming profile, ...
    (microsoft.public.windowsxp.security_admin)
  • Re: Vista - User Profile Service
    ... profile state change. ... The blocked account is status "3278" ... Apparently when joining a domain the local admin account is disabled by ... RoyS could logon prior to 2 days ago. ...
    (microsoft.public.windows.server.sbs)
  • Re: Unable to delete local user profile in win2K server...
    ... I've had this problem many times on client computers and the best way has been to reboot, log on locally as local admin and then delete it. ... have been configuring all our TS users to use a roaming profile - and once I ...
    (microsoft.public.windows.terminal_services)
  • Re: Unable to delete local user profile in win2K server...
    ... I've had this problem many times on client computers and the best way has been to reboot, log on locally as local admin and then delete it. ... have been configuring all our TS users to use a roaming profile - and once I ...
    (microsoft.public.backoffice.smallbiz2000)
  • Migrated account needs admin access
    ... I recently migrated some XP SP3 PCs from a workgroup to a 2003 domain. ... logging in to each PC with the newly created domain user account, ... profile over the new domain profile on each PC. ... These users did not have local admin rights on the PCs before migrating nor ...
    (microsoft.public.windowsxp.general)