Roaming Profile on W2K3 and XP Pro

Archived from groups: microsoft.public.windowsxp.security_admin

RTF_007 wrote:

Hi all,
I installed a new W2K3 Server and XP clients and all was working fine till
my server crashed. After re-installing it, I restored all the
data, re-created all the users and re-added all the clients to the domain.
The domain name and file path were put back to exactly the way they were before
the crash; however, users were able to log in but could not open Outlook 2003,
which uses Exchange 2003, plus they couldn't save anything to any drive,
mapped or local. To avoid this scenario, I had to create local usernames
with administrative privileges on their local machines; then they were able
to do all they should do in a domain environment. I prefer using roaming
profiles but right now it doesn't seem to work. If a user is to log into
another machine, I would have to create a local username with administrative
privileges. They were also restricted from accessing some of their created
files on their network home directories, and with this, I had to take
ownership as the Administrator, then add them for access. This is my first
time working with W2K3 and XP as a domain/client environment and I suppose
it's a question of security, but I don't know where to look anymore. Now none of
my users have a roaming profile even though it says so, plus all of them have
administrative rights locally, which I'm not comfortable with. Can someone
help please? Very sorry for the length; just wanted to cover all in a nutshell.
 
Star Fleet Admiral Q wrote:

What you should have done when the server crashed was a full restore from
backup, from a backup prior to what caused the server to crash. Now all
your domain profiles are invalid, as they are no longer installed on the
same server (as far as the domain is concerned): when you reinstalled
Win2k3, the server was assigned a new SID, different from what it was before.
Since part of the domain profiles (roaming or otherwise) are looking for
that SID, they can no longer find it. This would also be why the logins
could not access the files on the local PCs: when you rejoined the PCs
to the domain, again, a different SID and different domain profile, so they
too get a new SID. The SID is that S-xxxx number you see next to a security
token/object; each user, system, etc. on the domain has one of these unique
numbers. That's also what breaks file encryption when people have encrypted
files located somewhere other than their Windows system, the Windows system
hoses up for some reason, they've not designated a recovery agent, and they
format/reinstall the drive with Windows. The security certificate to
decrypt the files uses the SID of the user ID or recovery agent ID to verify
if it is authorized to decrypt the file; if no match, no decrypt. Now if
you have the original profiles that encrypted those certs, then they can be
imported to allow decryption.
Bottom line, the SID plays a very important role in MS security, whether
encryption, domain security, trusts, etc.

--

Star Fleet Admiral Q @ your Service!

http://www.google.com
Google is your "Friend"

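The reply above says the local profiles and the home-directory ACLs are keyed to SIDs that the rebuilt domain no longer issues. As an added example that is not part of the thread, the following PowerShell script lists the profiles registered on a machine and the ACL entries (and owners) under a home-directory share that point at S-1-5-21-... SIDs the current domain cannot resolve. It assumes PowerShell 2.0 or later is installed on the machine being checked (it did not ship with XP or Windows Server 2003), that it runs as a local administrator, and that `\\FILESERVER\Home` is a placeholder for the real home-directory path.

```powershell
# Added example, not from the thread. Assumptions: PowerShell 2.0 or later is
# installed, the script runs as a local administrator, and $HomeRoot is a
# placeholder for the real home-directory share.

$ProfileListKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
$HomeRoot       = '\\FILESERVER\Home'   # placeholder, replace with the real path

# Translate a SID string to DOMAIN\name; returns $null when the current domain
# (which has a new domain SID since the reinstall) does not know the SID.
function Resolve-SidName {
    param([string]$Sid)
    try {
        $id = New-Object System.Security.Principal.SecurityIdentifier($Sid)
        $id.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        $null
    }
}

# True for a domain/local account SID (S-1-5-21-...) that Windows cannot map
# to a name, i.e. one issued by the domain that existed before the rebuild.
function Test-OrphanSid {
    param([string]$Sid)
    return ($Sid -like 'S-1-5-21-*') -and ($null -eq (Resolve-SidName $Sid))
}

# 1. Profiles registered on this machine. Each subkey is named after the SID
#    the profile belongs to; an unresolvable SID is a profile from the old domain.
Write-Host "Profiles registered in $ProfileListKey"
Get-ChildItem $ProfileListKey | ForEach-Object {
    $sid  = $_.PSChildName
    $path = (Get-ItemProperty $_.PSPath).ProfileImagePath
    $name = Resolve-SidName $sid
    New-Object PSObject -Property @{
        Sid         = $sid
        ProfilePath = $path
        Account     = $(if ($name) { $name } else { '<unresolved: old domain SID>' })
        Orphaned    = Test-OrphanSid $sid
    }
} | Format-Table Sid, Account, ProfilePath, Orphaned -AutoSize

# 2. ACEs and owners on home directories that still name the old domain's SIDs.
#    Get-Acl reports the raw SID as IdentityReference when it cannot translate it.
Write-Host "Unresolvable ACEs under $HomeRoot"
Get-ChildItem $HomeRoot | Where-Object { $_.PSIsContainer } | ForEach-Object {
    $folder = $_.FullName
    $acl = Get-Acl $folder
    if (Test-OrphanSid $acl.Owner) {
        Write-Host "  $folder is owned by unresolvable SID $($acl.Owner)"
    }
    foreach ($ace in $acl.Access) {
        $ref = $ace.IdentityReference.Value
        if (Test-OrphanSid $ref) {
            New-Object PSObject -Property @{
                Folder = $folder
                Sid    = $ref
                Rights = $ace.FileSystemRights
            }
        }
    }
} | Format-Table Folder, Sid, Rights -AutoSize
```

To see the SID a user has now, run `whoami /user` in that user's session and compare it with the orphaned SIDs the script prints; after a domain rebuild the domain part (the middle numbers of S-1-5-21-...) differs, so every old ACE and ProfileList entry will show as unresolvable. That is why taking ownership and re-granting access, as the original poster did, works around the problem: it replaces ACEs holding old SIDs with ones holding the new ones.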
 
Guest wrote:

Thanks Star Fleet Admiral Q. Does this mean that I can't change anything on
this setup? The users have changed a lot on their profiles since they've been
using them for a while now. Is there something I can change on either the
server or client? Because I can't change their usernames.
