Archived from groups: microsoft.public.win2000.active_directory (
More info?)
Hi Paul,
Thanks for your help. I should have explained myself further. Basically I
have a PC which is connected to the 1st server, which is a domain controller.
The user which logs on to this machine is a member of the Domain Users group
and is a LOCAL Power User on the local machine, ie. In the Power Users group
in Computer Management - Local Users and Groups - Groups - Power Users, I
have: DOMAIN\Power Users.
Normally, I would have Domain Users in the local Administrators group, but
due to needing users to be restricted in their rights on the local machine,
we cannot allow that.
I have 2 servers, both Domain Controllers, with different domain names, lets
call them test1.com and test2.com. The NETBIOS name is 'DOMAIN' for both.
They are basically identical in hardware and OS specifications.
The problem that I'm getting is that when I'm migrating from the 1st Server
to the 2nd Server and the PC has Domain Users as Local Power Users only and
not Local Administrators, when I do the process of disjoining from the 1st
Server and joining to the second server, the profile is not displayed
properly after being migrated across.
The process that is done when copying the user profiles across is:
- Join to Server 1 domain
- Set Domain Users as Local Power Users
- Log on to Server 1 as the User
- Change profile settings
- Log off
- Log into machine as Local Administrator
- Disjoin from Server 1 domain
- Log into machine as Local Administrator again
- Join Server 2 domain
- Log into Server 2 domain as Domain Administrator
- Set all Domain Users as Local Power Users
- Copy all profiles from C:\Documents and Settings to C:\Profiles.bak
(Except All Users, Default Users, Administrator)
- Delete all profiles from C:\Documents and Settings to C:\Profiles.bak
(Except All Users, Default Users, Administrator)
- Log off and Log into the domain as the User
- Log off and Log into the domain as Administrator
- Delete *new profile from C:\Documents and Settings
- Copy User's old profile from C:\Profiles.bak to C:\Documents and Settings
and rename to the deleted *new profile name
- Re-apply appropriate permissions to the profile folders
- Reset Security permission on all child objects
- Log off and log back on as the User on to the domain
* This is where the profile should look correct - however this seems to only
be the case when Domain Users are set as Local Administrators and not Power
Users.
I believe if you are able to try to replicate this, you will get the same
results. If you have any questions or suggestions, your reply would be much
appreciated.
Regards,
Jesse
"ptwilliams" wrote:
> You can't have local users on a DC. Nor can you a have non-local power
> users group.
>
> I assume that these machines are *not* domain controllers, and that you are
> logging onto a member server either as a local power user or as a domain
> user that is a member of the local power users group.
>
> If the former, the account on another machine is separate and will therefore
> have a different profile. If the latter, and you've disjoined this machine
> from the domain and added it to another domain, and are using a user account
> with the same name, then there are now two profiles in documents and
> settings - username and username.domain-name. If you want the old settings,
> you can copy the profile into the new profile. You can do this either using
> Windows explorer or the profiles tab of the system applet. Either way, you
> need to be logged on as a different user and need to change the permissions
> on the folder structure.
>
> If this isn't what you want, then I've misunderstood. Please elaborate on
> what the problem is.
>
> Just remember that all users on a DC are domain-wide -there are no local
> accounts. If you're having difficulty with these concepts, then try and
> explain how the environment is setup and we will help...
>
>
> --
>
> Paul Williams
>
> http://www.msresource.net/
> http://forums.msresource.net/
>
> "Jesse O'Brien bNC" <Jesse O'Brien bNC@discussions.microsoft.com> wrote in
> message news:8E0F7E1E-EA69-4F7B-A848-67E2D557F02E@microsoft.com...
> Hi,
>
> I am using a Win2K Server, Domain Controller with AD and i'm migrating users
> from that server to another Win2K Server, DC with AD. The issue i'm getting
> is that when the users are local Power Users only and not local
> Administrators, once I disjoin from Server 1 domain and join to the domain
> on
> Server 2, the profile (Local Profile) settings will not be kept on that
> local
> machine, ie. background, theme, icons, etc.
>
> * I have tried changing a user to a Local Administrator before and after
> disjoining and joining from the servers.
>
> * The account is duplicate in AD on both servers - just a domain user.
>
> * I believe it may be some sort of security setting that could be hindering
> this regarding local Power Users as it works fine when the users are local
> Administrators.
>
> Any suggestions would be greatly appreciated,
>
> Jesse O'Brien - bNC
> Systems Engineer - Tier II
> Pronet Technology
>
>
>
Facebook
Twitter
Instagram