User Profile Access Denied on Certain Users

Archived from groups: microsoft.public.win2000.security (More info?)

I am running into a situation where I am getting a few users that have
roaming profiles, in which I can not access their home directory on the
server when they are logged in, or even after they log off the network.

Two things have happened that made me notice this.

1) I needed to remove a user profile from the network since I suspected that
it was corrupted. After the user logged off that night, I attempted to delete
the folder where their profile was stored. The server said Access Denied to
the Domain Admin. When I tried to look at the security, I was told I could
view the security or take ownership of the files. In order to finally remove
the user profile, I had to go to the domain server, take ownership of the
files, and finally I could delete the folder.

2) The second was that I needed to manually move a favorite from one user to
another, again, access denied.

What is causing this to suddenly happen?

How can I resolve this?

Thanks
Smurfman
  1. Archived from groups: microsoft.public.win2000.security (More info?)

    Profiles are often considered user private storage space.
    As such, you often will see them set into the ownership of
    the account whose profile they are, and with a grant of full
    control to that account only.

    Reading your post, I was saying to myself, yes, ok, you are
    describing how it is when the profile is account private.
    Are you seeing something wrong with this?

    There is a policy available in group policy that will make
    Administrators also have grants on the profiles.

  2. Archived from groups: microsoft.public.win2000.security (More info?)

    Hello,

    Thank you for using the newsgroup!

    From your post, in fact, some group policy objects are related to the
    roaming profile security setting. You may refer to the following
    configurations:

    Computer Configuration\Administrative Templates\System\User Profiles\Add the Administrators security group to roaming user profiles

    This setting adds the Administrator security group to the roaming user
    profile share. Once an administrator has configured a user's roaming
    profile, the profile will be created at the user's next login. The profile
    is created at the location that is specified by the administrator. For the
    Windows 2000 Professional and Windows XP Professional operating systems,
    the default file permissions for the newly generated profile are full
    control, or read and write access for the user, and no file access for the
    administrators group. By configuring this setting, you can alter this
    behavior. If you enable this setting, the administrator group is also
    given full control to the user's profile folder.

    Computer Configuration\Administrative Templates\System\User Profiles\Do not check for user ownership of Roaming Profile Folders

    This setting disables the more secure default setting for the user's
    roaming user profile folder. Once an administrator has configured a user's
    roaming profile, the profile will be created at the user's next login. The
    profile is created at the location that is specified by the administrator.
    For Windows 2000 Professional pre-SP4 and Windows XP pre-SP1 operating
    systems, the default file permissions for the newly generated profile are
    full control access for the user and no file access for the administrators
    group. No checks are made for the correct permissions if the profile folder
    already exists. For Windows Server 2003 family, Windows 2000 Professional
    SP4 and Windows XP SP1, the default behavior is to check the folder for the
    correct permissions if the profile folder already exists, and not copy
    files to or from the roaming folder if the permissions are not correct. By
    configuring this setting, you can alter this behavior.

    For more information, please refer to the following articles:

    Group Policy Recommendations for Roaming User Profiles: Group Policy
    <http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/DepKit/9fa19668-626c-463e-9812-fa46e85c787b.mspx>

    Security Recommendations for Roaming User Profiles Shared Folders: Group
    Policy
    <http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/DepKit/20b15453-f7c9-4cf0-9131-78924af77655.mspx>

    Hope the information helps!

    Thanks & Regards,

    Ken Zhao

    Microsoft Online Partner Support
    Get Secure! - www.microsoft.com/security

  3. Archived from groups: microsoft.public.win2000.security (More info?)

    What you guys are saying makes perfect sense. BUT, recall that I said this
    only happens to a few users (all of whom are taking the same policies, with
    one exception that being I am pushing active desktop settings to two of the
    examples.)

    But note this as well, this happened last week.

    USER1 calls me, says they are having authentication problems getting out
    thru the ISA server...I posted this issue also...but in the past I have noted
    that something crazy has happened to their profile...not sure what.

    I have USER1 log off, I log on as ADMIN, delete the local profile, then
    attempt to delete the stored profile on the server.

    ACCESS DENIED.

    In turn, per my post, I have to take ownership of the files for USER1 as
    ADMIN, then I can delete the profile stored on the server.

    Now, USER1 logs back in, it creates a new profile, they log off.

    AT THIS POINT, I AS THE ADMIN can access their profile no problem, no
    permissions issues.

    This is the part that I am having trouble with...?

    J

  4. Archived from groups: microsoft.public.win2000.security (More info?)

    Okay, question in this regard. After my last post I went to last week's
    USER1, tried to open the profile, and I get the access denied message...

    BUT, on USER2, whom I was denied access to this week, I can get into the
    profile.

    See I have never made a setting so that the admin did not have rights to the
    profiles, and I can't understand why some profiles I can get into (even for
    new users on XP machines created a month ago) and old users created years ago.

    I also can't understand why this behavior changes from user to user...?

    I will check the two settings you mentioned....but I have never made any
    changes to these...to enforce this kind of behavior. One of you mentioned
    that in Windows 2000 Pro and XP Pro this was the default behavior. - By
    default, are the profiles only locked when the user logs into the domain, or
    are they always locked? Even after the user logs out...

    J

  5. Archived from groups: microsoft.public.win2000.security (More info?)

    Notice that the permissions (ownership) of the profile are set when
    first used, and the default at time of install of the system was to have
    the profiles private. So, if later someone adjusts the policies so that
    Administrators have a grant, but the account had been used before
    that time, then you would see the access denial. But, you also would
    see the new profile with grant to Administrators after you have done
    as you described, taking ownership and deleting (assuming the policy
    was adjusted to grant to Administrators).
    IOW you may be dealing with a historical artifact.
    --
    ra
  6. Archived from groups: microsoft.public.win2000.security (More info?)

    Hi Roger,

    Thanks for your notifications!

    Thanks & Regards,

    Ken Zhao

    Microsoft Online Partner Support
    Get Secure! - www.microsoft.com/security

    --------------------
    | From: "Roger Abell [MVP]" <mvpNoSpam@asu.edu>
    | Subject: Re: User Profile Access Denied on Certain Users
    | Date: Fri, 16 Sep 2005 08:11:53 -0700
    |
    | Notice that the permissions (ownership) of the profile are set when
    | first used, and the default at time of install of the system was to have
    | the profiles private. So, if later someone adjusts the policies so that
    | Administrators have a grant, but the account had been used before
    | that time, then you would see the access denial. But, you also would
    | see the new profile with grant to Administrators after you have done
    | as you described, taking ownership and deleting (assuming the policy
    | was adjusted to grant to Administrators).
    | IOW you may be dealing with a historical artifact.
    | --
    | ra
    | "Smurfman" <smurfman@news.postalias> wrote in message
    | news:ACC44B62-E63A-4D81-BC33-F190DBAD6BA2@microsoft.com...
    | > Okay, question in this regard. After my last post I went to last week's
    | > USER1, tried to open the profile, and I get the access denied message...
    | >
    | > BUT, on USER2, whom I was denied access to this week, I can get into the
    | > profile.
    | >
    | > See I have never made a setting so that the admin did not have rights to
    | > the profiles, and I can't understand why some profiles I can get into
    | > (even for new users on XP machines created a month ago) and old users
    | > created years ago.
    | >
    | > I also can't understand why this behavior changes from user to user...?
    | >
    | > I will check the two settings you mentioned....but I have never made any
    | > changes to these...to enforce this kind of behavior. One of you mentioned
    | > that in Windows 2000 Pro and XP Pro this was the default behavior. - By
    | > default, are the profiles only locked when the user logs into the domain,
    | > or are they always locked? Even after the user logs out...
    | >
    | > J
    | >
    | > "Ken Zhao [MSFT]" wrote:
    | >
    | >> Hello,
    | >>
    | >> Thank you for using newsgroup!
    | >>
    | >> From your post, in fact, some group policy objects are related to the
    | >> roaming profile security setting. You may refer to the following
    | >> configurations:
    | >>
    | >> Computer Configuration\Administrative Templates\System\User Profiles\Add the Administrators security group to roaming user profiles
    | >>
    | >> This setting adds the Administrator security group to the roaming user
    | >> profile share. Once an administrator has configured a user's roaming
    | >> profile, the profile will be created at the user's next login. The
    | >> profile is created at the location that is specified by the
    | >> administrator. For the Windows 2000 Professional and Windows XP
    | >> Professional operating systems, the default file permissions for the
    | >> newly generated profile are full control, or read and write access for
    | >> the user, and no file access for the administrators group. By
    | >> configuring this setting, you can alter this behavior. If you enable
    | >> this setting, the administrator group is also given full control to the
    | >> user's profile folder.
    | >>
    | >> Computer Configuration\Administrative Templates\System\User Profiles\Do not check for user ownership of Roaming Profile Folders
    | >>
    | >> This setting disables the more secure default setting for the user's
    | >> roaming user profile folder. Once an administrator has configured a
    | >> user's roaming profile, the profile will be created at the user's next
    | >> login. The profile is created at the location that is specified by the
    | >> administrator. For Windows 2000 Professional pre-SP4 and Windows XP
    | >> pre-SP1 operating systems, the default file permissions for the newly
    | >> generated profile are full control access for the user and no file
    | >> access for the administrators group. No checks are made for the correct
    | >> permissions if the profile folder already exists. For Windows Server
    | >> 2003 family, Windows 2000 Professional SP4 and Windows XP SP1, the
    | >> default behavior is to check the folder for the correct permissions if
    | >> the profile folder already exists, and not copy files to or from the
    | >> roaming folder if the permissions are not correct. By configuring this
    | >> setting, you can alter this behavior.
    | >>
    | >> For more information, please refer to the following article:
    | >>
    | >> Group Policy Recommendations for Roaming User Profiles: Group Policy
    | >> <http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/DepKit/9fa19668-626c-463e-9812-fa46e85c787b.mspx>
    | >>
    | >> Security Recommendations for Roaming User Profiles Shared Folders: Group
    | >> Policy
    | >> <http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/DepKit/20b15453-f7c9-4cf0-9131-78924af77655.mspx>
    | >>
    | >> Hope the information helps!
    | >>
    | >> Thanks & Regards,
    | >>
    | >> Ken Zhao
    | >>
    | >> Microsoft Online Partner Support
    | >> Get Secure! - www.microsoft.com/security
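
The thread explains the per-user differences by when each profile folder was first created relative to the "Add the Administrators security group to roaming user profiles" policy. The following is an added example, not code from any poster in the thread: it reports, for each folder on a profile share, the owner and whether BUILTIN\Administrators holds Full Control. The share path `\\fileserver\profiles$` and the function name `Get-ProfileAclState` are placeholders chosen for illustration.

```powershell
# Added example: audit a roaming-profile share for folders that are private to
# the user (no Administrators grant), the state described in the thread.
param(
    # Hypothetical share path; replace with your own profile share.
    [string]$ShareRoot = '\\fileserver\profiles$'
)

# Well-known SID of BUILTIN\Administrators; avoids localized group names.
$adminSid = 'S-1-5-32-544'
$full     = [System.Security.AccessControl.FileSystemRights]::FullControl
$allow    = [System.Security.AccessControl.AccessControlType]::Allow

function Get-ProfileAclState {
    param([Parameter(Mandatory)][string]$Path)

    try {
        $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop
    }
    catch {
        # The caller cannot read the security descriptor at all.
        return [pscustomobject]@{
            Folder = $Path; Owner = '(unreadable)'
            State  = 'Unreadable'; Detail = $_.Exception.Message
        }
    }

    # Resolve ACEs to SIDs, including inherited ones, and look for an
    # Allow ACE that gives Administrators Full Control.
    $rules = $acl.GetAccessRules($true, $true,
        [System.Security.Principal.SecurityIdentifier])
    $adminFull = $false
    foreach ($rule in $rules) {
        if ($rule.IdentityReference.Value -eq $adminSid -and
            $rule.AccessControlType -eq $allow -and
            ($rule.FileSystemRights -band $full) -eq $full) {
            $adminFull = $true
        }
    }

    $state = if ($adminFull) { 'AdminsGranted' } else { 'UserPrivate' }
    [pscustomobject]@{
        Folder = $Path; Owner = $acl.Owner; State = $state; Detail = ''
    }
}

Get-ChildItem -LiteralPath $ShareRoot -Directory |
    ForEach-Object { Get-ProfileAclState -Path $_.FullName } |
    Sort-Object State, Folder |
    Format-Table Folder, Owner, State, Detail -AutoSize
```

Folders reported as `UserPrivate` or `Unreadable` are the ones that would produce the Access Denied behaviour for an administrator.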