Sign in with
Sign up | Sign in
Your question

User Profile Access Denied on Certain Users

Tags:
  • Security
  • Servers
  • Windows
Last response: in Windows 2000/NT
Share
Anonymous
a b 8 Security
September 15, 2005 12:51:08 PM

Archived from groups: microsoft.public.win2000.security (More info?)

I am running into a situation where I am getting a few users that have
roaming profiles, in which I can not access their home directory on the
server when they are logged in, or even after they log off the network.

Two things have happened that made me notice this.

1) I needed to remove a user profile from the network since I suspected that
it was corrupted. After the user logged of that night, I attempted to delete
the folder where their profile was stored. The server said Access Denied to
the Domain Admin. When I tried to look at the security, I was told I could
view the security or take ownership of the files. In order to finally remove
the user profile, I had to go to the domain server, take ownership of the
files, and finally I could delete the folder.

2) The second was that I needed to manually move a favorite from one user to
another, again, access denied.

What is causing this to suddenly happen?

How can I resolve this?

Thanks
Smurfman

More about : user profile access denied users

Anonymous
a b 8 Security
September 15, 2005 10:16:31 PM

Archived from groups: microsoft.public.win2000.security (More info?)

Profiles are often considered user private storage space.
As such, you often will see them set into the ownership of
the account whose profile they are, and with a grant of full
control to that account only.

Reading your post, I was saying to myself, yes, ok, you are
describing how it is when the profile is account private.
Are you seeing something wrong with this?

There is a policy available in group policy that will make
Administrators also have grants on the profiles.

"Smurfman" <smurfman@news.postalias> wrote in message
news:30A73ED9-53A8-4A90-BA79-21FC6B04756F@microsoft.com...
>I am running into a situation where I am getting a few users that have
> roaming profiles, in which I can not access their home directory on the
> server when they are logged in, or even after they log off the network.
>
> Two things have happened that made me notice this.
>
> 1) I needed to remove a user profile from the network since I suspected
> that
> it was corrupted. After the user logged of that night, I attempted to
> delete
> the folder where their profile was stored. The server said Access Denied
> to
> the Domain Admin. When I tried to look at the security, I was told I
> could
> view the security or take ownership of the files. In order to finally
> remove
> the user profile, I had to go to the domain server, take ownership of the
> files, and finally I could delete the folder.
>
> 2) The second was that I needed to manually move a favorite from one user
> to
> another, again, access denied.
>
> What is causing this to suddenly happen?
>
> How can I resolve this?
>
> Thanks
> Smurfman
Anonymous
a b 8 Security
September 16, 2005 10:33:41 AM

Archived from groups: microsoft.public.win2000.security (More info?)

Hello,

Thank you for using newsgroup!

From your post, in fact, some group policy objects are related to the
roaming profile security setting. You may refer to the following
configurations:

Computer Configuration\Administrative Templates\System\User Profiles\Add
the Administrators security group to roaming user profiles

This setting adds the Administrator security group to the roaming user
profile share. Once an administrator has configured a users' roaming
profile, the profile will be created at the user's next login. The profile
is created at the location that is specified by the administrator. For the
Windows 2000 Professional and Windows XP Professional operating systems,
the default file permissions for the newly generated profile are full
control, or read and write access for the user, and no file access for the
administrators group. By configuring this setting, you can alter this
behavior. If you enable this setting, the administrator group is also
given full control to the user's profile folder.

Computer Configuration\Administrative Templates\System\User Profiles\Do not
check for user ownership of Roaming Profile Folders

This setting disables the more secure default setting for the user's
roaming user profile folder. Once an administrator has configured a users'
roaming profile, the profile will be created at the user's next login. The
profile is created at the location that is specified by the administrator.
For Windows 2000 Professional pre-SP4 and Windows XP pre-SP1 operating
systems, the default file permissions for the newly generated profile are
full control access for the user and no file access for the administrators
group. No checks are made for the correct permissions if the profile folder
already exists. For Windows Server 2003 family, Windows 2000 Professional
SP4 and Windows XP SP1, the default behavior is to check the folder for the
correct permissions if the profile folder already exists, and not copy
files to or from the roaming folder if the permissions are not correct. By
configuring this setting, you can alter this behavior.

For more information, please refer to the following article:

Group Policy Recommendations for Roaming User Profiles: Group Policy
<http://www.microsoft.com/technet/prodtechnol/windowsser...
it/9fa19668-626c-463e-9812-fa46e85c787b.mspx>

Security Recommendations for Roaming User Profiles Shared Folders: Group
Policy
<http://www.microsoft.com/technet/prodtechnol/windowsser...
it/20b15453-f7c9-4cf0-9131-78924af77655.mspx>

Hope the information helps!

Thanks & Regards,

Ken Zhao

Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security

=====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.


Newsgroup Web Interface Upgrade
Please complete a one-time registration process on your first visit to the
Partner Portal beginning July 11, 2005 at 9 A.M. PST by entering the secure
code mspp2005 when prompted. This secure code will be valid for 6 months
after which you will need to update your registration by entering the new
secure code. We will post announcements in the newsgroups prior to
expiration. Once you have entered the secure code mspp2005 , you will be
able to update your profile and access the the partner newsgroups. Please
update your Favorites link to the newsgroups web page, your current link
will redirect until November 1, 2005.
Please post any comment, questions or concerns to the
microsoft.private.directaccess.partnerfeedback newsgroup. For more
information, please go to:
https://partner.microsoft.com/global/technicalsupport/r...
4662


--------------------
| Thread-Topic: User Profile Access Denied on Certain Users
| thread-index: AcW6DUoKOuLfvjgcQVuUG7wlFa0MTQ==
| X-WBNR-Posting-Host: 209.217.222.70
| From: "=?Utf-8?B?U211cmZtYW4=?=" <smurfman@news.postalias>
| Subject: User Profile Access Denied on Certain Users
| Date: Thu, 15 Sep 2005 08:51:08 -0700
| Lines: 23
| Message-ID: <30A73ED9-53A8-4A90-BA79-21FC6B04756F@microsoft.com>
| MIME-Version: 1.0
| Content-Type: text/plain;
| charset="Utf-8"
| Content-Transfer-Encoding: 7bit
| X-Newsreader: Microsoft CDO for Windows 2000
| Content-Class: urn:content-classes:message
| Importance: normal
| Priority: normal
| X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.0
| Newsgroups: microsoft.public.win2000.security
| NNTP-Posting-Host: TK2MSFTNGXA03.phx.gbl 10.40.2.250
| Path: TK2MSFTNGXA01.phx.gbl!TK2MSFTNGXA03.phx.gbl
| Xref: TK2MSFTNGXA01.phx.gbl microsoft.public.win2000.security:15176
| X-Tomcat-NG: microsoft.public.win2000.security
|
| I am running into a situation where I am getting a few users that have
| roaming profiles, in which I can not access their home directory on the
| server when they are logged in, or even after they log off the network.
|
| Two things have happened that made me notice this.
|
| 1) I needed to remove a user profile from the network since I suspected
that
| it was corrupted. After the user logged of that night, I attempted to
delete
| the folder where their profile was stored. The server said Access Denied
to
| the Domain Admin. When I tried to look at the security, I was told I
could
| view the security or take ownership of the files. In order to finally
remove
| the user profile, I had to go to the domain server, take ownership of the
| files, and finally I could delete the folder.
|
| 2) The second was that I needed to manually move a favorite from one user
to
| another, again, access denied.
|
| What is causing this to suddenly happen?
|
| How can I resolve this?
|
| Thanks
| Smurfman
|
Related resources
Anonymous
a b 8 Security
September 16, 2005 10:33:42 AM

Archived from groups: microsoft.public.win2000.security (More info?)

What you guys are saying make perfect sense. BUT, recall that I said this
only happens to a few users (all of whom are taking the same policies, with
one exception that being I am pushing active desktop settings to two of the
examples.)

But note this as well, this happened last week.

USER1 calls me, says they are having authentication problems getting out
thru the ISA server...I posted this issue also...but in the past I have noted
that something crazy has happened to their profile...not sure what.

I have USER1 log off, I logon as ADMIN, delete the local profile, then
attempt to delete the stored profile on the server.

ACCESS DENIED.

In turn, per my post, I have to take ownership of the files for USER1 as
ADMIN, then I can delete the profile stored on the server.

Now, USER1 logs back in, it creates a new profile, they logoff.

AT THIS POINT, I AS THE ADMIN can access their profile no problem, no
permissions issues.

This is the part that I am having trouble with...?

J

"Ken Zhao [MSFT]" wrote:

> Hello,
>
> Thank you for using newsgroup!
>
> From your post, in fact, some group policy objects are related to the
> roaming profile security setting. You may refer to the following
> configurations:
>
> Computer Configuration\Administrative Templates\System\User Profiles\Add
> the Administrators security group to roaming user profiles
>
> This setting adds the Administrator security group to the roaming user
> profile share. Once an administrator has configured a users' roaming
> profile, the profile will be created at the user's next login. The profile
> is created at the location that is specified by the administrator. For the
> Windows 2000 Professional and Windows XP Professional operating systems,
> the default file permissions for the newly generated profile are full
> control, or read and write access for the user, and no file access for the
> administrators group. By configuring this setting, you can alter this
> behavior. If you enable this setting, the administrator group is also
> given full control to the user's profile folder.
>
> Computer Configuration\Administrative Templates\System\User Profiles\Do not
> check for user ownership of Roaming Profile Folders
>
> This setting disables the more secure default setting for the user's
> roaming user profile folder. Once an administrator has configured a users'
> roaming profile, the profile will be created at the user's next login. The
> profile is created at the location that is specified by the administrator.
> For Windows 2000 Professional pre-SP4 and Windows XP pre-SP1 operating
> systems, the default file permissions for the newly generated profile are
> full control access for the user and no file access for the administrators
> group. No checks are made for the correct permissions if the profile folder
> already exists. For Windows Server 2003 family, Windows 2000 Professional
> SP4 and Windows XP SP1, the default behavior is to check the folder for the
> correct permissions if the profile folder already exists, and not copy
> files to or from the roaming folder if the permissions are not correct. By
> configuring this setting, you can alter this behavior.
>
> For more information, please refer to the following article:
>
> Group Policy Recommendations for Roaming User Profiles: Group Policy
> <http://www.microsoft.com/technet/prodtechnol/windowsser...
> it/9fa19668-626c-463e-9812-fa46e85c787b.mspx>
>
> Security Recommendations for Roaming User Profiles Shared Folders: Group
> Policy
> <http://www.microsoft.com/technet/prodtechnol/windowsser...
> it/20b15453-f7c9-4cf0-9131-78924af77655.mspx>
>
> Hope the information helps!
>
> Thanks & Regards,
>
> Ken Zhao
>
> Microsoft Online Partner Support
> Get Secure! - www.microsoft.com/security
>
> =====================================================
> When responding to posts, please "Reply to Group" via your newsreader so
> that others may learn and benefit from your issue.
> =====================================================
> This posting is provided "AS IS" with no warranties, and confers no rights.
>
>
> Newsgroup Web Interface Upgrade
> Please complete a one-time registration process on your first visit to the
> Partner Portal beginning July 11, 2005 at 9 A.M. PST by entering the secure
> code mspp2005 when prompted. This secure code will be valid for 6 months
> after which you will need to update your registration by entering the new
> secure code. We will post announcements in the newsgroups prior to
> expiration. Once you have entered the secure code mspp2005 , you will be
> able to update your profile and access the the partner newsgroups. Please
> update your Favorites link to the newsgroups web page, your current link
> will redirect until November 1, 2005.
> Please post any comment, questions or concerns to the
> microsoft.private.directaccess.partnerfeedback newsgroup. For more
> information, please go to:
> https://partner.microsoft.com/global/technicalsupport/r...
> 4662
>
>
> --------------------
> | Thread-Topic: User Profile Access Denied on Certain Users
> | thread-index: AcW6DUoKOuLfvjgcQVuUG7wlFa0MTQ==
> | X-WBNR-Posting-Host: 209.217.222.70
> | From: "=?Utf-8?B?U211cmZtYW4=?=" <smurfman@news.postalias>
> | Subject: User Profile Access Denied on Certain Users
> | Date: Thu, 15 Sep 2005 08:51:08 -0700
> | Lines: 23
> | Message-ID: <30A73ED9-53A8-4A90-BA79-21FC6B04756F@microsoft.com>
> | MIME-Version: 1.0
> | Content-Type: text/plain;
> | charset="Utf-8"
> | Content-Transfer-Encoding: 7bit
> | X-Newsreader: Microsoft CDO for Windows 2000
> | Content-Class: urn:content-classes:message
> | Importance: normal
> | Priority: normal
> | X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.0
> | Newsgroups: microsoft.public.win2000.security
> | NNTP-Posting-Host: TK2MSFTNGXA03.phx.gbl 10.40.2.250
> | Path: TK2MSFTNGXA01.phx.gbl!TK2MSFTNGXA03.phx.gbl
> | Xref: TK2MSFTNGXA01.phx.gbl microsoft.public.win2000.security:15176
> | X-Tomcat-NG: microsoft.public.win2000.security
> |
> | I am running into a situation where I am getting a few users that have
> | roaming profiles, in which I can not access their home directory on the
> | server when they are logged in, or even after they log off the network.
> |
> | Two things have happened that made me notice this.
> |
> | 1) I needed to remove a user profile from the network since I suspected
> that
> | it was corrupted. After the user logged of that night, I attempted to
> delete
> | the folder where their profile was stored. The server said Access Denied
> to
> | the Domain Admin. When I tried to look at the security, I was told I
> could
> | view the security or take ownership of the files. In order to finally
> remove
> | the user profile, I had to go to the domain server, take ownership of the
> | files, and finally I could delete the folder.
> |
> | 2) The second was that I needed to manually move a favorite from one user
> to
> | another, again, access denied.
> |
> | What is causing this to suddenly happen?
> |
> | How can I resolve this?
> |
> | Thanks
> | Smurfman
> |
>
>
Anonymous
a b 8 Security
September 16, 2005 10:33:42 AM

Archived from groups: microsoft.public.win2000.security (More info?)

Okay, question in this regard. After my last post I went to last weeks
USER1, tried to open the profile, and I get the access denied message...

BUT, on USER2, whom I was denied access to this week, I can get into the
profile.

See I have never made a setting so that the admin did not have rights to the
profiles, and I can't understand why some profiles I can get into (even for
new users on XP machines created a month ago) and old users created years ago.

I also can't understand why this behavior changes from user to user...?

I will check the two settings you mentioned....but I have never made any
changes to these...to enforce this kind of behavior. One of you mentioned
that in Windows 2000 Pro and XP Pro this was the default behavior. - By
default, are the profiles only locked when the user logs into the domain, or
are they always locked? Even after the user logs out...

J

"Ken Zhao [MSFT]" wrote:

> Hello,
>
> Thank you for using newsgroup!
>
> From your post, in fact, some group policy objects are related to the
> roaming profile security setting. You may refer to the following
> configurations:
>
> Computer Configuration\Administrative Templates\System\User Profiles\Add
> the Administrators security group to roaming user profiles
>
> This setting adds the Administrator security group to the roaming user
> profile share. Once an administrator has configured a users' roaming
> profile, the profile will be created at the user's next login. The profile
> is created at the location that is specified by the administrator. For the
> Windows 2000 Professional and Windows XP Professional operating systems,
> the default file permissions for the newly generated profile are full
> control, or read and write access for the user, and no file access for the
> administrators group. By configuring this setting, you can alter this
> behavior. If you enable this setting, the administrator group is also
> given full control to the user's profile folder.
>
> Computer Configuration\Administrative Templates\System\User Profiles\Do not
> check for user ownership of Roaming Profile Folders
>
> This setting disables the more secure default setting for the user's
> roaming user profile folder. Once an administrator has configured a users'
> roaming profile, the profile will be created at the user's next login. The
> profile is created at the location that is specified by the administrator.
> For Windows 2000 Professional pre-SP4 and Windows XP pre-SP1 operating
> systems, the default file permissions for the newly generated profile are
> full control access for the user and no file access for the administrators
> group. No checks are made for the correct permissions if the profile folder
> already exists. For Windows Server 2003 family, Windows 2000 Professional
> SP4 and Windows XP SP1, the default behavior is to check the folder for the
> correct permissions if the profile folder already exists, and not copy
> files to or from the roaming folder if the permissions are not correct. By
> configuring this setting, you can alter this behavior.
>
> For more information, please refer to the following article:
>
> Group Policy Recommendations for Roaming User Profiles: Group Policy
> <http://www.microsoft.com/technet/prodtechnol/windowsser...
> it/9fa19668-626c-463e-9812-fa46e85c787b.mspx>
>
> Security Recommendations for Roaming User Profiles Shared Folders: Group
> Policy
> <http://www.microsoft.com/technet/prodtechnol/windowsser...
> it/20b15453-f7c9-4cf0-9131-78924af77655.mspx>
>
> Hope the information helps!
>
> Thanks & Regards,
>
> Ken Zhao
>
> Microsoft Online Partner Support
> Get Secure! - www.microsoft.com/security
>
> =====================================================
> When responding to posts, please "Reply to Group" via your newsreader so
> that others may learn and benefit from your issue.
> =====================================================
> This posting is provided "AS IS" with no warranties, and confers no rights.
>
>
> Newsgroup Web Interface Upgrade
> Please complete a one-time registration process on your first visit to the
> Partner Portal beginning July 11, 2005 at 9 A.M. PST by entering the secure
> code mspp2005 when prompted. This secure code will be valid for 6 months
> after which you will need to update your registration by entering the new
> secure code. We will post announcements in the newsgroups prior to
> expiration. Once you have entered the secure code mspp2005 , you will be
> able to update your profile and access the the partner newsgroups. Please
> update your Favorites link to the newsgroups web page, your current link
> will redirect until November 1, 2005.
> Please post any comment, questions or concerns to the
> microsoft.private.directaccess.partnerfeedback newsgroup. For more
> information, please go to:
> https://partner.microsoft.com/global/technicalsupport/r...
> 4662
>
>
> --------------------
> | Thread-Topic: User Profile Access Denied on Certain Users
> | thread-index: AcW6DUoKOuLfvjgcQVuUG7wlFa0MTQ==
> | X-WBNR-Posting-Host: 209.217.222.70
> | From: "=?Utf-8?B?U211cmZtYW4=?=" <smurfman@news.postalias>
> | Subject: User Profile Access Denied on Certain Users
> | Date: Thu, 15 Sep 2005 08:51:08 -0700
> | Lines: 23
> | Message-ID: <30A73ED9-53A8-4A90-BA79-21FC6B04756F@microsoft.com>
> | MIME-Version: 1.0
> | Content-Type: text/plain;
> | charset="Utf-8"
> | Content-Transfer-Encoding: 7bit
> | X-Newsreader: Microsoft CDO for Windows 2000
> | Content-Class: urn:content-classes:message
> | Importance: normal
> | Priority: normal
> | X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.0
> | Newsgroups: microsoft.public.win2000.security
> | NNTP-Posting-Host: TK2MSFTNGXA03.phx.gbl 10.40.2.250
> | Path: TK2MSFTNGXA01.phx.gbl!TK2MSFTNGXA03.phx.gbl
> | Xref: TK2MSFTNGXA01.phx.gbl microsoft.public.win2000.security:15176
> | X-Tomcat-NG: microsoft.public.win2000.security
> |
> | I am running into a situation where I am getting a few users that have
> | roaming profiles, in which I can not access their home directory on the
> | server when they are logged in, or even after they log off the network.
> |
> | Two things have happened that made me notice this.
> |
> | 1) I needed to remove a user profile from the network since I suspected
> that
> | it was corrupted. After the user logged of that night, I attempted to
> delete
> | the folder where their profile was stored. The server said Access Denied
> to
> | the Domain Admin. When I tried to look at the security, I was told I
> could
> | view the security or take ownership of the files. In order to finally
> remove
> | the user profile, I had to go to the domain server, take ownership of the
> | files, and finally I could delete the folder.
> |
> | 2) The second was that I needed to manually move a favorite from one user
> to
> | another, again, access denied.
> |
> | What is causing this to suddenly happen?
> |
> | How can I resolve this?
> |
> | Thanks
> | Smurfman
> |
>
>
Anonymous
a b 8 Security
September 16, 2005 12:11:53 PM

Archived from groups: microsoft.public.win2000.security (More info?)

Notice that the permissions (ownership) of the profile are set when
first used, and the default at time of install of the system was to have
the profiles private. So, if later someone adjust the policies so that
Administrators have a grant, but the account had been used before
that time, they you would see the access denial. But, you also would
see the new profile with grant to Administrators after you have done
as you described, taking ownership and deleting (assuming the policy
was adjusted to grant to Administrators).
IOW you may be dealing with a historical artifact.
--
ra
"Smurfman" <smurfman@news.postalias> wrote in message
news:ACC44B62-E63A-4D81-BC33-F190DBAD6BA2@microsoft.com...
> Okay, question in this regard. After my last post I went to last weeks
> USER1, tried to open the profile, and I get the access denied message...
>
> BUT, on USER2, whom I was denied access to this week, I can get into the
> profile.
>
> See I have never made a setting so that the admin did not have rights to
> the
> profiles, and I can't understand why some profiles I can get into (even
> for
> new users on XP machines created a month ago) and old users created years
> ago.
>
> I also can't understand why this behavior changes from user to user...?
>
> I will check the two settings you mentioned....but I have never made any
> changes to these...to enforce this kind of behavior. One of you mentioned
> that in Windows 2000 Pro and XP Pro this was the default behavior. - By
> default, are the profiles only locked when the user logs into the domain,
> or
> are they always locked? Even after the user logs out...
>
> J
>
> "Ken Zhao [MSFT]" wrote:
>
>> Hello,
>>
>> Thank you for using newsgroup!
>>
>> From your post, in fact, some group policy objects are related to the
>> roaming profile security setting. You may refer to the following
>> configurations:
>>
>> Computer Configuration\Administrative Templates\System\User Profiles\Add
>> the Administrators security group to roaming user profiles
>>
>> This setting adds the Administrator security group to the roaming user
>> profile share. Once an administrator has configured a users' roaming
>> profile, the profile will be created at the user's next login. The
>> profile
>> is created at the location that is specified by the administrator. For
>> the
>> Windows 2000 Professional and Windows XP Professional operating systems,
>> the default file permissions for the newly generated profile are full
>> control, or read and write access for the user, and no file access for
>> the
>> administrators group. By configuring this setting, you can alter this
>> behavior. If you enable this setting, the administrator group is also
>> given full control to the user's profile folder.
>>
>> Computer Configuration\Administrative Templates\System\User Profiles\Do
>> not
>> check for user ownership of Roaming Profile Folders
>>
>> This setting disables the more secure default setting for the user's
>> roaming user profile folder. Once an administrator has configured a
>> users'
>> roaming profile, the profile will be created at the user's next login.
>> The
>> profile is created at the location that is specified by the
>> administrator.
>> For Windows 2000 Professional pre-SP4 and Windows XP pre-SP1 operating
>> systems, the default file permissions for the newly generated profile are
>> full control access for the user and no file access for the
>> administrators
>> group. No checks are made for the correct permissions if the profile
>> folder
>> already exists. For Windows Server 2003 family, Windows 2000 Professional
>> SP4 and Windows XP SP1, the default behavior is to check the folder for
>> the
>> correct permissions if the profile folder already exists, and not copy
>> files to or from the roaming folder if the permissions are not correct.
>> By
>> configuring this setting, you can alter this behavior.
>>
>> For more information, please refer to the following article:
>>
>> Group Policy Recommendations for Roaming User Profiles: Group Policy
>> <http://www.microsoft.com/technet/prodtechnol/windowsser...
>> it/9fa19668-626c-463e-9812-fa46e85c787b.mspx>
>>
>> Security Recommendations for Roaming User Profiles Shared Folders: Group
>> Policy
>> <http://www.microsoft.com/technet/prodtechnol/windowsser...
>> it/20b15453-f7c9-4cf0-9131-78924af77655.mspx>
>>
>> Hope the information helps!
>>
>> Thanks & Regards,
>>
>> Ken Zhao
>>
>> Microsoft Online Partner Support
>> Get Secure! - www.microsoft.com/security
>>
>> =====================================================
>> When responding to posts, please "Reply to Group" via your newsreader so
>> that others may learn and benefit from your issue.
>> =====================================================
>> This posting is provided "AS IS" with no warranties, and confers no
>> rights.
>>
>>
>> Newsgroup Web Interface Upgrade
>> Please complete a one-time registration process on your first visit to
>> the
>> Partner Portal beginning July 11, 2005 at 9 A.M. PST by entering the
>> secure
>> code mspp2005 when prompted. This secure code will be valid for 6 months
>> after which you will need to update your registration by entering the new
>> secure code. We will post announcements in the newsgroups prior to
>> expiration. Once you have entered the secure code mspp2005 , you will be
>> able to update your profile and access the the partner newsgroups. Please
>> update your Favorites link to the newsgroups web page, your current link
>> will redirect until November 1, 2005.
>> Please post any comment, questions or concerns to the
>> microsoft.private.directaccess.partnerfeedback newsgroup. For more
>> information, please go to:
>> https://partner.microsoft.com/global/technicalsupport/r...
>> 4662
>>
>>
>> --------------------
>> | Thread-Topic: User Profile Access Denied on Certain Users
>> | thread-index: AcW6DUoKOuLfvjgcQVuUG7wlFa0MTQ==
>> | X-WBNR-Posting-Host: 209.217.222.70
>> | From: "=?Utf-8?B?U211cmZtYW4=?=" <smurfman@news.postalias>
>> | Subject: User Profile Access Denied on Certain Users
>> | Date: Thu, 15 Sep 2005 08:51:08 -0700
>> | Lines: 23
>> | Message-ID: <30A73ED9-53A8-4A90-BA79-21FC6B04756F@microsoft.com>
>> | MIME-Version: 1.0
>> | Content-Type: text/plain;
>> | charset="Utf-8"
>> | Content-Transfer-Encoding: 7bit
>> | X-Newsreader: Microsoft CDO for Windows 2000
>> | Content-Class: urn:content-classes:message
>> | Importance: normal
>> | Priority: normal
>> | X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.0
>> | Newsgroups: microsoft.public.win2000.security
>> | NNTP-Posting-Host: TK2MSFTNGXA03.phx.gbl 10.40.2.250
>> | Path: TK2MSFTNGXA01.phx.gbl!TK2MSFTNGXA03.phx.gbl
>> | Xref: TK2MSFTNGXA01.phx.gbl microsoft.public.win2000.security:15176
>> | X-Tomcat-NG: microsoft.public.win2000.security
>> |
>> | I am running into a situation where I am getting a few users that have
>> | roaming profiles, in which I can not access their home directory on the
>> | server when they are logged in, or even after they log off the network.
>> |
>> | Two things have happened that made me notice this.
>> |
>> | 1) I needed to remove a user profile from the network since I suspected
>> that
>> | it was corrupted. After the user logged of that night, I attempted to
>> delete
>> | the folder where their profile was stored. The server said Access
>> Denied
>> to
>> | the Domain Admin. When I tried to look at the security, I was told I
>> could
>> | view the security or take ownership of the files. In order to finally
>> remove
>> | the user profile, I had to go to the domain server, take ownership of
>> the
>> | files, and finally I could delete the folder.
>> |
>> | 2) The second was that I needed to manually move a favorite from one
>> user
>> to
>> | another, again, access denied.
>> |
>> | What is causing this to suddenly happen?
>> |
>> | How can I resolve this?
>> |
>> | Thanks
>> | Smurfman
>> |
>>
>>
Anonymous
a b 8 Security
September 19, 2005 2:59:53 PM

Archived from groups: microsoft.public.win2000.security (More info?)

Hi Roger,

Thanks for your notifications!

Thanks & Regards,

Ken Zhao

Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security

=====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.


Newsgroup Web Interface Upgrade
Please complete a one-time registration process on your first visit to the
Partner Portal beginning July 11, 2005 at 9 A.M. PST by entering the secure
code mspp2005 when prompted. This secure code will be valid for 6 months
after which you will need to update your registration by entering the new
secure code. We will post announcements in the newsgroups prior to
expiration. Once you have entered the secure code mspp2005 , you will be
able to update your profile and access the the partner newsgroups. Please
update your Favorites link to the newsgroups web page, your current link
will redirect until November 1, 2005.
Please post any comment, questions or concerns to the
microsoft.private.directaccess.partnerfeedback newsgroup. For more
information, please go to:
https://partner.microsoft.com/global/technicalsupport/r...
4662


--------------------
| From: "Roger Abell [MVP]" <mvpNoSpam@asu.edu>
| References: <30A73ED9-53A8-4A90-BA79-21FC6B04756F@microsoft.com>
<o40PZiouFHA.1080@TK2MSFTNGXA01.phx.gbl>
<ACC44B62-E63A-4D81-BC33-F190DBAD6BA2@microsoft.com>
| Subject: Re: User Profile Access Denied on Certain Users
| Date: Fri, 16 Sep 2005 08:11:53 -0700
| Lines: 197
| X-Priority: 3
| X-MSMail-Priority: Normal
| X-Newsreader: Microsoft Outlook Express 6.00.2900.2670
| X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2670
| X-RFC2646: Format=Flowed; Original
| Message-ID: <OtbK7DtuFHA.3256@TK2MSFTNGP09.phx.gbl>
| Newsgroups: microsoft.public.win2000.security
| NNTP-Posting-Host: ppp_149_169_167_96.inre.asu.edu 149.169.167.96
| Path: TK2MSFTNGXA01.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP09.phx.gbl
| Xref: TK2MSFTNGXA01.phx.gbl microsoft.public.win2000.security:15193
| X-Tomcat-NG: microsoft.public.win2000.security
|
| Notice that the permissions (ownership) of the profile are set when
| first used, and the default at time of install of the system was to have
| the profiles private. So, if later someone adjust the policies so that
| Administrators have a grant, but the account had been used before
| that time, they you would see the access denial. But, you also would
| see the new profile with grant to Administrators after you have done
| as you described, taking ownership and deleting (assuming the policy
| was adjusted to grant to Administrators).
| IOW you may be dealing with a historical artifact.
| --
| ra
| "Smurfman" <smurfman@news.postalias> wrote in message
| news:ACC44B62-E63A-4D81-BC33-F190DBAD6BA2@microsoft.com...
| > Okay, question in this regard. After my last post I went to last weeks
| > USER1, tried to open the profile, and I get the access denied message...
| >
| > BUT, on USER2, whom I was denied access to this week, I can get into the
| > profile.
| >
| > See I have never made a setting so that the admin did not have rights
to
| > the
| > profiles, and I can't understand why some profiles I can get into (even
| > for
| > new users on XP machines created a month ago) and old users created
years
| > ago.
| >
| > I also can't understand why this behavior changes from user to user...?
| >
| > I will check the two settings you mentioned....but I have never made any
| > changes to these...to enforce this kind of behavior. One of you
mentioned
| > that in Windows 2000 Pro and XP Pro this was the default behavior. - By
| > default, are the profiles only locked when the user logs into the
domain,
| > or
| > are they always locked? Even after the user logs out...
| >
| > J
| >
| > "Ken Zhao [MSFT]" wrote:
| >
| >> Hello,
| >>
| >> Thank you for using newsgroup!
| >>
| >> From your post, in fact, some group policy objects are related to the
| >> roaming profile security setting. You may refer to the following
| >> configurations:
| >>
| >> Computer Configuration\Administrative Templates\System\User
Profiles\Add
| >> the Administrators security group to roaming user profiles
| >>
| >> This setting adds the Administrator security group to the roaming user
| >> profile share. Once an administrator has configured a users' roaming
| >> profile, the profile will be created at the user's next login. The
| >> profile
| >> is created at the location that is specified by the administrator.
For
| >> the
| >> Windows 2000 Professional and Windows XP Professional operating
systems,
| >> the default file permissions for the newly generated profile are full
| >> control, or read and write access for the user, and no file access for
| >> the
| >> administrators group. By configuring this setting, you can alter this
| >> behavior. If you enable this setting, the administrator group is also
| >> given full control to the user's profile folder.
| >>
| >> Computer Configuration\Administrative Templates\System\User
Profiles\Do
| >> not
| >> check for user ownership of Roaming Profile Folders
| >>
| >> This setting disables the more secure default setting for the user's
| >> roaming user profile folder. Once an administrator has configured a
| >> users'
| >> roaming profile, the profile will be created at the user's next login.
| >> The
| >> profile is created at the location that is specified by the
| >> administrator.
| >> For Windows 2000 Professional pre-SP4 and Windows XP pre-SP1 operating
| >> systems, the default file permissions for the newly generated profile
are
| >> full control access for the user and no file access for the
| >> administrators
| >> group. No checks are made for the correct permissions if the profile
| >> folder
| >> already exists. For Windows Server 2003 family, Windows 2000
Professional
| >> SP4 and Windows XP SP1, the default behavior is to check the folder
for
| >> the
| >> correct permissions if the profile folder already exists, and not copy
| >> files to or from the roaming folder if the permissions are not
correct.
| >> By
| >> configuring this setting, you can alter this behavior.
| >>
| >> For more information, please refer to the following article:
| >>
| >> Group Policy Recommendations for Roaming User Profiles: Group Policy
| >>
<http://www.microsoft.com/technet/prodtechnol/windowsser...
| >> it/9fa19668-626c-463e-9812-fa46e85c787b.mspx>
| >>
| >> Security Recommendations for Roaming User Profiles Shared Folders:
Group
| >> Policy
| >>
<http://www.microsoft.com/technet/prodtechnol/windowsser...
| >> it/20b15453-f7c9-4cf0-9131-78924af77655.mspx>
| >>
| >> Hope the information helps!
| >>
| >> Thanks & Regards,
| >>
| >> Ken Zhao
| >>
| >> Microsoft Online Partner Support
| >> Get Secure! - www.microsoft.com/security
| >>
| >> =====================================================
| >> When responding to posts, please "Reply to Group" via your newsreader
so
| >> that others may learn and benefit from your issue.
| >> =====================================================
| >> This posting is provided "AS IS" with no warranties, and confers no
| >> rights.
| >>
| >>
| >> Newsgroup Web Interface Upgrade
| >> Please complete a one-time registration process on your first visit to
| >> the
| >> Partner Portal beginning July 11, 2005 at 9 A.M. PST by entering the
| >> secure
| >> code mspp2005 when prompted. This secure code will be valid for 6
months
| >> after which you will need to update your registration by entering the
new
| >> secure code. We will post announcements in the newsgroups prior to
| >> expiration. Once you have entered the secure code mspp2005 , you will
be
| >> able to update your profile and access the the partner newsgroups.
Please
| >> update your Favorites link to the newsgroups web page, your current
link
| >> will redirect until November 1, 2005.
| >> Please post any comment, questions or concerns to the
| >> microsoft.private.directaccess.partnerfeedback newsgroup. For more
| >> information, please go to:
| >>
https://partner.microsoft.com/global/technicalsupport/r...
| >> 4662
| >>
| >>
| >> --------------------
| >> | Thread-Topic: User Profile Access Denied on Certain Users
| >> | thread-index: AcW6DUoKOuLfvjgcQVuUG7wlFa0MTQ==
| >> | X-WBNR-Posting-Host: 209.217.222.70
| >> | From: "=?Utf-8?B?U211cmZtYW4=?=" <smurfman@news.postalias>
| >> | Subject: User Profile Access Denied on Certain Users
| >> | Date: Thu, 15 Sep 2005 08:51:08 -0700
| >> | Lines: 23
| >> | Message-ID: <30A73ED9-53A8-4A90-BA79-21FC6B04756F@microsoft.com>
| >> | MIME-Version: 1.0
| >> | Content-Type: text/plain;
| >> | charset="Utf-8"
| >> | Content-Transfer-Encoding: 7bit
| >> | X-Newsreader: Microsoft CDO for Windows 2000
| >> | Content-Class: urn:content-classes:message
| >> | Importance: normal
| >> | Priority: normal
| >> | X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.0
| >> | Newsgroups: microsoft.public.win2000.security
| >> | NNTP-Posting-Host: TK2MSFTNGXA03.phx.gbl 10.40.2.250
| >> | Path: TK2MSFTNGXA01.phx.gbl!TK2MSFTNGXA03.phx.gbl
| >> | Xref: TK2MSFTNGXA01.phx.gbl microsoft.public.win2000.security:15176
| >> | X-Tomcat-NG: microsoft.public.win2000.security
| >> |
| >> | I am running into a situation where I am getting a few users that
have
| >> | roaming profiles, in which I can not access their home directory on
the
| >> | server when they are logged in, or even after they log off the
network.
| >> |
| >> | Two things have happened that made me notice this.
| >> |
| >> | 1) I needed to remove a user profile from the network since I
suspected
| >> that
| >> | it was corrupted. After the user logged of that night, I attempted
to
| >> delete
| >> | the folder where their profile was stored. The server said Access
| >> Denied
| >> to
| >> | the Domain Admin. When I tried to look at the security, I was told I
| >> could
| >> | view the security or take ownership of the files. In order to
finally
| >> remove
| >> | the user profile, I had to go to the domain server, take ownership
of
| >> the
| >> | files, and finally I could delete the folder.
| >> |
| >> | 2) The second was that I needed to manually move a favorite from one
| >> user
| >> to
| >> | another, again, access denied.
| >> |
| >> | What is causing this to suddenly happen?
| >> |
| >> | How can I resolve this?
| >> |
| >> | Thanks
| >> | Smurfman
| >> |
| >>
| >>
|
|
|
!