User Profile Access Denied on Certain Users

Guest
Archived from groups: microsoft.public.win2000.security

I am running into a situation where I am getting a few users that have
roaming profiles, in which I can not access their home directory on the
server when they are logged in, or even after they log off the network.

Two things have happened that made me notice this.

1) I needed to remove a user profile from the network since I suspected that
it was corrupted. After the user logged off that night, I attempted to delete
the folder where their profile was stored. The server said Access Denied to
the Domain Admin. When I tried to look at the security, I was told I could
view the security or take ownership of the files. In order to finally remove
the user profile, I had to go to the domain server, take ownership of the
files, and finally I could delete the folder.

2) The second was that I needed to manually move a favorite from one user to
another, again, access denied.

What is causing this to suddenly happen?

How can I resolve this?

Thanks
Smurfman
 
Guest

Profiles are often considered user private storage space.
As such, you often will see them set into the ownership of
the account whose profile they are, and with a grant of full
control to that account only.

Reading your post, I was saying to myself, yes, ok, you are
describing how it is when the profile is account private.
Are you seeing something wrong with this?

There is a policy available in group policy that will make
Administrators also have grants on the profiles.
 
Guest

Hello,

Thank you for using newsgroup!

From your post, in fact, some group policy objects are related to the
roaming profile security setting. You may refer to the following
configurations:

Computer Configuration\Administrative Templates\System\User Profiles\Add the Administrators security group to roaming user profiles

This setting adds the Administrator security group to the roaming user
profile share. Once an administrator has configured a user's roaming
profile, the profile will be created at the user's next login. The profile
is created at the location that is specified by the administrator. For the
Windows 2000 Professional and Windows XP Professional operating systems,
the default file permissions for the newly generated profile are full
control, or read and write access for the user, and no file access for the
administrators group. By configuring this setting, you can alter this
behavior. If you enable this setting, the administrator group is also
given full control to the user's profile folder.

Computer Configuration\Administrative Templates\System\User Profiles\Do not check for user ownership of Roaming Profile Folders

This setting disables the more secure default setting for the user's
roaming user profile folder. Once an administrator has configured a user's
roaming profile, the profile will be created at the user's next login. The
profile is created at the location that is specified by the administrator.
For Windows 2000 Professional pre-SP4 and Windows XP pre-SP1 operating
systems, the default file permissions for the newly generated profile are
full control access for the user and no file access for the administrators
group. No checks are made for the correct permissions if the profile folder
already exists. For Windows Server 2003 family, Windows 2000 Professional
SP4 and Windows XP SP1, the default behavior is to check the folder for the
correct permissions if the profile folder already exists, and not copy
files to or from the roaming folder if the permissions are not correct. By
configuring this setting, you can alter this behavior.

For more information, please refer to the following article:

Group Policy Recommendations for Roaming User Profiles: Group Policy
<http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/DepKit/9fa19668-626c-463e-9812-fa46e85c787b.mspx>

Security Recommendations for Roaming User Profiles Shared Folders: Group Policy
<http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/DepKit/20b15453-f7c9-4cf0-9131-78924af77655.mspx>

Hope the information helps!

Thanks & Regards,

Ken Zhao

Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security

=====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.


Newsgroup Web Interface Upgrade
Please complete a one-time registration process on your first visit to the
Partner Portal beginning July 11, 2005 at 9 A.M. PST by entering the secure
code mspp2005 when prompted. This secure code will be valid for 6 months
after which you will need to update your registration by entering the new
secure code. We will post announcements in the newsgroups prior to
expiration. Once you have entered the secure code mspp2005, you will be
able to update your profile and access the partner newsgroups. Please
update your Favorites link to the newsgroups web page, your current link
will redirect until November 1, 2005.
Please post any comment, questions or concerns to the
microsoft.private.directaccess.partnerfeedback newsgroup. For more
information, please go to:
https://partner.microsoft.com/global/technicalsupport/registeredsupport/40014662


 
Guest

What you guys are saying makes perfect sense. BUT, recall that I said this
only happens to a few users (all of whom are taking the same policies, with
one exception that being I am pushing active desktop settings to two of the
examples.)

But note this as well, this happened last week.

USER1 calls me, says they are having authentication problems getting out
thru the ISA server...I posted this issue also...but in the past I have noted
that something crazy has happened to their profile...not sure what.

I have USER1 log off, I logon as ADMIN, delete the local profile, then
attempt to delete the stored profile on the server.

ACCESS DENIED.

In turn, per my post, I have to take ownership of the files for USER1 as
ADMIN, then I can delete the profile stored on the server.

Now, USER1 logs back in, it creates a new profile, they logoff.

AT THIS POINT, I AS THE ADMIN can access their profile no problem, no
permissions issues.

This is the part that I am having trouble with...?

J
 
Guest

Okay, question in this regard. After my last post I went to last week's
USER1, tried to open the profile, and I get the access denied message...

BUT, on USER2, whom I was denied access to this week, I can get into the
profile.

See I have never made a setting so that the admin did not have rights to the
profiles, and I can't understand why some profiles I can get into (even for
new users on XP machines created a month ago) and old users created years ago.

I also can't understand why this behavior changes from user to user...?

I will check the two settings you mentioned....but I have never made any
changes to these...to enforce this kind of behavior. One of you mentioned
that in Windows 2000 Pro and XP Pro this was the default behavior. - By
default, are the profiles only locked when the user logs into the domain, or
are they always locked? Even after the user logs out...

J
 
Guest

Notice that the permissions (ownership) of the profile are set when
first used, and the default at time of install of the system was to have
the profiles private. So, if later someone adjusts the policies so that
Administrators have a grant, but the account had been used before
that time, then you would see the access denial. But, you also would
see the new profile with grant to Administrators after you have done
as you described, taking ownership and deleting (assuming the policy
was adjusted to grant to Administrators).
IOW you may be dealing with a historical artifact.
--
ra
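
Added example, not part of the original thread: a PowerShell audit that lists each roaming profile folder with its creation time, owner and any Allow grant to BUILTIN\Administrators, so profiles created before and after the "Add the Administrators security group to roaming user profiles" policy can be told apart. The share path `\\server\profiles$` and the function name are hypothetical; run it from an account that can list the share root.

```powershell
# Added example, not from the thread. Audits each roaming profile folder for
# its owner and for an Allow ACE granted to BUILTIN\Administrators.
param(
    # Assumption: hypothetical UNC path of the roaming profile share.
    [string]$ProfileRoot = '\\server\profiles$'
)

# Well-known SID of BUILTIN\Administrators (independent of display language).
$AdminSid = 'S-1-5-32-544'
$SidType  = [System.Security.Principal.SecurityIdentifier]

function Get-ProfileAclStatus {
    param([Parameter(Mandatory)][System.IO.DirectoryInfo]$Folder)

    $status = [ordered]@{
        Profile      = $Folder.Name
        Created      = $Folder.CreationTime
        Owner        = '(unreadable)'
        AdminsRights = 'none'
        Note         = ''
    }
    try {
        $acl = Get-Acl -LiteralPath $Folder.FullName -ErrorAction Stop
        $status.Owner = $acl.Owner

        # All ACEs, explicit and inherited, with identities returned as SIDs
        # so the comparison does not depend on name resolution.
        $adminAces = $acl.GetAccessRules($true, $true, $SidType) | Where-Object {
            $_.IdentityReference.Value -eq $AdminSid -and
            $_.AccessControlType -eq 'Allow'
        }
        if ($adminAces) {
            $status.AdminsRights = ($adminAces.FileSystemRights | Sort-Object -Unique) -join '; '
        } else {
            $status.Note = 'private profile: no grant to Administrators'
        }
    }
    catch {
        # A private profile may refuse even reading the ACL; record the error
        # and keep going instead of aborting the whole audit.
        $status.Note = "ACL not readable: $($_.Exception.Message)"
    }
    [pscustomobject]$status
}

# Sorting by creation time puts profiles that predate a policy change first.
Get-ChildItem -LiteralPath $ProfileRoot -Directory |
    ForEach-Object { Get-ProfileAclStatus -Folder $_ } |
    Sort-Object Created |
    Format-Table -AutoSize
```

Folders that show no Administrators grant alongside an older creation date fit the case where the profile was first used before the policy was enabled.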
 
Guest

Hi Roger,

Thanks for your notifications!

Thanks & Regards,

Ken Zhao

Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security



--------------------
| From: "Roger Abell [MVP]" <mvpNoSpam@asu.edu>
| Subject: Re: User Profile Access Denied on Certain Users
| Date: Fri, 16 Sep 2005 08:11:53 -0700
|
| Notice that the permissions (ownership) of the profile are set when
| first used, and the default at time of install of the system was to have
| the profiles private. So, if later someone adjusts the policies so that
| Administrators have a grant, but the account had been used before
| that time, then you would see the access denial. But, you also would
| see the new profile with grant to Administrators after you have done
| as you described, taking ownership and deleting (assuming the policy
| was adjusted to grant to Administrators).
| IOW you may be dealing with a historical artifact.
| --
| ra
| "Smurfman" <smurfman@news.postalias> wrote in message
| news:ACC44B62-E63A-4D81-BC33-F190DBAD6BA2@microsoft.com...
| > Okay, question in this regard. After my last post I went to last week's
| > USER1, tried to open the profile, and I get the access denied message...
| >
| > BUT, on USER2, whom I was denied access to this week, I can get into the
| > profile.
| >
| > See I have never made a setting so that the admin did not have rights to the
| > profiles, and I can't understand why some profiles I can get into (even for
| > new users on XP machines created a month ago) and old users created years
| > ago.
| >
| > I also can't understand why this behavior changes from user to user...?
| >
| > I will check the two settings you mentioned....but I have never made any
| > changes to these...to enforce this kind of behavior. One of you mentioned
| > that in Windows 2000 Pro and XP Pro this was the default behavior. - By
| > default, are the profiles only locked when the user logs into the domain, or
| > are they always locked? Even after the user logs out...
| >
| > J
| >
| > "Ken Zhao [MSFT]" wrote:
| >
| >> Hello,
| >>
| >> Thank you for using newsgroup!
| >>
| >> From your post, in fact, some group policy objects are related to the
| >> roaming profile security setting. You may refer to the following
| >> configurations:
| >>
| >> Computer Configuration\Administrative Templates\System\User Profiles\Add the Administrators security group to roaming user profiles
| >>
| >> This setting adds the Administrator security group to the roaming user
| >> profile share. Once an administrator has configured a user's roaming
| >> profile, the profile will be created at the user's next login. The profile
| >> is created at the location that is specified by the administrator. For the
| >> Windows 2000 Professional and Windows XP Professional operating systems,
| >> the default file permissions for the newly generated profile are full
| >> control, or read and write access for the user, and no file access for the
| >> administrators group. By configuring this setting, you can alter this
| >> behavior. If you enable this setting, the administrator group is also
| >> given full control to the user's profile folder.
| >>
| >> Computer Configuration\Administrative Templates\System\User Profiles\Do not check for user ownership of Roaming Profile Folders
| >>
| >> This setting disables the more secure default setting for the user's
| >> roaming user profile folder. Once an administrator has configured a user's
| >> roaming profile, the profile will be created at the user's next login. The
| >> profile is created at the location that is specified by the administrator.
| >> For Windows 2000 Professional pre-SP4 and Windows XP pre-SP1 operating
| >> systems, the default file permissions for the newly generated profile are
| >> full control access for the user and no file access for the administrators
| >> group. No checks are made for the correct permissions if the profile folder
| >> already exists. For Windows Server 2003 family, Windows 2000 Professional
| >> SP4 and Windows XP SP1, the default behavior is to check the folder for the
| >> correct permissions if the profile folder already exists, and not copy
| >> files to or from the roaming folder if the permissions are not correct. By
| >> configuring this setting, you can alter this behavior.
| >>
| >> For more information, please refer to the following article:
| >>
| >> Group Policy Recommendations for Roaming User Profiles: Group Policy
| >> <http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/DepKit/9fa19668-626c-463e-9812-fa46e85c787b.mspx>
| >>
| >> Security Recommendations for Roaming User Profiles Shared Folders: Group Policy
| >> <http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/DepKit/20b15453-f7c9-4cf0-9131-78924af77655.mspx>
| >>
| >> Hope the information helps!
| >>
| >> Thanks & Regards,
| >>
| >> Ken Zhao
| >>
| >> Microsoft Online Partner Support
| >> Get Secure! - www.microsoft.com/security
| >>
| >>
| >>
| >> --------------------
| >> | From: "Smurfman" <smurfman@news.postalias>
| >> | Subject: User Profile Access Denied on Certain Users
| >> | Date: Thu, 15 Sep 2005 08:51:08 -0700
| >> |
| >> | I am running into a situation where I am getting a few users that have
| >> | roaming profiles, in which I can not access their home directory on the
| >> | server when they are logged in, or even after they log off the network.
| >> |
| >> | Two things have happened that made me notice this.
| >> |
| >> | 1) I needed to remove a user profile from the network since I suspected that
| >> | it was corrupted. After the user logged off that night, I attempted to delete
| >> | the folder where their profile was stored. The server said Access Denied to
| >> | the Domain Admin. When I tried to look at the security, I was told I could
| >> | view the security or take ownership of the files. In order to finally remove
| >> | the user profile, I had to go to the domain server, take ownership of the
| >> | files, and finally I could delete the folder.
| >> |
| >> | 2) The second was that I needed to manually move a favorite from one user to
| >> | another, again, access denied.
| >> |
| >> | What is causing this to suddenly happen?
| >> |
| >> | How can I resolve this?
| >> |
| >> | Thanks
| >> | Smurfman
| >> |
| >>
| >>
|
|
|
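
The thread's explanation is that a profile folder's permissions are set when the profile is first used, so one share can hold both user-private folders and folders that carry the Administrators grant. The audit below lists which is which. It is an added example, not part of the thread, written in PowerShell (which postdates the Windows 2000 systems discussed) and assuming a hypothetical share path `\\SERVER\Profiles$`.

```powershell
# Added example (not from the thread): audit roaming profile folders for the
# Administrators grant. The share path below is a hypothetical placeholder.
param([string]$ProfileRoot = '\\SERVER\Profiles$')

# BUILTIN\Administrators by well-known SID, so the check does not depend on
# the localized group name.
$adminSid = 'S-1-5-32-544'
$full = [System.Security.AccessControl.FileSystemRights]::FullControl

function Get-ProfileAclStatus {
    param([System.IO.DirectoryInfo]$Folder)
    $row = [pscustomobject]@{
        Profile = $Folder.Name; Owner = $null; AdminsFullControl = $false; Status = 'OK'
    }
    try {
        $acl = Get-Acl -LiteralPath $Folder.FullName -ErrorAction Stop
    } catch {
        # A user-private profile can deny even reading the ACL; record the
        # error for this folder and keep going instead of aborting the audit.
        $row.Status = "ACL unreadable: $($_.Exception.Message)"
        return $row
    }
    $row.Owner = $acl.Owner
    # Request SIDs rather than account names; include explicit and inherited entries.
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($rule in $rules) {
        if ($rule.IdentityReference.Value -eq $adminSid -and
            $rule.AccessControlType -eq 'Allow' -and
            ($rule.FileSystemRights -band $full) -eq $full) {
            $row.AdminsFullControl = $true
        }
    }
    if (-not $row.AdminsFullControl) { $row.Status = 'No Administrators full-control grant' }
    return $row
}

Get-ChildItem -LiteralPath $ProfileRoot -Directory |
    ForEach-Object { Get-ProfileAclStatus -Folder $_ } |
    Sort-Object Status, Profile |
    Format-Table -AutoSize
```

Folders reported as unreadable or lacking the grant are the ones where an administrator would hit the access denial described in the thread.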