Administrators' profiles deleted when having Guest status

  • Thread starter Thread starter Baboon
  • Start date Start date
B

Baboon

Our solution for preventing users from leaving behind profiles on lab
machines has been to add the Domain Users group to the Guests group on those
machines. As long as a user was a member of the Administrators group on the
machine, that user's profile would not be deleted.

I just discovered that with Vista, even Adminstrators' profiles are deleted
in this scenario (of course I mean users with admin rights who are Domain
Users). This happens even if the admin user's profile existed before adding
Domain Users to the Guest group.

I don't know of a Group Policy setting that will delete user profiles, other
than for roaming ones. Can anyone think of a solution for this?

(Fortunately Vista has volume shadow copies of everything by default, so I
was able to restore the important files from my profile after it was deleted!)
 
Hi,

Thank you for posting.

I have tested this issue on my Windows Vista machine and I can reproduce
this issue:

If an domain user belongs to both Domain Guests group and a client's local
Administrators group, when logging on this user account on the client, a
temporarily user profile is created. When logging off this account, this
user profile will be deleted.

It is not recommended to add Domain Users group to (Domain) Guests group.

Now if you would like to prevent users from leaving behind profiles on
clients while preserve administrator profiles, you can use the following
method:

1. For non- clients' administrator domain users, add them to Domain Guests
group. When logging on them on clients, only temporarily profiles will be
created

2. For clients' administrator domain users, add them to clients' local
Administrators group. When logging on them on clients, permanent profiles
will be created.

If anything in my e-mail is unclear or you need further help, don't
hesitate to let me know.

Sincerely,
Tim Quan
Microsoft Online Community Support

==================================================
Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notif
ications.

With newsgroups, MSDN subscribers enjoy unlimited, free support as opposed
to the limited number of phone-based technical support incidents. Complex
issues or server-down situations are not recommended for the newsgroups.
Issues of this nature are best handled working with a Microsoft Support
Engineer using one of your phone-based incidents.
==================================================

This posting is provided "AS IS" with no warranties, and confers no rights.
 
Thanks for the quick and clear reponse.

That solution would not work, as we have potentially 10,000 domain users who
would use those machines. If I could put all of the non admin users into a
group that is exactly what I would have done, but there are just too many.
 
Hi,

Thank you for the reply.

I understand it is time-consuming. However, I am afraid that you have to do
so manually since this is the only way to resolve this issue at the current
situation .

Sincerely,
Tim Quan
Microsoft Online Community Support

==================================================
Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notif
ications.

With newsgroups, MSDN subscribers enjoy unlimited, free support as opposed
to the limited number of phone-based technical support incidents. Complex
issues or server-down situations are not recommended for the newsgroups.
Issues of this nature are best handled working with a Microsoft Support
Engineer using one of your phone-based incidents.
==================================================

This posting is provided "AS IS" with no warranties, and confers no rights.
 
Back
Top