Help with roaming profiles


Lee Cooper

Hi

I wonder if any of you guys/girls can help.

We are running a Novell Netware 6 network with Windows 2000 client machines using Volatile Dynamic Local Users.

Our problem is that on our machines when the users log in, the user's hive security is being changed.

Example Bad Machine:

If you check the ACL in ntuser.dat using regedt32 it shows the security settings are (Administrators: Full Control, System: Full Control, Everyone: Full Control).

When you log in to a faulty machine you wouldn't immediately notice any problems with your profile. This is because the DACL on the registry key (HKEY_CURRENT_USER) has been changed to contain the access control entry for your username. The machine also removes the access control entry for the Everyone group. This leaves the permissions on the registry key set as follows.

Administrators: Full Control
System: Full Control
UserName: Full Control

When the user logs out of the machine the local user account is removed from the machine and the profile written back to the server with the new settings.

Say a user has used their machine the previous day and the profile has been corrupted (see above). The user has got back to work the next day and tried to log in. The user would then be faced with all of the symptoms regarding a corrupted profile.

What in fact has happened is that the user now no longer has the rights to see the registry key which is stored in the file NTUSER.DAT. This is because the machine has removed the user account when the user logged out previously and now doesn't know who the user is referenced in the Security Descriptor of the registry key in the NTUSER.DAT file. The permissions now look like this.

Administrators: Full Control
System: Full Control
S-1-5-21-704....: Full Control

When the user has logged back in to the machine the user account has been created again, which means it will have a different SID associated with it. By looking at the DACL on the registry key we can see that the only people who can see this key once loaded are Administrators and the SID which cannot be resolved. This shows that the user cannot see any of their roaming profile which is where the user's personal settings are stored.

This doesn't happen every time you use a machine but as we have upwards of 10,000 users you can imagine it is a BIG problem.

We are using all the latest updates to the machines (just imaged them for start of term) up to Novell Client 4.83 SP2 E and ZenWorks 3.2.

When the permissions are not changed on the Registry hive the users are not having any other problems at all.

Any help would be appreciated as we feel we are banging our heads against a brick wall.

Cheers
Lee Cooper
 
On Novell's website you find a tool named "regperm". Use this tool to correct the permissions after you are logged in, e.g. via NetInstall.

User logs on, permissions are changed... User is logged on, you change it back. Good settings are written back to the server.
 
Thanks Holger

We will be giving this a try next week. We appreciate the help.

Lee Cooper
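
Added example (not part of the thread, and not Novell's regperm tool): a Python check for the failure described in the first post, run over the SDDL string of the hive's root key, for instance as PowerShell's `(Get-Acl HKCU:\).Sddl` returns it. The SIDs, the SDDL strings and the function names are constructed for illustration, and the check assumes a non-administrator user and looks only at access-allowed ACEs.

```python
import re

# Two-letter SDDL aliases for the well-known trustees named in the post.
ALIASES = {"BA": "S-1-5-32-544",  # BUILTIN\Administrators
           "SY": "S-1-5-18",      # Local System
           "WD": "S-1-1-0"}       # Everyone
EVERYONE = "S-1-1-0"

# Constructed sample data: the account SID before and after the volatile
# local user was deleted and recreated, and two states of the hive DACL.
OLD_SID = "S-1-5-21-1111111111-2222222222-3333333333-1005"
NEW_SID = "S-1-5-21-1111111111-2222222222-3333333333-1006"
WITH_EVERYONE = "O:BAG:SYD:(A;CI;KA;;;BA)(A;CI;KA;;;SY)(A;CI;KA;;;WD)"
REWRITTEN = "O:BAG:SYD:(A;CI;KA;;;BA)(A;CI;KA;;;SY)(A;CI;KA;;;" + OLD_SID + ")"


def dacl_allow_sids(sddl):
    """Return the trustee SID of every access-allowed ACE in the DACL."""
    m = re.search(r"D:[A-Z]*((?:\([^()]*\))+)", sddl)
    sids = []
    for body in re.findall(r"\(([^()]*)\)", m.group(1) if m else ""):
        fields = body.split(";")  # type;flags;rights;guid;guid;trustee
        if len(fields) >= 6 and fields[0] == "A":
            sids.append(ALIASES.get(fields[5], fields[5]))
    return sids


def audit_hive_dacl(sddl, user_sid):
    """Flag the two symptoms from the post for a non-administrator user."""
    allowed = dacl_allow_sids(sddl)
    # Any account SID other than the current user's is reported as stale.
    findings = ["stale-account-sid:" + s for s in allowed
                if s.startswith("S-1-5-21-") and s != user_sid]
    if user_sid not in allowed and EVERYONE not in allowed:
        findings.append("user-has-no-access")
    return findings


if __name__ == "__main__":
    for label, sddl, sid in [("Everyone ACE present", WITH_EVERYONE, NEW_SID),
                             ("same session", REWRITTEN, OLD_SID),
                             ("next logon", REWRITTEN, NEW_SID)]:
        print(label, "->", audit_hive_dacl(sddl, sid) or "ok")
```

Run against each profile before it is written back to the server, a non-empty result marks a hive that will fail to load for the recreated account.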
 