Re: [Samba] User can only login as admin, group policy fails the logon otherwise
On 6/2/2012 12:37 PM, Michael B. Trausch wrote: I have a Samba 3.5 server that services seven Windows 7 computers. When the setup was originally installed, all workstations were independent systems and so all users had local administrative privilege. I have removed admin rights from all users but one. This user has a problem. We'll call the user 'dmc' though that isn't his real username. In any event, dmc is a member of the local Administrators group on his assigned workstation. I've tried a few times in the past to remove his admin rights, but when I do so, he is unable to login with an error about Group Policy failing the logon, access is denied. If I restore the admin rights, the user can logon successfully. The user cannot logon to any other workstation on the network. I did not encounter this problem with any other user, so this is definitely unique to dmc. According to everything that I can find via Google, the generally accepted solution is to delete the user's cached version of his roaming profile and then delete his profile on the server. I can't accept this, as this would mean that the user would virtually have to start from scratch. We are using folder redirection, so some information would be relatively easily retained, but the problem is that I'd like to find some way to figure out what's going on and to fix it. I realize that this may not exactly be a Samba question: I am 99% certain that the problem is caused by something in the user's NTUSER.DAT file stored within his roaming profile that the Group Policy Client does not like. The problem that I am having is that I don't know how to determine what that is. The user's hive is large and therefore impractical to go through by hand without some notion of what to look for. Can anyone offer any suggestions other than deleting the user's profile and effectively starting from scratch? Would anything in the Control Panel key in the user's NTUSER.DAT cause this? Is there some way to configure either Windows or Samba to log any additional information that can help me narrow down the problem so that I am able to at least identify the cause? If I can just find the cause, I'm confident that I can fix it without blowing the user's profile away entirely. Also, there are no customizations to group policy on any of the workstations in this domain. Much appreciated, Michael Trausch You can rename his profile folder, that way windows thinks it is gone and recreates it. after it is recreated you have to go through and copy his files from his backup profile to his new one. Also coping select folders from appdata\roaming and appdata\local will restore program settings. -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
[Samba] User can only login as admin, group policy fails the logon otherwise
I have a Samba 3.5 server that services seven Windows 7 computers. When the setup was originally installed, all workstations were independent systems and so all users had local administrative privilege. I have removed admin rights from all users but one. This user has a problem. We'll call the user 'dmc' though that isn't his real username. In any event, dmc is a member of the local Administrators group on his assigned workstation. I've tried a few times in the past to remove his admin rights, but when I do so, he is unable to login with an error about Group Policy failing the logon, access is denied. If I restore the admin rights, the user can logon successfully. The user cannot logon to any other workstation on the network. I did not encounter this problem with any other user, so this is definitely unique to dmc. According to everything that I can find via Google, the generally accepted solution is to delete the user's cached version of his roaming profile and then delete his profile on the server. I can't accept this, as this would mean that the user would virtually have to start from scratch. We are using folder redirection, so some information would be relatively easily retained, but the problem is that I'd like to find some way to figure out what's going on and to fix it. I realize that this may not exactly be a Samba question: I am 99% certain that the problem is caused by something in the user's NTUSER.DAT file stored within his roaming profile that the Group Policy Client does not like. The problem that I am having is that I don't know how to determine what that is. The user's hive is large and therefore impractical to go through by hand without some notion of what to look for. Can anyone offer any suggestions other than deleting the user's profile and effectively starting from scratch? Would anything in the Control Panel key in the user's NTUSER.DAT cause this? Is there some way to configure either Windows or Samba to log any additional information that can help me narrow down the problem so that I am able to at least identify the cause? If I can just find the cause, I'm confident that I can fix it without blowing the user's profile away entirely. Also, there are no customizations to group policy on any of the workstations in this domain. Much appreciated, Michael Trausch -- Michael B. Trausch President, Naunet Corporation Web: https://www.naunetcorp.com/ Phone: +1-(470)-201-5738 -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] User can only login as admin, group policy fails the logon otherwise
Can you clarify a few things: - Are the machines now members of a domain? - Is the dmc user a domain user or a local user only? If he is a domain user, how did you migrate him from a local to a domain user account? Does he have the appropriate file permissions to the local profile? When you move someone from a local to a domain user account you need to make sure the profile permissions are updated. There is a Microsoft tool to help move a cache in these cases. - Assuming he is a domain user, is he unable to login on other computers by design? - Is this a desktop or a laptop? -Original Message- From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On Behalf Of Michael B. Trausch Sent: Saturday, June 02, 2012 3:37 PM To: samba@lists.samba.org Subject: [Samba] User can only login as admin, group policy fails the logon otherwise I have a Samba 3.5 server that services seven Windows 7 computers. When the setup was originally installed, all workstations were independent systems and so all users had local administrative privilege. I have removed admin rights from all users but one. This user has a problem. We'll call the user 'dmc' though that isn't his real username. In any event, dmc is a member of the local Administrators group on his assigned workstation. I've tried a few times in the past to remove his admin rights, but when I do so, he is unable to login with an error about Group Policy failing the logon, access is denied. If I restore the admin rights, the user can logon successfully. The user cannot logon to any other workstation on the network. I did not encounter this problem with any other user, so this is definitely unique to dmc. According to everything that I can find via Google, the generally accepted solution is to delete the user's cached version of his roaming profile and then delete his profile on the server. I can't accept this, as this would mean that the user would virtually have to start from scratch. We are using folder redirection, so some information would be relatively easily retained, but the problem is that I'd like to find some way to figure out what's going on and to fix it. I realize that this may not exactly be a Samba question: I am 99% certain that the problem is caused by something in the user's NTUSER.DAT file stored within his roaming profile that the Group Policy Client does not like. The problem that I am having is that I don't know how to determine what that is. The user's hive is large and therefore impractical to go through by hand without some notion of what to look for. Can anyone offer any suggestions other than deleting the user's profile and effectively starting from scratch? Would anything in the Control Panel key in the user's NTUSER.DAT cause this? Is there some way to configure either Windows or Samba to log any additional information that can help me narrow down the problem so that I am able to at least identify the cause? If I can just find the cause, I'm confident that I can fix it without blowing the user's profile away entirely. Also, there are no customizations to group policy on any of the workstations in this domain. Much appreciated, Michael Trausch -- Michael B. Trausch President, Naunet Corporation Web: https://www.naunetcorp.com/ Phone: +1-(470)-201-5738 -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] User can only login as admin, group policy fails the logon otherwise
On 06/02/2012 03:50 PM, Gaiseric Vandal wrote: Can you clarify a few things: - Are the machines now members of a domain? Yes, the NT 4 domain that is in place and managed by Samba 3.5. - Is the dmc user a domain user or a local user only? If he is a domain user, how did you migrate him from a local to a domain user account? Does he have the appropriate file permissions to the local profile? When you move someone from a local to a domain user account you need to make sure the profile permissions are updated. There is a Microsoft tool to help move a cache in these cases. The user is a domain user. When the system was implemented, all users were required to start from scratch WRT profiles and settings; documents and so forth were moved from the local users' drives to their UNIX homes in a location that is pointed to by Windows' folder redirection. - Assuming he is a domain user, is he unable to login on other computers by design? No, he is unable to logon to other computers because of the same problem described in my OP. The only reason the user is allowed to logon to his assigned workstation is because for the moment he is a member of the workstation's administrators group. - Is this a desktop or a laptop? Desktop. All workstations on this network are attached to the domain and are identical systems. They are not mobile. --- Mike -- Michael B. Trausch President, Naunet Corporation Web: https://www.naunetcorp.com/ Phone: +1-(470)-201-5738 -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
