Always have to assign admin rights to users to allow initial logon. 1

[Calvenn]

Hello,

As a new member, I have to commend the group of professionals on this board for their ongoing assistance and contributions with the various questions and problems experienced by many.

You have to forgive me if my question sounds like a "low level" one. Unfortunately, I have strayed away from practicing and studying the Microsoft OS as much as I should. Instead, I have of late directed my focus primarily on the Cisco and Linux/Unix field of study, recently completing the CCNA, which is truly where my heart lies (Network technician, LAN,WAN engineering, etc)

Having just commenced a new position as a Desktop support technician for a major company in my area, and working primarily with Win2k on the desktop side, I have stumbled upon some issues. Actually, this particular problem existed before my arrival.

The problem: It seems that for some odd reason, after imaging and deploying PC's for users in one of our departments, we have to grant these users admin priviledges after this initial setup in order for them to successfully login to the system. Basically, we grant them admin rights, allow them to login with their user info and password. Once this process is complete, we then remove admin priviledges.

As you can see, this is not an efficient way of conducting things in any environment. We do know that this problem only exists with certain images however. Unfortunately, I don't have the exact error message with me at this time, but I recall something like "unable to copy to user profile". Has anyone encountered anything similar?

Again, forgive me if I'm not providing enough information. I would like to begin this dialogue in order to find a solution eventually.

Please contribute your thoughts and ideas on this subject.

Thank you.

 

[ProfFate]

What NTFS rights are assigned to the "c:\documents and settings\" folder? It sounds like the user is having problem creating their profile. Also look in "c:\documents and settings\", is there a "Default User" folder? This folder is hidden, so you will have to change your settings to see it. This folder is used to create new profiles as users login. If it's gone it will have problem creating new profiles.

MikeL

 

[bcastner]

My guess is that the sysprep image was not sealed properly. If after sealing the creator makes changes in the desktop settings, or references a remote network resource, the image is contaminated with administrator credentials.

The following discusses the issue in an XP context, but it perfectly applicable to Win2k:

http://support.microsoft.com/default.aspx?scid=kb;en-us;q321281

 

[Calvenn]

Boy, you guys are quick! Anyhow, from what I gather from your responses, the bottom line is that the image might be corrupt and more than likely needs to be built from scratch? I figured this would be highly likely (Although I was hoping for another way to circumvent this problem) knowing that the other images don't suffer this particular anomaly. I will do further research concerning the error and as well as the other images. You guys have provided much insight and I truly appreciate your thoughts and advice. I will certainly apply what you have suggested here and also let you know of my findings.

MCP NT Server 4.0, CCNA

 

[bcastner]

If this is an Active Directory Domain setting, you really need someones credentials as a member of the Group Domain Administrators to:

. make the machine account addition to Active Directory'
. add the new user account

 

[wcburton]

When an image is built, a user is generally created and used to setup certain defaults on the desktop and other program settings. This users profile is then copied to the default user directory.

In case you are not familiar, this is in System Properties --> Advanced tab --> User profiles. Choose a profile and select the button labeled "copy to". In the dialog box that pops up, there is a section called "permitted to use". It is common for people to forget to change this to "Everyone" and would cause the situation you describe.

My solution is to go back to the image, re-copy the profile to Default User with the correct permissions, and re-seal the image. You could possibly just change the permissions on Documents and Settings\Default User but I am not as sure of that.