NT server with 2k workstations permission problems, no admin privilidg

ryeookin
I have an NT4 server (with sp6a) that ran with NT4 workstations but I just upgraded the 30 some workstations to win2kpro. Every time a new account is created on the server, when they login via a 2k workstation their profile on the server loses its administrator 'all' permissions with only the system and the username having permissions to the folder. This results in not being able to view or access the files in the profile on the server of any newly created user. There are files in the user profile.. just don't have the permissions. If I take ownership of the folder then it erases the other permissions and I would need to re-add them and this would not fix the problem as newly created accounts would still lack admin permissions.

1st) The users' profiles are stored on an NTFS partition on the NT server. When a new account is created and they login to one of the w2k Pro workstations for the first time their user profile folder is then created on the server. The profile that is then created is owned by the user and not the administrator (I believe this is part of the problem) and the admin can't do anything with the folder other than taking ownership himself (which erases all access permissions of the folder) and is a pain in the butt because you have to answer "yes" to take permissions for each subdirectory in the user's profile directory.

2nd) The only thing we changed was upgrading the workstations to win2k.. and by upgrading I mean formatting, installing and ghosting to the other workstations. It would seem that the new 2k workstations are the culprit.. but not quite sure how or why?

I have looked all over the net and Microsoft's TechNet to no avail. I tried upgrading to w2k sp3 and that didn't help. I also logged in with a new account from a computer other than the ghosted ones thinking that perhaps something was wrong with the ghosted image.. but when I logged on from a w2k pc that wasn't ghosted I still end up with the same problem (When I am on the server I can't access their profile directories.. administrator doesn't have ownership of the folder and doesn't have any permissions to view or do anything with the folder much less see any files therein).

Any insight would be greatly appreciated. Thanks :)
 
This statement from Microsoft might help.

Windows NT and Windows 2000
User profiles in Windows NT and Windows 2000, for the most part, function the same. These operating systems support local, roaming and mandatory profiles. However, there are some differences.
Windows NT 4.x uses the %SystemRoot%\Profiles folder to store profiles.
In Windows 2000, the Systemdrive\Documents and Settings folder is used. Computers that are upgraded from Windows NT 4.x to Windows 2000 will retain and use the %SystemRoot%\Profiles folder.
Windows NT 4.x handled duplicate down-level account names by adding the following to the username of the profile, where each subsequent logon with a different user of the same name would increment the suffix by one: .000
Windows 2000 handles duplicate down-level account names as well but in a slightly more intuitive manner. A suffix is placed on the username of the profile that is either the name of the domain, if the user account is a domain account, or the name of the computer, if the user account is a local user account. If, by chance, another user with the same name from the same domain or computer logs onto the machine, Windows 2000 adds a .000 suffix to the domain or computer name. If the action happens again, it then starts incrementing the .000 as well.
Windows NT 4.x profile merge algorithm was not a merge but rather an Xcopy with full synchronization support.

Specifically look at where the NT 4.x profile is stored. \Systemroot\Profiles, this is usually C:\WINNT\Profiles. Now if you logon and pull your profile from the server, in essence you are logging onto the workstation as a guest. Guest by default may not have enough permissions to access the C:\Winnt directory. "Power user" does have sufficient rights to the C:\WINNT directory.
 
Quote
"Specifically look at where the NT 4.x profile is stored. \Systemroot\Profiles, this is usually C:\WINNT\Profiles. Now if you logon and pull your profile from the server, in essence you are logging onto the workstation as a guest. Guest by default may not have enough permissions to access the C:\Winnt directory. "Power user" does have sufficient rights to the C:\WINNT directory."

The thing is the workstations who log onto the server create their account just fine on the NT server (and the roaming profiles for these accounts are stored in D:\profiles, not on the root in this case). The end user doesn't have a problem actually.. it's me and the other admins. When the new account is created we can't access the roaming profile on the d drive. The user who logged into their account has ownership as usual however the administrator doesn't have any permissions to the folder or the files therein which is definitely abnormal.. Normally the 3 permissions that are on the folders are:
1) the account user (their name)
2) system
3) administrator

The permissions new accounts start with now when created and logged into via a win2k workstation:
1) the account user (their name)
2) system

And that's it.. the new accounts don't give access to administrator :(

Any clue anyone??
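
An added example, not part of the original posts: a short Python audit that reads cacls-style listings captured per profile folder and flags folders that lack the administrator entry described above, or where the listing itself was refused. The folder names, the accounts, the use of `BUILTIN\Administrators` as the admin entry and the sample listings are all constructed assumptions.

```python
import re

# Entries every roaming-profile folder is expected to carry with Full (F)
# access, besides the profile's own user. Assumed names, not from the thread.
REQUIRED = (r"BUILTIN\Administrators", r"NT AUTHORITY\SYSTEM")

# Constructed sample: (user, captured listing) per folder, as a script that
# runs `cacls <folder>` once per profile might collect them.
SAMPLE = {
    r"D:\profiles\asmith": (r"CORP\asmith", r"""
D:\profiles\asmith BUILTIN\Administrators:(OI)(CI)F
                   NT AUTHORITY\SYSTEM:(OI)(CI)F
                   CORP\asmith:(OI)(CI)F
"""),
    r"D:\profiles\bjones": (r"CORP\bjones", r"""
D:\profiles\bjones NT AUTHORITY\SYSTEM:(OI)(CI)F
                   CORP\bjones:(OI)(CI)F
"""),
    r"D:\profiles\cdoe": (r"CORP\cdoe", "Access is denied.\n"),
}

def parse_aces(path, listing):
    """Return {account_lowercase: right} from one folder's listing."""
    aces = {}
    for line in listing.splitlines():
        if line.lower().startswith(path.lower()):
            line = line[len(path):]   # first entry shares a line with the path
        line = line.strip()
        if ":" not in line:
            continue
        account, spec = line.rsplit(":", 1)
        # Drop inheritance flags such as (OI)(CI)(IO); keep the right letter.
        aces[account.strip().lower()] = re.sub(r"\([A-Z]+\)", "", spec).strip()
    return aces

def audit(path, listing, user):
    """Classify one folder: OK, LOCKED_OUT, or MISSING <accounts>."""
    if "denied" in listing.lower():
        return "LOCKED_OUT"           # the admin cannot even read the ACL
    aces = parse_aces(path, listing)
    missing = [a for a in REQUIRED + (user,) if aces.get(a.lower()) != "F"]
    return "OK" if not missing else "MISSING " + ", ".join(missing)

def report(sample=SAMPLE):
    return {p: audit(p, text, user) for p, (user, text) in sample.items()}

if __name__ == "__main__":
    for folder, status in report().items():
        print(f"{folder:24} {status}")
```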
 
If you use the Admin Wizard in NT4 to create a new user this automatically creates a user's home directory with the user as the owner. This is by design. So now what you would need to do is automate folder permissions. Here is the article on that: Q180464. Maybe this might shed some light on the problem or possibly fix it totally.
Good luck.
 
I read that article and there is a problem with automating it.. How do you?
Such that even running a basic:

cacls d:\profiles\<profilename> /t /e /g administrators:f
Access denied

Won't work.. :( The administrator has no permissions/access to the folders/files in the profile in this case and without that they can't modify the Access Control List (with the cacls command) to change permissions without taking ownership of the file.

:(
 
Look at this article in MS KB Q288991. This addresses the problem of getting the Administrator account to access a user's home folder by default after it is created and this I believe is the original problem.
 