
How do I get roaming profile to ignore user cookies

Posted on 2007-12-04
Last Modified: 2011-08-18
More complicated than title implies--
We have kiosks which automatically login using a roaming profile.  Using GPO Computer Config|admin templates|system user profiles| we prevent roaming profile changes from propagating to the server, except for one kiosk which we use for setting the single user profile.
Upon login, the kiosks are showing an error-- can't copy the cookies\index.dat file centrally to the local cookies directory.
If I delete the index.dat file from the roaming profile\cookies directory on the server, the kiosks login fine.  But if I logout and in on the one kiosk allowed to propagate to the server, the other kiosks fail with the same error because index.dat is rewritten to the roaming profile\cookies directory.
1.  I've deleted all temporary internet files on the workstation that we use to define the roaming profile.  The same index.dat file and the other cookie files still get remade on the server when this one workstation logs out.  I've searched for this index.dat file on the workstation that is sending the cookies to the roaming profile--- there are index files but not this index.dat file-- which is always exactly the same and the same date (3 weeks old).

2.  I thought that the default was that temporary internet files are not written to the roaming profile.

Thanks in advance.

Question by:dakota5
6 Comments
 
LVL 7

Expert Comment

by:mcse2007
ID: 20409801
Have you tried DENYING the user access to the cookies folder from ACL? Will you still get the error?
0
 

Author Comment

by:dakota5
ID: 20417131
The cookies folder on the server (sysvol\sysvol\domain-name\user profiles\user\cookies) is peculiar.
Unlike the rest of the folders in the user profile, cookies does not have sharing and security settings.  I tried to remove rights to the file index.dat but nothing works.

I noticed that on the computer that is propagating the roaming profile, the cookies directory only appears in the user profile when that user is logged in.  And when that user is logged in, the index.dat file can't be deleted-- it is being used.
0
 
LVL 7

Expert Comment

by:mcse2007
ID: 20417312
You have to DENY the user through ACL from the COOKIES folder and not on the index.dat file!
0
 

Author Comment

by:dakota5
ID: 20417410
The cookies folder in the roaming profile does not have an Access Control List.  As I mentioned, it is the only one of the folders whose right-click option does not include "Sharing and Security" in the drop down.  I guess I could try to recreate the folder, but that would be complicated.

In addition, if I succeed in blocking access to the folder, the copying of the folder that is attempted on user login will fail and still give me an error, won't it?  I need to keep the propagating workstation from writing the index.dat file in the first place, but probably not by denying access to the directory-- because that will also generate an error.

Any idea how to get the propagating workstation to stop trying to copy its cookies directory back to the roaming profile?  There is an administrative GPO for login that allows you to block directories from being written to the profile, but doing so creates other login errors reading other temporary internet files.
0
 
LVL 7

Accepted Solution

by:
mcse2007 earned 1500 total points
ID: 20417483
OK, I see what you mean.

Go into the server hosting the roaming profile, find a particular user profile and look for cookies folder. Right click on it and select properties then select the 'Security' tab. Here set the DENY modify everyone.
This will deny anyone from writing any files inside the cookies folder.

You have to logon as administrator in the hosting server that services the roaming profiles and have at least full control permission to the partition drive where the roam folders are housed.
0
 

Author Comment

by:dakota5
ID: 20428446
The cookies folder has no security tab on right click.  I think there is something unique about an active roaming profile central cookies folder.  However, I think I solved the problem by deleting the cookies folder on the server-- I should have tried this earlier.
On reboot, the propagating workstation recreated a new cookies folder.  It has the same files in it that the "bad" folder had (same dates, same sizes), but the roaming profile workstations now have no problem.  Incidentally, this cookies folder also does not have a security tab on right click.  Must be something about roaming profiles and cookies folders.
Anyway, problem solved.  Thank you for pushing me in this direction.
0
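
The thread turns on two things that Explorer did not show: the ACL on the central Cookies folder and whether Cookies is in the roaming-profile exclusion list. The following PowerShell is an added example, not code from any poster in this thread; it reads both from the command line. The share path `\\SERVER\Profiles$\kioskuser` is a placeholder, and the function names are made up for this example.

```powershell
# Added example, not from the thread. $ProfileRoot is a placeholder path.
param([string]$ProfileRoot = '\\SERVER\Profiles$\kioskuser')

function Get-CookiesFolderAcl {
    # Lists the ACEs on <profile>\Cookies (what the Security tab would display).
    param([Parameter(Mandatory)][string]$Root)
    $cookies = Join-Path $Root 'Cookies'
    if (-not (Test-Path -LiteralPath $cookies)) {
        Write-Warning "No Cookies folder under $Root"
        return
    }
    $acl = Get-Acl -LiteralPath $cookies
    foreach ($ace in $acl.Access) {
        [pscustomobject]@{
            Folder    = $cookies
            Owner     = $acl.Owner
            Identity  = $ace.IdentityReference
            Type      = $ace.AccessControlType   # Allow or Deny
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
        }
    }
}

function Get-CookiesIndexFile {
    # -Force so the file is returned even if it is hidden or system.
    param([Parameter(Mandatory)][string]$Root)
    $index = Join-Path (Join-Path $Root 'Cookies') 'index.dat'
    if (Test-Path -LiteralPath $index) {
        Get-Item -LiteralPath $index -Force |
            Select-Object FullName, Length, LastWriteTime, Attributes
    }
}

function Get-ProfileExclusions {
    # Run as the roaming user: policy value first, then the Winlogon default.
    $keys = 'HKCU:\Software\Policies\Microsoft\Windows\System',
            'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
    foreach ($key in $keys) {
        $value = (Get-ItemProperty -Path $key -Name ExcludeProfileDirs `
                  -ErrorAction SilentlyContinue).ExcludeProfileDirs
        [pscustomobject]@{
            Key                = $key
            ExcludeProfileDirs = $value
            CookiesExcluded    = ($value -split ';') -contains 'Cookies'
        }
    }
}

Get-CookiesFolderAcl  -Root $ProfileRoot | Format-Table -AutoSize
Get-CookiesIndexFile  -Root $ProfileRoot | Format-List
Get-ProfileExclusions | Format-List
```

Run the first two functions from an account that can read the profile share, and `Get-ProfileExclusions` in the session of the roaming user on the propagating workstation, since it reads that user's HKCU hive.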
