Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

Local Administrator and Temporary Profile

Posted on 2014-02-12
3
Medium Priority
?
872 Views
Last Modified: 2014-02-27
We have a fairly large Active Directory installation running on Server 2008 R2. A majority of our users are successfully using roaming profiles, and we have a number of Group Policies controlling folder re-direction and the cleanup of cached profiles from the various workstations the roaming profile users are allowed to use. Recently, after some Group Policy changes, we started to see that when a local administrator logged on to the workstations that the roaming profile users are allowed to use, the local administrator is receiving an error message about their roaming profile and is being logged in with a temporary profile. The Group Policy that deletes the cached profiles has a scope for Authenticated Users.

How do I fix this problem so that when I log into a workstation and/or server as the local administrator, I do not get a temporary profile but get the profile I had the last time I logged into that workstation and/or server?
0
Comment
Question by:mharris3
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
3 Comments
 
LVL 38

Expert Comment

by:Hypercat (Deb)
ID: 39854650
The Authenticated Users group, being a system group, obviously includes the Administrator account. I'd scope it to the Users group instead, which doesn't include the local admin account or administrators group. The only potential problem here would be domain controllers, where logging on as a domain administrator, that account could possibly by default be a member of the domain Users group.  It's easily checked and removed from that group, though, if you need to do so. I'm not even 100% sure that the group policy would apply in that scenario, but I would test it before relying on it's not being applied.
0
 

Author Comment

by:mharris3
ID: 39854698
So Hypercat, even if the "set roaming profile path..." option is set in the GPO, limiting the scope to only those users who use roaming profiles should fix this problem?
0
 
LVL 38

Accepted Solution

by:
Hypercat (Deb) earned 2000 total points
ID: 39854770
Yes. On the specific policy that you use to control the deletion of the cached roaming profiles, on the Scope page under Security filtering, list only the group for the users who use roaming profiles.  This limits the ability to read (apply) the group policy settings to just that security group. Note that if this policy contains any other settings, those settings will only apply to that group as well - it's a global setting for the group policy. You could create a specific group for this if you don't already have one and add the roaming users to that group.
0

Featured Post

Has Powershell sent you back into the Stone Age?

If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone.  For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Active Directory can easily get cluttered with unused service, user and computer accounts. In this article, I will show you the way I like to implement ADCleanup..
Wouldn't it be nice if objects in Active Directory automatically moved into the correct Organizational Units? This is what AutoAD aims to do and as a plus, it automatically creates Sites, Subnets, and Organizational Units.
This tutorial will show how to configure a new Backup Exec 2012 server and move an existing database to that server with the use of the BEUtility. Install Backup Exec 2012 on the new server and apply all of the latest hotfixes and service packs. The…
This tutorial will walk an individual through setting the global and backup job media overwrite and protection periods in Backup Exec 2012. Log onto the Backup Exec Central Administration Server. Examine the services. If all or most of them are stop…
Suggested Courses

636 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question