Roaming Profile Folders Do Not Allow Administrative Access

Article ID: 222043
This article was previously published under Q222043

SYMPTOMS

When a roaming profile is written for the first time, permissions for the created folder (\\Server\Profile\Username) that contains the roaming profile are set as follows:
System: Full Control
Username: Full Control
Therefore, administrators do not have control of this area.

CAUSE

In Microsoft Windows NT 4.0, when the Administrators group is listed for the parent folder of the new user profile folder, this permission is inherited by the folder and files for the new user profile. In Windows 2000, this permission is applied to System and the user only, without inheritance from the parent.

RESOLUTION

To resolve this problem, obtain the latest service pack for Windows 2000. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
260910 How to Obtain the Latest Windows 2000 Service Pack
The English version of this fix should have the following file attributes or later:
   Date        Time    Version        Size     File name 
   -------------------------------------------------------
   07/26/2000  09:36a                 738,586  System.adm
   01/19/2001  05:57a  5.0.2195.2780  370,448  Userenv.dll
				

You must apply this hotfix to all domain controllers and clients. The hotfix adds a new "Add the Administrators security group to roaming user profiles" policy that must be applied by using Group Policy. To enable this new policy:
  1. Start Microsoft Management Console (MMC). On the Console menu, click Add/Remove Snap-in.
  2. Add the Group Policy snap-in for the default domain policy. To do so, click Browse when you are prompted to select a Group Policy object (GPO). The default GPO is "Local Computer." Click Browse, and then click Default Domain Policy. You can also add GPOs for other domain partitions (specifically, organizational units).
  3. Double-click the following items to open them: Computer Configuration, Administrative Templates, System, and Logon.
  4. Click to select the Add the Administrators security group to roaming user profiles check box.
  5. Click either Enable or Disable to enable or disable the new policy.

WORKAROUND

To work around this behavior, create the user profile folder ahead of time with the appropriate permissions.
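One way to apply this workaround from an administrative workstation, as an added example that is not part of the original Microsoft article. It assumes PowerShell is available, that "appropriate permissions" means the System and Username entries listed under SYMPTOMS plus Full Control for the Administrators group, and that the parameter names `$ProfileRoot` and `$User` are hypothetical:

```powershell
# Added example (not from the KB article): pre-create a roaming profile folder
# so that SYSTEM, the user, and Administrators all have Full Control.
# $ProfileRoot and $User are hypothetical parameter names.
param(
    [Parameter(Mandatory)] [string] $ProfileRoot,   # e.g. \\Server\Profile
    [Parameter(Mandatory)] [string] $User           # e.g. DOMAIN\Username
)

$path = Join-Path $ProfileRoot ($User.Split('\')[-1])
if (Test-Path -LiteralPath $path) {
    # Do not silently rewrite the ACL of a profile that already exists.
    throw "Folder already exists: $path (review its ACL instead of replacing it)"
}

# Well-known SIDs avoid dependence on localized account names.
$system = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-18'      # Local System
$admins = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'  # BUILTIN\Administrators
# Translate() throws if the account cannot be resolved, which stops a typo
# from producing a folder that nobody but SYSTEM and Administrators can use.
$userSid = (New-Object System.Security.Principal.NTAccount $User).Translate(
    [System.Security.Principal.SecurityIdentifier])

$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$noProp  = [System.Security.AccessControl.PropagationFlags]::None
$allow   = [System.Security.AccessControl.AccessControlType]::Allow
$full    = [System.Security.AccessControl.FileSystemRights]::FullControl

New-Item -ItemType Directory -Path $path | Out-Null
$acl = Get-Acl -LiteralPath $path

# Stop inheriting from the parent and discard the inherited entries, so other
# users of the share gain no access through the parent folder's ACL.
$acl.SetAccessRuleProtection($true, $false)
foreach ($sid in $system, $admins, $userSid) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $sid, $full, $inherit, $noProp, $allow)
    $acl.AddAccessRule($rule)
}
Set-Acl -LiteralPath $path -AclObject $acl

# Show the resulting entries for verification.
(Get-Acl -LiteralPath $path).Access |
    Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize
```

The final table should list exactly three non-inherited Full Control entries; any additional identity means the folder picked up access that the profile owner and administrators did not intend.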

STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article. This problem was first corrected in Windows 2000 Service Pack 2.

MORE INFORMATION

The default location of the System.adm file for a default domain policy is:
%SystemRoot%\Sysvol\Sysvol\DomainName\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Adm\System.adm
The contents of these folders are replicated throughout a domain by the File Replication service (FRS). Note that the Adm folder is not populated until the default domain policy is loaded for the first time.

For additional information about how to install Windows 2000 and Windows 2000 hotfixes at the same time, click the article number below to view the article in the Microsoft Knowledge Base:
249149 Installing Microsoft Windows 2000 and Windows 2000 Hotfixes
NOTE: Changes to a group policy object are not immediately imposed upon the target systems. To update this policy on the client, run the following command on the client:
Secedit /RefreshPolicy Machine_Policy /Enforce
For additional information about how this operates, please see the following article in the Microsoft Knowledge Base:
227302 Using SECEDIT to Force a Group Policy Refresh Immediately

Properties

Article ID: 222043 - Last Review: February 22, 2007 - Revision: 3.4
APPLIES TO
  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Professional Edition
Keywords: 
kbhotfixserver kbqfe kbbug kbfix kbwin2000presp2fix KB222043
