"Add the Administrators security group to roaming user profiles" still not allowing access

-

i'm doing testing of roaming profiles , have them working. administrator, cannot access each user's individual profile folder. have enabled gp setting "add administrators security group roaming user profiles" , done gpupdate on client pc i'm using first logon device user profile creation. gpresult shows gpo being applied, still doesn't grant me access.

i aware policy doesn't apply retroactively , folders created after gpo applied grant me access. i'm testing creating folder multiple times after i've created gpo. argument doesn't apply.

after digging, found old thread stated policy must configured on client pc user logging onto time in order work. tried doing , granted access after profile directory created.

but doesn't seem right answer. yes, solves problem. if have 500 computers in organisation, wouldn't mean you'd have enable setting on each , every 1 of them? no way admin want that.

can shed light on this?

ok, have solved issue.

in answer question configuring policy on potentially hundreds of computers, little confused being new server admin game. can configure client's policy settings client , work. there's easier way veteran sysadmins consider common sense: apply policy ou contains client pcs in ad users , computers.

by default, computer objects on server placed in computers container in ad when joined domain. since can't apply gpos container, had create ou them. here's did:

  1. i moved domain computers out of default computers container , own ou. careful when doing this, may affect existing policies have set up. far, mine have been ok.
  2. by following technet guide deploying roaming profiles on page, step 4 advises remove authenticated users security scope , replace group created earlier in guide. advise add authenticated users delegation tab of gpo domain computers correctly grab policy. (since update ms16-072, domain computers included authenticated users).

    here's part don't tell you: default, computer objects in domain not trusted delegation. makes adding authenticated users gpo delegation tab pointless. had go properties of each computer object in ad users , computers, click delegation tab , select "trust computer delegation service (kerberos only)". below:

    trust delegation

    3. logged in test user on client pc , corresponding roaming profile directory created. able instantly access directory domain admin without issues.

maybe allowing trust delegation setting common knowledge among sysadmins, i'm still learning ropes , others in situation.

the strange thing though gpo working intended, doesn't show being applied in gpresult. @ point don't care.



Windows Server  >  Windows Server 2016 Essentials



Comments

Post a Comment

Popular posts from this blog

CRL Revocation always failed

-
hi all, i try configure radius server nps, somehow certificate authentication client failed with reason: reason = revocation function unable check revocation because revocation server offline. then check certificate client, certutil -f -urlfetch -verify client7.cer, result follow: issuer:     cn=entca     dc=intra     dc=domain     dc=co     dc=sg subject:     cn=computer.intra.domain.co.sg cert serial number: 1c5b00de000000000041 dwflags = ca_verify_flags_allow_untrusted_root (0x1) dwflags = ca_verify_flags_ignore_offline (0x2) dwflags = ca_verify_flags_full_chain_revocation (0x8) dwflags = ca_verify_flags_console_trace (0x20000000) dwflags = ca_verify_flags_dump_chain (0x40000000) chainflags = cert_chain_revocation_check_chain (0x20000000) hcce_local_machine cert_chain_policy_base -------- cert_chain_context -------- chaincontext.dwinfostatus = cert_trust_has_preferred_issuer (0x100) chaincontext.dwerrorstatus = cert_trust_revocation_sta
Read more

Failed to query the results of bpa xpath

-
Image
i have new server installed hyper v, iis , domain services roles on it.  i checking event log , see warning multiple times, idea how rid of it?? failed query results of bpa xpath: microsoft/windows/fileservices:$reports$\*\result.xml:/resultdatabase/result. error: device attached system not functioning., last error: system cannot find path specified.. follow me on twitter <<< levalencia blog <<< hi, similar issue discussed in forum: to rid of warnings: 1. go dashboard 2. click on add roles , features 3. click next "before begin step" 4. select "role based or feature based installation" , click next 5. select given server server pool , click next 6. in server roles step make sure following checked:   file , storage services > file , iscsi services > file server, click next 7.click next through rest of steps , install server role 8. rerun bpa scan described earlier for more information please refer following ms
Read more

0x300000d errors in Microsoft Remote Desktop client

-
we use rd connect home users office. @ server side remote desktop gateway configured on 2008r2 server. experience following:   for years worked fine, starting last year users apple macbook experienced connection errors after new version of microsoft remote desktop in app store , automatic update. after couple of weeks error disappaered when new updates released. since 6 8 weeks problem again. because don’t have macbook cannot reproduce problem.   starting couple of weeks samsung s6 experiencing problems, here version 8.1.37.135 installed, error displayed is: can’t connect tot remote pc because remote desktop gateway server temporaraily unavailable. try connecting later or contact network administrator assistance. error code  0x300000d   because has worked fine years expect issues on client can configuration error on gateway server.   who pin point real cause?   however, testing other rd gateway server works ok settings identically. hi ruud, as works rd
Read more