Michael B. Trausch
2012-Jun-02 19:37 UTC
[Samba] User can only login as admin, group policy fails the logon otherwise
I have a Samba 3.5 server that services seven Windows 7 computers. When the setup was originally installed, all workstations were independent systems and so all users had local administrative privilege. I have removed admin rights from all users but one. This user has a problem. We'll call the user 'dmc' though that isn't his real username.

In any event, dmc is a member of the local Administrators group on his assigned workstation. I've tried a few times in the past to remove his admin rights, but when I do so, he is unable to login with an error about Group Policy failing the logon, access is denied. If I restore the admin rights, the user can logon successfully.

The user cannot logon to any other workstation on the network.

I did not encounter this problem with any other user, so this is definitely unique to dmc.

According to everything that I can find via Google, the generally accepted solution is to delete the user's cached version of his roaming profile and then delete his profile on the server. I can't accept this, as this would mean that the user would virtually have to start from scratch. We are using folder redirection, so some information would be relatively easily retained, but the problem is that I'd like to find some way to figure out what's going on and to fix it.

I realize that this may not exactly be a Samba question: I am 99% certain that the problem is caused by something in the user's NTUSER.DAT file stored within his roaming profile that the Group Policy Client does not like. The problem that I am having is that I don't know how to determine what that is. The user's hive is large and therefore impractical to go through by hand without some notion of what to look for.

Can anyone offer any suggestions other than deleting the user's profile and effectively starting from scratch? Would anything in the Control Panel key in the user's NTUSER.DAT cause this? Is there some way to configure either Windows or Samba to log any additional information that can help me narrow down the problem so that I am able to at least identify the cause? If I can just find the cause, I'm confident that I can fix it without blowing the user's profile away entirely.

Also, there are no customizations to group policy on any of the workstations in this domain.

Much appreciated,
Michael Trausch

--
Michael B. Trausch
President, Naunet Corporation
Web: https://www.naunetcorp.com/
Phone: +1-(470)-201-5738
Gaiseric Vandal
2012-Jun-02 19:50 UTC
[Samba] User can only login as admin, group policy fails the logon otherwise
Can you clarify a few things:

- Are the machines now members of a domain?
- Is the "dmc" user a domain user or a local user only? If he is a domain user, how did you migrate him from a local to a domain user account? Does he have the appropriate file permissions to the local profile? When you move someone from a local to a domain user account you need to make sure the profile permissions are updated. There is a Microsoft tool to help move a cache in these cases.
- Assuming he is a domain user, is he unable to login on other computers by design?
- Is this a desktop or a laptop?

-----Original Message-----
From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org] On Behalf Of Michael B. Trausch
Sent: Saturday, June 02, 2012 3:37 PM
To: samba at lists.samba.org
Subject: [Samba] User can only login as admin, group policy fails the logon otherwise

I have a Samba 3.5 server that services seven Windows 7 computers. When the setup was originally installed, all workstations were independent systems and so all users had local administrative privilege. I have removed admin rights from all users but one. This user has a problem. We'll call the user 'dmc' though that isn't his real username.

In any event, dmc is a member of the local Administrators group on his assigned workstation. I've tried a few times in the past to remove his admin rights, but when I do so, he is unable to login with an error about Group Policy failing the logon, access is denied. If I restore the admin rights, the user can logon successfully.

The user cannot logon to any other workstation on the network.

I did not encounter this problem with any other user, so this is definitely unique to dmc.

According to everything that I can find via Google, the generally accepted solution is to delete the user's cached version of his roaming profile and then delete his profile on the server. I can't accept this, as this would mean that the user would virtually have to start from scratch. We are using folder redirection, so some information would be relatively easily retained, but the problem is that I'd like to find some way to figure out what's going on and to fix it.

I realize that this may not exactly be a Samba question: I am 99% certain that the problem is caused by something in the user's NTUSER.DAT file stored within his roaming profile that the Group Policy Client does not like. The problem that I am having is that I don't know how to determine what that is. The user's hive is large and therefore impractical to go through by hand without some notion of what to look for.

Can anyone offer any suggestions other than deleting the user's profile and effectively starting from scratch? Would anything in the Control Panel key in the user's NTUSER.DAT cause this? Is there some way to configure either Windows or Samba to log any additional information that can help me narrow down the problem so that I am able to at least identify the cause? If I can just find the cause, I'm confident that I can fix it without blowing the user's profile away entirely.

Also, there are no customizations to group policy on any of the workstations in this domain.

Much appreciated,
Michael Trausch

--
Michael B. Trausch
President, Naunet Corporation
Web: https://www.naunetcorp.com/
Phone: +1-(470)-201-5738
Jorell
2012-Jun-03 07:36 UTC
[Samba] User can only login as admin, group policy fails the logon otherwise
On 6/2/2012 12:37 PM, Michael B. Trausch wrote:
> I have a Samba 3.5 server that services seven Windows 7 computers. When
> the setup was originally installed, all workstations were independent
> systems and so all users had local administrative privilege. I have
> removed admin rights from all users but one. This user has a problem.
> We'll call the user 'dmc' though that isn't his real username.
>
> In any event, dmc is a member of the local Administrators group on his
> assigned workstation. I've tried a few times in the past to remove his
> admin rights, but when I do so, he is unable to login with an error
> about Group Policy failing the logon, access is denied. If I restore
> the admin rights, the user can logon successfully.
>
> The user cannot logon to any other workstation on the network.
>
> I did not encounter this problem with any other user, so this is
> definitely unique to dmc.
>
> According to everything that I can find via Google, the generally
> accepted solution is to delete the user's cached version of his roaming
> profile and then delete his profile on the server. I can't accept this,
> as this would mean that the user would virtually have to start from
> scratch. We are using folder redirection, so some information would be
> relatively easily retained, but the problem is that I'd like to find
> some way to figure out what's going on and to fix it.
>
> I realize that this may not exactly be a Samba question: I am 99%
> certain that the problem is caused by something in the user's NTUSER.DAT
> file stored within his roaming profile that the Group Policy Client does
> not like. The problem that I am having is that I don't know how to
> determine what that is. The user's hive is large and therefore
> impractical to go through by hand without some notion of what to look for.
>
> Can anyone offer any suggestions other than deleting the user's profile
> and effectively starting from scratch? Would anything in the Control
> Panel key in the user's NTUSER.DAT cause this? Is there some way to
> configure either Windows or Samba to log any additional information that
> can help me narrow down the problem so that I am able to at least
> identify the cause? If I can just find the cause, I'm confident that I
> can fix it without blowing the user's profile away entirely.
>
> Also, there are no customizations to group policy on any of the
> workstations in this domain.
>
> Much appreciated,
> Michael Trausch

You can rename his profile folder; that way Windows thinks it is gone and recreates it. After it is recreated you have to go through and copy his files from his "backup" profile to his new one. Also, copying select folders from appdata\roaming and appdata\local will restore program settings.