[Samba] Logins require local admin membership on Windows XP

Lee Ball lee at effective-it.co.uk
Sun Jul 24 18:42:21 GMT 2005


If anyone is interested I finally got to the bottom of this.

The problem? ntuser.dat. Why? The domain SID was different to the one 
listed in the ntuser.dat files.

Solved using the profiles command and a -c (change) and -n (new) switch.

For example, the ntuser.dat files inside each person's profile contained 
a reference to a domain SID, but not the correct one; must be the 
old one, I thought.

Running the command profiles -c {old domain ID} -n {new domain ID} 
ntuser.dat changes the ntuser.dat file to what it should be. However, if 
you just do this on the roaming profile and leave one locally on the 
client's machine then when you log in it will just use the local one 
rather than the roaming one.

I know I could change the domain SID that is currently set to the old 
one (how it should have been done after the upgrade) but a) I don't 
quite know how and b) I'm sure it will break the new ntuser.dat files 
that have been created (new users) and will break some other things as I 
noticed that some people had the correct references in their .dat files.

Although this appears to work, there is one Windows XP machine and user 
account which has given me a headache. Even though I removed all traces 
of the user's profiles and account from the machine and updated the 
ntuser.dat file on the server, it still changed back once the user had 
logged in. Weird.

Only NT-based OSes use the SIDs in this, which is why the Windows 98 
clients didn't have a problem as they are dumb when it comes to 
security. I guess adding local administrator rights allows any user on a 
domain to alter the HKey Local User registry settings.
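
One way to see which domain SIDs an ntuser.dat references before choosing the values for profiles -c and -n, as an added example that is not part of the original post or of Samba. It scans raw hive bytes for the binary form of S-1-5-21-... SIDs; the function names and sample bytes are constructed here, and a raw byte scan is a heuristic, not a full registry hive parse.

```python
import struct
from collections import Counter

# Binary start of every S-1-5-21-x-y-z-RID SID: revision 1, five sub-authorities,
# identifier authority 5 (6 bytes, big-endian), first sub-authority 21 (little-endian).
PREFIX = bytes([1, 5]) + (5).to_bytes(6, "big") + struct.pack("<I", 21)


def domain_sids(data: bytes) -> Counter:
    """Count domain SIDs (S-1-5-21-x-y-z, RID dropped) found in raw hive bytes."""
    found = Counter()
    pos = data.find(PREFIX)
    while pos != -1:
        body = data[pos + len(PREFIX): pos + len(PREFIX) + 16]
        if len(body) == 16:  # skip a SID truncated at end of file
            a, b, c, _rid = struct.unpack("<4I", body)
            found[f"S-1-5-21-{a}-{b}-{c}"] += 1
        pos = data.find(PREFIX, pos + 1)
    return found


def pack_sid(domain: str, rid: int) -> bytes:
    """Encode a domain SID plus RID in binary form (builds the sample below)."""
    subs = [int(x) for x in domain.split("-")[3:]] + [rid]
    return (bytes([1, len(subs)]) + (5).to_bytes(6, "big")
            + struct.pack(f"<{len(subs)}I", *subs))


# Constructed values, not taken from the post: a stale domain SID referenced
# twice and the current domain SID referenced once.
OLD = "S-1-5-21-1111111111-2222222222-3333333333"
NEW = "S-1-5-21-4000000001-4000000002-4000000003"
SAMPLE = (b"regf" + b"\0" * 28 + pack_sid(OLD, 1001) + b"\0" * 8
          + pack_sid(OLD, 1002) + pack_sid(NEW, 1003))

if __name__ == "__main__":
    import sys
    # Pass a path to a copy of ntuser.dat; with no argument the sample is used.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for sid, count in domain_sids(data).most_common():
        print(f"{count:6d}  {sid}")
```

Run it on a copy of both the roaming and the locally cached ntuser.dat: a SID that differs from the domain's current SID is the one to pass to -c.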


