[Samba] User can only login as admin, group policy fails the logon otherwise

Michael B. Trausch mbt at naunetcorp.com
Sat Jun 2 13:37:05 MDT 2012 

I have a Samba 3.5 server that services seven Windows 7 computers.  When
the setup was originally installed, all workstations were independent
systems and so all users had local administrative privilege.  I have
removed admin rights from all users but one.  This user has a problem.
We'll call the user 'dmc' though that isn't his real username.

In any event, dmc is a member of the local Administrators group on his
assigned workstation.  I've tried a few times in the past to remove his
admin rights, but when I do so, he is unable to login with an error
about Group Policy failing the logon, access is denied.  If I restore
the admin rights, the user can logon successfully.

The user cannot logon to any other workstation on the network.

I did not encounter this problem with any other user, so this is
definitely unique to dmc.

According to everything that I can find via Google, the generally
accepted solution is to delete the user's cached version of his roaming
profile and then delete his profile on the server.  I can't accept this,
as this would mean that the user would virtually have to start from
scratch.  We are using folder redirection, so some information would be
relatively easily retained, but the problem is that I'd like to find
some way to figure out what's going on and to fix it.

I realize that this may not exactly be a Samba question:  I am 99%
certain that the problem is caused by something in the user's NTUSER.DAT
file stored within his roaming profile that the Group Policy Client does
not like.  The problem that I am having is that I don't know how to
determine what that is.  The user's hive is large and therefore
impractical to go through by hand without some notion of what to look for.

Can anyone offer any suggestions other than deleting the user's profile
and effectively starting from scratch?  Would anything in the Control
Panel key in the user's NTUSER.DAT cause this?  Is there some way to
configure either Windows or Samba to log any additional information that
can help me narrow down the problem so that I am able to at least
identify the cause?  If I can just find the cause, I'm confident that I
can fix it without blowing the user's profile away entirely.

Also, there are no customizations to group policy on any of the
workstations in this domain.

	Much appreciated,
	Michael Trausch

-- 
Michael B. Trausch
President, Naunet Corporation

Web:   https://www.naunetcorp.com/
Phone: +1-(470)-201-5738

More information about the samba mailing list