[Samba] User can only login as admin, group policy fails the logon otherwise

Gaiseric Vandal gaiseric.vandal at gmail.com
Sat Jun 2 13:50:52 MDT 2012 

Can you clarify a few things:

- Are the machines now members of a domain?

- Is the "dmc" user a domain user or a local user only?     If he is a
domain user, how did you migrate  him from a local to a domain user account?
Does he have the appropriate file permissions to the local profile?   When
you move someone from a local to a domain user account you need to make sure
the profile permissions are updated.  There is a Microsoft tool to help move
a cache in these cases.  

- Assuming he is a domain user, is he unable to login  on other computers by
design?  

- Is this a desktop or a laptop?  





-----Original Message-----
From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org]
On Behalf Of Michael B. Trausch
Sent: Saturday, June 02, 2012 3:37 PM
To: samba at lists.samba.org
Subject: [Samba] User can only login as admin, group policy fails the logon
otherwise

I have a Samba 3.5 server that services seven Windows 7 computers.  When the
setup was originally installed, all workstations were independent systems
and so all users had local administrative privilege.  I have removed admin
rights from all users but one.  This user has a problem.
We'll call the user 'dmc' though that isn't his real username.

In any event, dmc is a member of the local Administrators group on his
assigned workstation.  I've tried a few times in the past to remove his
admin rights, but when I do so, he is unable to login with an error about
Group Policy failing the logon, access is denied.  If I restore the admin
rights, the user can logon successfully.

The user cannot logon to any other workstation on the network.

I did not encounter this problem with any other user, so this is definitely
unique to dmc.

According to everything that I can find via Google, the generally accepted
solution is to delete the user's cached version of his roaming profile and
then delete his profile on the server.  I can't accept this, as this would
mean that the user would virtually have to start from scratch.  We are using
folder redirection, so some information would be relatively easily retained,
but the problem is that I'd like to find some way to figure out what's going
on and to fix it.

I realize that this may not exactly be a Samba question:  I am 99% certain
that the problem is caused by something in the user's NTUSER.DAT file stored
within his roaming profile that the Group Policy Client does not like.  The
problem that I am having is that I don't know how to determine what that is.
The user's hive is large and therefore impractical to go through by hand
without some notion of what to look for.

Can anyone offer any suggestions other than deleting the user's profile and
effectively starting from scratch?  Would anything in the Control Panel key
in the user's NTUSER.DAT cause this?  Is there some way to configure either
Windows or Samba to log any additional information that can help me narrow
down the problem so that I am able to at least identify the cause?  If I can
just find the cause, I'm confident that I can fix it without blowing the
user's profile away entirely.

Also, there are no customizations to group policy on any of the workstations
in this domain.

	Much appreciated,
	Michael Trausch

--
Michael B. Trausch
President, Naunet Corporation

Web:   https://www.naunetcorp.com/
Phone: +1-(470)-201-5738

More information about the samba mailing list