[Samba] User can only login as admin, group policy fails the logon otherwise

Sun Jun 3 01:36:23 MDT 2012

On 6/2/2012 12:37 PM, Michael B. Trausch wrote:
> I have a Samba 3.5 server that services seven Windows 7 computers.  When
> the setup was originally installed, all workstations were independent
> systems and so all users had local administrative privilege.  I have
> removed admin rights from all users but one.  This user has a problem.
> We'll call the user 'dmc' though that isn't his real username.
>
> In any event, dmc is a member of the local Administrators group on his
> assigned workstation.  I've tried a few times in the past to remove his
> admin rights, but when I do so, he is unable to login with an error
> about Group Policy failing the logon, access is denied.  If I restore
> the admin rights, the user can logon successfully.
>
> The user cannot logon to any other workstation on the network.
>
> I did not encounter this problem with any other user, so this is
> definitely unique to dmc.
>
> According to everything that I can find via Google, the generally
> accepted solution is to delete the user's cached version of his roaming
> profile and then delete his profile on the server.  I can't accept this,
> as this would mean that the user would virtually have to start from
> scratch.  We are using folder redirection, so some information would be
> relatively easily retained, but the problem is that I'd like to find
> some way to figure out what's going on and to fix it.
>
> I realize that this may not exactly be a Samba question:  I am 99%
> certain that the problem is caused by something in the user's NTUSER.DAT
> file stored within his roaming profile that the Group Policy Client does
> not like.  The problem that I am having is that I don't know how to
> determine what that is.  The user's hive is large and therefore
> impractical to go through by hand without some notion of what to look for.
>
> Can anyone offer any suggestions other than deleting the user's profile
> and effectively starting from scratch?  Would anything in the Control
> Panel key in the user's NTUSER.DAT cause this?  Is there some way to
> configure either Windows or Samba to log any additional information that
> can help me narrow down the problem so that I am able to at least
> identify the cause?  If I can just find the cause, I'm confident that I
> can fix it without blowing the user's profile away entirely.
>
> Also, there are no customizations to group policy on any of the
> workstations in this domain.
>
> 	Much appreciated,
> 	Michael Trausch
>
>
>
>

You can rename his profile folder, that way windows thinks it is gone 
and recreates it. after it is recreated you have to go through and copy 
his files from his "backup" profile to his new one. Also coping select 
folders from appdata\roaming and appdata\local will restore program 
settings.