Microsoft KB Archive/222043

= Roaming Profile Folders Do Not Allow Administrative Access =

Article ID: 222043

Article Last Modified on 2/22/2007

-

APPLIES TO


 * Microsoft Windows 2000 Server
 * Microsoft Windows 2000 Advanced Server
 * Microsoft Windows 2000 Professional Edition

-



This article was previously published under Q222043



SYMPTOMS
When a roaming profile is written for the first time, permissions for the created folder (\\ \Profile\ ) that contains the roaming profile are set as follows:

System: Full Control



Therefore, administrators do not have control of this area.



CAUSE
In Microsoft Windows NT 4.0, when the Administrators group is listed for the parent folder of the new user profile folder, this permission is inherited by the folder and files for the new user profile. In Windows 2000, this permission is applied to System and the user only, without inheritance from the parent.



RESOLUTION
To resolve this problem, obtain the latest service pack for Windows 2000. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

260910 How to Obtain the Latest Windows 2000 Service Pack

The English version of this fix should have the following file attributes or later:   Date        Time    Version        Size     File name ---  07/26/2000  09:36a                 738,586  System.adm 01/19/2001 05:57a  5.0.2195.2780  370,448  Userenv.dll

You must apply this hotfix to all domain controllers and clients. The hotfix adds a new "Add the Administrators security group to roaming user profiles" policy that must be applied by using Group Policy. To enable this new policy:
 * 1) Start Microsoft Management Console (MMC). On the Console menu, click Add/Remove Snap-in.
 * 2) Add the Group Policy snap-in for the default domain policy. To do so, click Browse when you are prompted to select a Group Policy object (GPO). The default GPO is "Local Computer." Click Browse, and then click Default Domain Policy. You can also add GPOs for other domain partitions (specifically, organizational units).
 * 3) Double-click the following items to open them: Computer Configuration, Administrative Templates, System, and Logon.
 * 4) Click to select the Add the Administrators security group to roaming user profiles check box.
 * 5) Click either Enable or Disable to enable or disable the new policy.



WORKAROUND
To work around this behavior, create the user profile folder ahead of time with the appropriate permissions.



STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article. This problem was first corrected in Windows 2000 Service Pack 2.



MORE INFORMATION
The default location of the System.adm file for a default domain policy is:

%SystemRoot%\Sysvol\Sysvol\ \Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Adm\System.adm

The contents of these folders are replicated throughout a domain by the File Replication service (FRS). Note that the Adm folder is not populated until the default domain policy is loaded for the first time.

For additional information about how to install Windows 2000 and Windows 2000 hotfixes at the same time, click the article number below to view the article in the Microsoft Knowledge Base:

249149 Installing Microsoft Windows 2000 and Windows 2000 Hotfixes

NOTE: Changes to a group policy object are not immediately imposed upon the target systems. To update this policy on the client, run the following command on the client:

Secedit /RefreshPolicy Machine_Policy /Enforce

For additional information about how this operates, please see the following article in the Microsoft Knowledge Base:

227302 Using SECEDIT to Force a Group Policy Refresh Immediately

Additional query words: FRS NTFRS backup restore security manage

Keywords: kbhotfixserver kbqfe kbbug kbfix kbwin2000presp2fix KB222043

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.