Administrators' profiles deleted when having Guest status

Posted: 12-10-2008, 05:20 PM
Our solution for preventing users from leaving behind profiles on lab
machines has been to add the Domain Users group to the Guests group on those
machines. As long as a user was a member of the Administrators group on the
machine, that user's profile would not be deleted.

I just discovered that with Vista, even Adminstrators' profiles are deleted
in this scenario (of course I mean users with admin rights who are Domain
Users). This happens even if the admin user's profile existed before adding
Domain Users to the Guest group.

I don't know of a Group Policy setting that will delete user profiles, other
than for roaming ones. Can anyone think of a solution for this?

(Fortunately Vista has volume shadow copies of everything by default, so I
was able to restore the important files from my profile after it was deleted!)

Administrators' profiles deleted when having Guest status


Responses to "Administrators' profiles deleted when having Guest status"

Tim Quan [MSFT]
Guest
Posts: n/a
 
RE: Administrators' profiles deleted when having Guest status
Posted: 12-11-2008, 10:11 AM
Hi,

Thank you for posting.

I have tested this issue on my Windows Vista machine and I can reproduce
this issue:

If an domain user belongs to both Domain Guests group and a client's local
Administrators group, when logging on this user account on the client, a
temporarily user profile is created. When logging off this account, this
user profile will be deleted.

It is not recommended to add Domain Users group to (Domain) Guests group.

Now if you would like to prevent users from leaving behind profiles on
clients while preserve administrator profiles, you can use the following
method:

1. For non- clients' administrator domain users, add them to Domain Guests
group. When logging on them on clients, only temporarily profiles will be
created

2. For clients' administrator domain users, add them to clients' local
Administrators group. When logging on them on clients, permanent profiles
will be created.

If anything in my e-mail is unclear or you need further help, don't
hesitate to let me know.

Sincerely,
Tim Quan
Microsoft Online Community Support

==================================================
Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/subscripti...ult.aspx#notif
ications.

With newsgroups, MSDN subscribers enjoy unlimited, free support as opposed
to the limited number of phone-based technical support incidents. Complex
issues or server-down situations are not recommended for the newsgroups.
Issues of this nature are best handled working with a Microsoft Support
Engineer using one of your phone-based incidents.
==================================================

This posting is provided "AS IS" with no warranties, and confers no rights.

Baboon
Guest
Posts: n/a
 
RE: Administrators' profiles deleted when having Guest status
Posted: 12-11-2008, 07:30 PM
Thanks for the quick and clear reponse.

That solution would not work, as we have potentially 10,000 domain users who
would use those machines. If I could put all of the non admin users into a
group that is exactly what I would have done, but there are just too many.

""Tim Quan [MSFT]"" wrote:
> Hi,
>
> Thank you for posting.
>
> I have tested this issue on my Windows Vista machine and I can reproduce
> this issue:
>
> If an domain user belongs to both Domain Guests group and a client's local
> Administrators group, when logging on this user account on the client, a
> temporarily user profile is created. When logging off this account, this
> user profile will be deleted.
>
> It is not recommended to add Domain Users group to (Domain) Guests group.
>
> Now if you would like to prevent users from leaving behind profiles on
> clients while preserve administrator profiles, you can use the following
> method:
>
> 1. For non- clients' administrator domain users, add them to Domain Guests
> group. When logging on them on clients, only temporarily profiles will be
> created
>
> 2. For clients' administrator domain users, add them to clients' local
> Administrators group. When logging on them on clients, permanent profiles
> will be created.
>
> If anything in my e-mail is unclear or you need further help, don't
> hesitate to let me know.
>
> Sincerely,
> Tim Quan
> Microsoft Online Community Support
>
> ==================================================
> Get notification to my posts through email? Please refer to
> http://msdn.microsoft.com/subscripti...ult.aspx#notif
> ications.
>
> With newsgroups, MSDN subscribers enjoy unlimited, free support as opposed
> to the limited number of phone-based technical support incidents. Complex
> issues or server-down situations are not recommended for the newsgroups.
> Issues of this nature are best handled working with a Microsoft Support
> Engineer using one of your phone-based incidents.
> ==================================================
>
> This posting is provided "AS IS" with no warranties, and confers no rights.
>
>
Tim Quan [MSFT]
Guest
Posts: n/a
 
RE: Administrators' profiles deleted when having Guest status
Posted: 12-12-2008, 08:39 AM
Hi,

Thank you for the reply.

I understand it is time-consuming. However, I am afraid that you have to do
so manually since this is the only way to resolve this issue at the current
situation .

Sincerely,
Tim Quan
Microsoft Online Community Support

==================================================
Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/subscripti...ult.aspx#notif
ications.

With newsgroups, MSDN subscribers enjoy unlimited, free support as opposed
to the limited number of phone-based technical support incidents. Complex
issues or server-down situations are not recommended for the newsgroups.
Issues of this nature are best handled working with a Microsoft Support
Engineer using one of your phone-based incidents.
==================================================

This posting is provided "AS IS" with no warranties, and confers no rights.

 
LinkBack Thread Tools Display Modes
 


Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are On
Forum Jump


Similar Threads
Thread Thread Starter Forum Replies Last Post
Local Profiles Deleted after setting policy SWilbers Windows Vista Administration 1 10-11-2007 12:54 PM
big problem, deleted administrators Mike.ONeal Windows Vista Administration 6 09-30-2007 07:51 PM
Account Profiles Deleted - Cannot remember password - Cannot hard Erik Windows XP Configuration & Management 6 02-06-2006 01:22 PM
add domain administrators into local administrators group from GPO rix Windows XP Security & Administration 0 09-26-2003 10:34 PM
User profiles are not being deleted on log out. Robin Windows XP Security & Administration 0 08-07-2003 01:02 PM