Previously in this mini series (part 1, part 2), the question was asked: what are the likely dangers if all of the users are in the Domain Admins group, and what pitfalls could occur if the users were removed from this group?
The answer? The users' profiles would get deleted when they logged out of their machines! A very unexpected result, but as mentioned in part 2, the previous administrators decided to add everybody to all of the domain user groups to ensure that everybody could do anything on the network, so the network administrators would not be bothered with user permission requests. Unfortunately, adding everyone to every group includes the Domain Guests group. It is a VERY little known fact that if you are a member of Domain Guests, your profile is deleted when you log off the network. After all, you are a guest in the domain, so why keep your settings? The saving grace for the previous company was that if you are also a member of Domain Admins, your profile is not deleted. See Microsoft KB Article 165398 for documentation on this fact.
Once the users were removed from the Domain Admins group, they were still members of Domain Guests but no longer had the Domain Admins exemption, so as they logged off the network, their profiles were deleted. This included all files in My Documents, their archived email, desktop icons and the work they were currently doing (stored on their desktop), as all these files were stored in the default location, c:\documents and settings, on the desktop machine, in their profile.
Once it was discovered that the profiles were getting deleted after logging off, everyone was told not to log off whilst I did some research to find out why this was happening, and the above knowledge base article was found. Everybody was removed from Domain Guests, but the problem still existed for the users who were currently logged on, as group membership is refreshed at logon, so everyone was still a member of Domain Guests and therefore the profile would be deleted! For the first time in my life I was actually telling people to turn off their computers at the power switch rather than logging off and shutting down their computer. By pulling the power, the logoff functions would not run, the profiles would not be deleted, and the subsequent logons and logoffs would work as originally intended.
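A pre-change audit for the situation described above, as an added example that is not part of the original post: it lists every user who is in Domain Guests and shows whether Domain Admins membership is the only thing keeping their profile. It assumes the RSAT ActiveDirectory module and the default English group names; the function name `Get-GuestProfileRisk` is hypothetical.

```powershell
# Added example (not from the original post).
# Assumes the RSAT ActiveDirectory module and default English group names.
Import-Module ActiveDirectory

function Get-GuestProfileRisk {
    param(
        [string]$GuestGroup = 'Domain Guests',
        [string]$AdminGroup = 'Domain Admins'
    )

    # Index Domain Admins by SID. -Recursive also counts nested-group membership.
    $admins = @{}
    Get-ADGroupMember -Identity $AdminGroup -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object { $admins[$_.SID.Value] = $true }

    # Every user in Domain Guests is affected by the behaviour described above;
    # the only question is whether Domain Admins currently masks it.
    Get-ADGroupMember -Identity $GuestGroup -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object {
            $isAdmin = $admins.ContainsKey($_.SID.Value)
            [pscustomobject]@{
                SamAccountName = $_.SamAccountName
                InDomainAdmins = $isAdmin
                Status         = if ($isAdmin) {
                    'Protected only by Domain Admins membership'
                } else {
                    'Profile deleted at logoff'
                }
            }
        }
}

# Review this list before touching Domain Admins membership.
Get-GuestProfileRisk |
    Sort-Object Status, SamAccountName |
    Format-Table -AutoSize
```

Going by the behaviour the post describes, any account reported here should be taken out of Domain Guests and allowed to log off and back on while it is still in Domain Admins, so the refreshed logon no longer carries the guest membership before the admin membership is removed.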
As you can imagine, the solution to this perplexing problem was very welcome after a VERY long weekend. I hope you have enjoyed this mini series. Let us know whether you would like similar series to run. What did you like or not like about the series? My goal was to make you think, impart a little known fact that might help someone else and give you an answer to Mike Mcbride’s question: What did you learn this week?