The Linux Page

Windows 2000 SP4, new logon policy forced to Roaming by default.

Not too long ago, I accepted the update from Microsoft to go to MS-Windows 2000 SP4. Neat. Except that when I rebooted (I think the 2nd time, but not totally sure, my wife used the computer in between, it seems...) it could not load my profile anymore.

At first I thought that the registry got erased and I just tried a reboot after doing some setup. I had not seen the messages appear on reboot since I was working on another computer while the w2k was booting. Nope... it could not log me in because my roaming account was not properly set up. Roaming account?! This is a standalone platform!!! Hmmm...

Well, yes! New policy without telling the users, bing, no right to log in to your own usual account. But it still logged me in as an administrator. How secure is that?! Anyway...

The answer (that I still need to check to make sure) is to add a new console profile policy (don't ask me). To do that, you must start the console (ever heard of that one on Windows 2000? must be a new thing... new to me for sure!) So, use your Start menu + Run (bottom left, Run is like the second menu entry from the bottom) and enter mmc in the text field and hit Run. Not too sure what mmc stands for, 'c' is probably for Console. The first 'm' may be Microsoft... Anyway, I'm getting distracted here.

Once the console is open, it is likely to be empty since you never had to deal with that crap ever before (yeah, I know). So, go to the Console menu at the top left of that window and select Add/Remove Snap-in ... (Ctrl-M). This opens a new window. It should come up with the Standalone tab selected and the Console Root in the drop down. Below is an empty list and a set of buttons. Click on the Add... button. A new window with a list of policies appears. Scroll until you see Group Policy. Click on that and then Add. This opens a new window (yep, you've got a stack of 4 plus my page here... he! he!) That last window should say "Local Computer". Without any roaming whatever, just click on Finish. (i.e. Local Computer means Standalone).

Okay! Now you see a new entry in the Add/Remove Snap-in window. The Add window is still open. Close it, then close the Add/Remove Snap-in window too by clicking OK. The MDI Console window shows the new entry! Yeah! The name is Local Computer Policy. Open it up, it shows you a bunch of things...

So... open it like this:

+  Local Computer Policy
  +  Computer Configuration
    +  Administrative Templates
      +  System
        +  Logon

Then click on Logon so it is selected (dark blue). At that point a list of entries appears on the right side. Scroll if necessary until you see Do not check for user ownership of Roaming Profile Folders.

Click on that entry with your right mouse button and select Properties. Then select Enabled in that window and click OK [1].

And now I have to test that it actually does work!

Okay... so, first try did not work because I used Disabled instead of Enabled. However, it will ask you to save the changes. You can save them in the default location that it gives you (i.e. TEMP folder) and it will save properly. For your information, the files are under C:\WINNT\system32 and the file you want to open is called gpedit. It would make more sense to me to open one of those files, rather than use the Snap-In feature. Much less confusing!

Information found on the following pages:

http://support.microsoft.com/kb/327462
http://support.microsoft.com/kb/307882

Sample of the Console when opened with the Logon open and the Do not check for user ownership of Roaming Profile Folders

  • [1] Note that the selection is negative. It makes sense, but it is definitely confusing.