I'm having problems giving a Domain Local group permissions to a mandatory user profile with Windows Server 2003 R2 SP2 and Windows XP SP3.
I've created a Global group called Sales, and put John and Mary in that group. I then created a Domain Local group called Sales Local and put the Sales group into that. I want John and Mary to use the same mandatory profile.
I logged in as Administrator and went to copy the profile to the appropriate folder \\server01\profiles\sales and also assign the Domain Local group Sales Local permissions to use the profile.
I entered the appropriate path to the new profile location, and then clicked Change on Permitted to Use and selected the Sales Local Domain Local group (Note: I had to click on Object Types and check off Groups to do this).
On the server side, I renamed ntuser.dat to ntuser.man, then tried to log in as John.
The problem is that John doesn't see all of the profile. For example, he will see a text file I placed on the desktop, but he doesn't see the My Documents folder icon that I added to the desktop. Also, if you go to Desktop->Properties, you just see a black screen instead of theme selections, and if you try to add a My Documents folder to the desktop you get an error message that the visual style could not be set.
None of these problems exist if I make Sales a Global group, but I thought with A-G-DL-P, it wasn't "best practice" to give resources permissions based on a Global group. Also, why do I have to take the extra step of checking off "Groups" to give a group permissions to a profile? I saw a "howto" article that mentioned giving "BUILTIN\Users" access to the mandatory profile. That doesn't sound very secure.
What am I missing? Is this a configuration error on my part? A known limitation?
Here's a rundown of what I did:
Spun up a W2K3 R2 Std. Edition x86 SP2 VM with an Active Directory domain.
Created a "Profiles" shared folder on the server VM. Shared with "Everyone / Full Control" share permissions, and set the NTFS to "Administrators - Full Control", "SYSTEM - Full Control", and "Authenticated Users - Read and Execute - This folder only".
Created a "Sales" subfolder of that "Profiles" folder.
Created a domain local group called "Sales (Local)" and a global group called "Sales (Global)".
Created two user accounts - "John" and "Mary". Left their default "Domain Users" group membership intact and added them as members to the "Sales (Global)" group.
Logged-on to a Windows XP Professional Service Pack 3 VM as "john" and created a new local profile. Set the desktop color to red (for quick visual indication of the loading of that profile) and logged-off.
Logged-on to the WinXP machine as the domain Administrator account and used the "User Profiles" functionality in the properties of "My Computer" to copy the newly-created "john" user profile to the "Profiles" share on the server computer, granting "Sales (Local)" the "Permitted to use" permission.
Back on the server computer I modified the security of the "Sales" subfolder of the "Profiles" folder to inherit permission from the parent folder and added "Sales (Local) - Read and Execute". I re-applied that permission to all subfolders.
I renamed the "NTUSER.DAT" file in the "\Profiles\Sales" folder to "NTUSER.MAN".
I modified the properties of the "John" and "Mary" user accounts to specify a roaming user profile at "\\SERVER\Profiles\Sales".
I logged-on to the Windows XP machine as "Mary" (who had never been logged-on before) and verified that I received the red desktop background. I modified the desktop background color, logged-off, logged-on again, and verified that the red desktop color persisted (meaning that the mandatory user profile was applying).
I logged-on as "John" and performed the same verification steps as with "Mary".
Everything worked as I expected by specifying "Sales (Local)" in all permissions. I'm at a loss as to tell you what might be different about what you did. What do you see that I did differently?
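The answer above lists the NTFS permissions and the NTUSER.DAT to NTUSER.MAN rename that made the mandatory profile load with a domain local group holding the permission. The following PowerShell script is an added example, not code from either poster; it verifies that layout on the server so a mismatch between the two setups can be found before users log on. It assumes the script runs on the file server, that the share is backed by C:\Profiles, that the domain's NetBIOS name is CORP, and that the groups are named as in the answer; all of these are placeholders to adjust.

```powershell
# Added example (not from the original question or answer): check that a mandatory
# profile folder carries the file layout and NTFS permissions described in the answer.
# Assumptions (placeholders): runs locally on the file server, share root is C:\Profiles,
# domain NetBIOS name is CORP, group names match the answer. Needs PowerShell 2.0 or later.

$ProfileRoot = 'C:\Profiles'              # local folder behind the \\SERVER\Profiles share (assumed)
$ProfileDir  = Join-Path $ProfileRoot 'Sales'
$Domain      = 'CORP'                     # assumed domain NetBIOS name
$LocalGroup  = "$Domain\Sales (Local)"    # the domain local group that should hold the resource permission

function Test-MandatoryProfileLayout {
    param([string]$Path)
    # A mandatory profile is signalled purely by the NTUSER.MAN file name.
    $problems = @()
    if (-not (Test-Path (Join-Path $Path 'NTUSER.MAN'))) {
        $problems += "NTUSER.MAN is missing in $Path (profile would load as roaming, not mandatory)"
    }
    if (Test-Path (Join-Path $Path 'NTUSER.DAT')) {
        $problems += "NTUSER.DAT is still present in $Path alongside NTUSER.MAN"
    }
    return $problems
}

function Get-ProfileAclReport {
    param([string]$Path, [string]$Group)
    $acl = Get-Acl -Path $Path
    $readExec = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute
    # Find an Allow entry (explicit or inherited) for the group that covers Read and Execute.
    $ace = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $Group -and
        $_.AccessControlType -eq 'Allow' -and
        (($_.FileSystemRights -band $readExec) -eq $readExec)
    }
    New-Object PSObject -Property @{
        Path               = $Path
        GroupHasReadExec   = [bool]$ace
        InheritsFromParent = -not $acl.AreAccessRulesProtected
        Owner              = $acl.Owner
    }
}

function Grant-ProfileReadExecute {
    param([string]$Path, [string]$Group)
    # Adds "Read and Execute" for the group, inherited by subfolders and files,
    # matching the permission the answer applied to the Sales folder and its children.
    $acl  = Get-Acl -Path $Path
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Group,
        [System.Security.AccessControl.FileSystemRights]::ReadAndExecute,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

# Report on the profile root folder.
Test-MandatoryProfileLayout -Path $ProfileDir
Get-ProfileAclReport -Path $ProfileDir -Group $LocalGroup | Format-List Path, GroupHasReadExec, InheritsFromParent, Owner

# The answer re-applied the permission to all subfolders, so list any subfolder where
# the group is not granted Read and Execute.
Get-ChildItem -Path $ProfileDir -Recurse |
    Where-Object { $_.PSIsContainer } |
    ForEach-Object { Get-ProfileAclReport -Path $_.FullName -Group $LocalGroup } |
    Where-Object { -not $_.GroupHasReadExec } |
    Format-Table Path, InheritsFromParent, Owner -AutoSize

# To apply the missing permission, run (uncomment after reviewing the report):
# Grant-ProfileReadExecute -Path $ProfileDir -Group $LocalGroup
```

Any subfolder listed by the last pipeline is one where the domain local group cannot read part of the profile, which would match the symptom in the question of some desktop items loading and others not. The report also prints the owner of each folder, which is worth comparing between the working and the non-working setup, since the question and answer differ only in which group holds the permission.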