Group policy "Only allow local user profiles" – does not apply

My test environment has multiple virtual machines. Some of those machines are in a test sub-domain – it’s convenient to use my normal domain credentials to authenticate in the test environment. I am also using a roaming profile, and it’s inconvenient to have it all over the test environment.

There is a nice GPO, "Only allow local user profiles", which prevents roaming profile creation. I’m using this GPO in the server environment on the primary domain and it has never given me any trouble.

From the beginning of time (at least in the test environment timeline) this GPO wasn’t working on the test machines; roaming profiles were created… I cursed it, but never had the time to diagnose and correct this, and learned to live with the inconvenience.

Today I finally found time to do this, and the underlying cause, as it happens, turned out to be silly. The test environment domain controller machine and the application server machines were created from the same VHD template with a pre-installed OS, thus having the same SID. It turned out that the computer GPO defined on the test environment domain controller wasn’t applied because of the same SID.

If you happen to have a similar problem, use NewSID to change the machine SID.
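
A way to check for the condition described above before GPOs start misbehaving, as an added example that is not part of the original post: it reads the machine SID of each member server and flags any that are shared between machines or equal to the domain SID. The host names and domain name are constructed placeholders; it assumes PowerShell remoting is enabled, the targets run Windows PowerShell 5.1 or later, and the ActiveDirectory module is installed where the script runs.

```powershell
# Added example: detect duplicate machine SIDs on VMs cloned from one template.
# All names below are hypothetical placeholders; replace with your own.
$domainName = 'test.example.com'
$members    = 'TEST-APP01', 'TEST-APP02', 'TEST-APP03'   # member servers only

# SID of the test domain (requires the ActiveDirectory RSAT module).
$domainSid = (Get-ADDomain -Identity $domainName).DomainSID.Value

$results = foreach ($computer in $members) {
    try {
        # A local account SID is <machine SID>-<RID>;
        # AccountDomainSid returns the part without the RID.
        $sid = Invoke-Command -ComputerName $computer -ErrorAction Stop -ScriptBlock {
            (Get-LocalUser | Select-Object -First 1).SID.AccountDomainSid.Value
        }
        [pscustomobject]@{ Computer = $computer; MachineSid = $sid }
    }
    catch {
        # Unreachable hosts are reported, not silently skipped.
        Write-Warning "${computer}: $($_.Exception.Message)"
    }
}

# One row per distinct machine SID, with the hosts that carry it.
$results | Group-Object -Property MachineSid | ForEach-Object {
    [pscustomobject]@{
        MachineSid      = $_.Name
        Computers       = $_.Group.Computer -join ', '
        SharedByMembers = $_.Count -gt 1
        SameAsDomainSid = $_.Name -eq $domainSid
    }
} | Format-Table -AutoSize
```

Any row with `SharedByMembers` or `SameAsDomainSid` set to `True` points at machines that came from the same un-generalized image.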

