server 2003 profiles directory permission

server 2003 profiles directory permission
Secure Home | Search | About
Login Password
Register Now! Lost Password?
 Microsoft Applications Security    Post an article   get this group's latest topics as an RSS feed add this group's latest topics to your My MSN content add this group's latest topics to your My Yahoo content add this group's latest topics to your Google content
Subject Author Date
server 2003 profiles directory permission andy smart 10-26-2005
Posted by andy smart on October 26, 2005, 9:45 am
If you were  Registered and logged in, you could reply and use other advanced thread options
Hi

We are having serious grief with our user profiles. We want to achive
the following:
user can both access their roaming profile and have changes written back
administrators can access all roamin profiles stored on server
script run as a scheduled task can replace the desktop folder (its just
something we need to do!)

(ideally we'd like the administrators group to continue to own the profile)

What seems to be happening is that the profile is being created
allright, but administrators do not have access to it once created. They
can take ownership of it but then the user loses access.

Posted by Arek Iskra [MVP] on October 26, 2005, 11:03 am
If you were  Registered and logged in, you could reply and use other advanced thread options
> Hi
>
> We are having serious grief with our user profiles. We want to achive
> the following:
> user can both access their roaming profile and have changes written back
> administrators can access all roamin profiles stored on server
> script run as a scheduled task can replace the desktop folder (its just
> something we need to do!)
>
> (ideally we'd like the administrators group to continue to own the
> profile)
>
> What seems to be happening is that the profile is being created
> allright, but administrators do not have access to it once created. They
> can take ownership of it but then the user loses access.


How about assigning Administrators Full Control to root folder (the one
holding all profiles), leaving default folder inheritance intact (checked)
and giving Creator Owner group Full Control or Modify?

--
Arek Iskra
MVP for Windows Server - Software Distribution



Posted by Byron Hynes [MS] on October 26, 2005, 12:26 pm
If you were  Registered and logged in, you could reply and use other advanced thread options
Investigate the use of this group policy setting:

1. Solution #1 (For new profiles being created)

Computer Configuration > Administrative Templates > System > User Profiles
> Add the Administrators security group to roaming user profiles

This setting adds the Administrator security group to the roaming user profile
share.

Once an administrator has configured a users' roaming profile, the profile
will be created at the user's next login. The profile is created at the location
that is specified by the administrator.

For the Windows 2000 Professional and Windows XP Professional operating systems,
the default file permissions for the newly generated profile are full control,
or read and write access for the user, and no file access for the administrators
group.

By configuring this setting, you can alter this behavior.

If you enable this setting, the administrator group is also given full control
to the user's profile folder.

If you disable or do not configure it, only the user is given full control
of their user profile, and the administrators group has no file system access
to this folder.

(Note this happens at CREATION of the profile only, for existing profiles,
see #2)

2. Solution #2 (For existing profiles):

> They can take ownership of it but then the user loses access.

After taking ownership, the administrator should adjust the ACL so that the
user and the required administrators both have access. If the administrator
does not know how to do this, they should not be an administrator until they
get some training.

3. An added bonus

Make sure that users are aware that there is no expectaion of privacy.


Byron Hynes
Windows Server
Microsoft Corporation

http://spaces.msn.com/members/byronphynes

> Hi
>
> We are having serious grief with our user profiles. We want to achive
> the following:
> user can both access their roaming profile and have changes written
> back
> administrators can access all roamin profiles stored on server
> script run as a scheduled task can replace the desktop folder (its
> just
> something we need to do!)
> (ideally we'd like the administrators group to continue to own the
> profile)
>
> What seems to be happening is that the profile is being created
> allright, but administrators do not have access to it once created.
> They can take ownership of it but then the user loses access.
>



Similar ThreadsPosted
Directory permission special September 17, 2007, 2:24 pm
Partial Profiles Created on a file server September 29, 2006, 5:06 pm
Windows 2003 user Directory Security October 5, 2005, 8:23 pm
Windows 2003 user Directory Security October 5, 2005, 8:24 pm
Need help on Active directory server August 12, 2005, 6:29 am
Permission to Copy Files to Server Folder But Not Edit Them July 1, 2006, 9:26 pm
Do not have permission to view or edit permission settings for a folder June 17, 2005, 7:58 am
Can not use UNC path in Windows server 2003 server 64 bit OS September 30, 2005, 4:19 pm
Re: There is a serious problem within Server 2003 SP1. July 17, 2005, 12:25 am
RE: WIndows Server 2003 July 29, 2005, 12:16 am

The site map in XML format XML site map

Contact Us | Privacy Policy