Just wondered what other admins do about problems with user profiles,
especially roaming copies on server shares.

The key issue is that the permissions on profile folders are set such that
not even the Administrator or Domain Admin accounts can see or access the
contents. Thus if there is a problem within a profile, the only action
available is to forcibly take possession of the folder, and then over-write
its permissions. Yet, doing so is the functional equivalent of 'wrecking-bar
engineering' and is likely to lead to further damage/trouble.

In these circumstances, do we just say to the user, "Sorry, but we can't
help you, as Microsoft have declared that Adminstrators are not trustworthy
enough to be allowed access to users' files" - Or... what?

Yes, it seems like a good idea to do this when setting-up a domain,
unfortunately it doesn't help when you're dealing with a problem on an
existing server, as it only applies to new accounts.

You wonder why the system was designed like this in the first place.
Commonsense dictates that there should at least be a way (other than hacking)
for an admin to delete expired and useless data. Even this is difficult as it
stands.

"scauffiel" wrote:

>
> You can set a GPO to add the administrator security group to roaming
> user profiles to enable you to work with them. Check out the
> attachment...
>
>
> S.
>
>
> +-------------------------------------------------------------------+
> |Filename: Snap1.jpg |
> |Download: http://forums.techarena.in/attachment.php?attachmentid=8621|
> +-------------------------------------------------------------------+
>
> --
> scauffiel
> ------------------------------------------------------------------------
> scauffiel's Profile: http://forums.techarena.in/members/106880.htm
> View this thread: http://forums.techarena.in/windows-security/1199574.htm
>
> http://forums.techarena.in
>
>

Anteaus <(E-Mail Removed)> wrote:
> Yes, it seems like a good idea to do this when setting-up a domain,
> unfortunately it doesn't help when you're dealing with a problem on an
> existing server, as it only applies to new accounts.
>
> You wonder why the system was designed like this in the first place.
> Commonsense dictates that there should at least be a way (other than
> hacking) for an admin to delete expired and useless data. Even this
> is difficult as it stands.

Agreed, it should be that way by default (or the gpo should also make the
changes to the existing folders).
Time for xcacls.

>
> "scauffiel" wrote:
>
>>
>> You can set a GPO to add the administrator security group to roaming
>> user profiles to enable you to work with them. Check out the
>> attachment...
>>
>>
>> S.
>>
>>
>> +-------------------------------------------------------------------+
>>> Filename: Snap1.jpg |
>>> Download:
>>> http://forums.techarena.in/attachment.php?attachmentid=8621|
>> +-------------------------------------------------------------------+
>>
>> --
>> scauffiel
>> ------------------------------------------------------------------------
>> scauffiel's Profile: http://forums.techarena.in/members/106880.htm
>> View this thread:
>> http://forums.techarena.in/windows-security/1199574.htm
>>
>> http://forums.techarena.in