Adding administrators group to roaming profile folder without losing current owner

S

Sasa

I have over 200 roaming profiles on a server with Windows 2000 Server.
The point is I can't access the profiles folders even if I'm a domain
administrator. I know there is a policy 'Add the Administrator
security group to the roaming user profile share' that adds the
administrators group, but these profiles are already there and this
policy has to be activated before the profiles are created. It seems
that the only way to access these folders is to change owner but this
way I loose every previous security info about the users.

Is there a tool like subinacl or cacls (these two tools don't help)
that can save me from two years of mouse clicks?
 
D

David Brandt [MSFT]

You can also assign permissions via gpo to files etc. computer
config/windows settings/security settings/file system (you may create an
OU, drop that server in there, and set up gpo for it)
This will assign permissions to the selected files so I'd recommend testing
this out on some junk accounts first as how your folder sturcture and
inheritance etc is set up.

I'd also look at xcacls. That gives you more options/switches and I would
think do the trick for you. (reskit utility)

--
David Brandt
Microsoft Corporation

This posting is provided "AS IS" with no warranties, and confers no rights.
Please do not send e-mail directly to this alias. This alias is for
newsgroup purposes only.
 
S

Sasa

You can also assign permissions via gpo to files etc. computer
config/windows settings/security settings/file system (you may create an
OU, drop that server in there, and set up gpo for it)
This will assign permissions to the selected files so I'd recommend testing
this out on some junk accounts first as how your folder sturcture and
inheritance etc is set up.

I'd also look at xcacls. That gives you more options/switches and I would
think do the trick for you. (reskit utility)
Click to expand...

'xcacls d:\profile\temp\*.* /T /E /G ADMINISTRATORS:F' returns ERROR:
Access denied.

I know I haven't access to this folder, but there must be a workaround
to it since i'm a domain administrator and this roaming profile was
created under my domain on the same physical machine where this domain
exists.

I don't want to become the owner of 'd:\profile\temp' as
administrator, I just want to add a permission, skipping the ownership
process.

About gpo, is the same as taking over the ownership and then changing
the permissions. The default permissions should be User:Full Control,
SYSTEM:Full Control, Administrators:Full Control, with gpo I can't add
SYSTEM since I can't select it from the list (it isn't there).
 
S

Sasa

I have just found the answer, there is no shortcut, some sort of magic
tool that does the job for you batch. If you don't have access to a
folder you have to destroy and reset every permission and security
info prior to accessing it.

I wish to myself good luck
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

GPO Add the administrators security group to roaming user profile 4
Roaming Profile Folder Redirection Logic.. 9
Windows did not load your roaming profile error message 7
Group Policy to delete local profile? 5
Help needed in creating roaming Profiles in AD 2
Roaming Profile " Can't create a file when that file already exist" 9
GPO "add the administrators security group to roaming user profiles 2
GPO question " add the administrators group to roaming user's profilepfo 1

Top