Terminal Server Profile Default Permissions

Barrett Wendt

Hi all -

We have set up a share for terminal service profiles and
when a new user logs in it creates a directory for them based
on the AD settings.

example
\\servername\tsprofiles\%username%

The directory gets created properly but the only people
that have permissions are the system account and the user
account. We have the permissions set on the folder to
inherit permissions from the parent but this isn't
happening. Looking for a way to automate adding at least
the local administrators group to any new profile folder
created in this share. What am I missing? This works
correctly for the standard users profile, just not for the
terminal server profile.

Thanks in advance....
 
IBTerry [MSFT]

There is a policy that may help called "Add the administrators security
group to roaming user profiles."

This setting adds the Administrator security group to the roaming user
profile share.

Once an administrator has configured a user's roaming profile, the profile
will be created at the user's next login. The profile is created at the
location that is specified by the administrator.

For Windows 2000 and Windows XP operating systems, the default file
permissions for the newly generated profile are full control, or read and
write access for the user, and no file access for the administrators group.

By configuring this setting, you can alter this behavior.

If you enable this setting, the administrator group is also given full
control to the user's profile folder.

If you disable or do not configure it, only the user is given full control
of their user profile, and the administrators group has no file system
access to this folder.

Note: If the setting is enabled after the profile is created, the setting
has no effect.

Note: The setting must be configured on the client computer, not the
server, for it to have any effect, because the client computer sets the
file share permissions for the roaming profile at creation time.

Note: In the default case, administrators have no file access to the user's
profile, but they may still take ownership of this folder to grant
themselves file permissions.

Note: The behavior when this setting is enabled is exactly the same
behavior as in Windows NT 4.0.

If you don't want to do this you can manually create your user folders
without using %username%. %username% restricts access to the user.

IBTerry [MSFT]
This posting is provided "AS IS" with no warranties, and confers no rights.
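
An added example, not part of the original thread and not Microsoft's code: a PowerShell audit that lists profile folders under the share where the Administrators group lacks Full Control, such as folders created before the policy was enabled. The share path is the placeholder from the question, and the function name `Test-ProfileAcl` is hypothetical.

```powershell
# Added example: audit a profile share for folders without an Administrators ACE.
# $ProfileRoot is an assumed placeholder modelled on the path in the question.
param(
    [string]$ProfileRoot = '\\servername\tsprofiles'
)

# Well-known SID for BUILTIN\Administrators; avoids localized group names.
$adminSid    = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'
$fullControl = [System.Security.AccessControl.FileSystemRights]::FullControl

function Test-ProfileAcl {
    param([string]$Path)

    try {
        $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop
    } catch {
        # If the ACL cannot be read at all, the auditing account has no ACE here,
        # which is the default state described in the reply above.
        return [pscustomobject]@{
            Path = $Path; Owner = $null; InheritanceBlocked = $null
            AdminsFullControl = $false; Note = "ACL unreadable: $($_.Exception.Message)"
        }
    }

    # Ask for rules keyed by SID so the comparison does not depend on name lookup.
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    $adminRule = $rules | Where-Object {
        $_.IdentityReference.Value -eq $adminSid.Value -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.FileSystemRights -band $fullControl) -eq $fullControl
    }

    [pscustomobject]@{
        Path               = $Path
        Owner              = $acl.Owner
        InheritanceBlocked = $acl.AreAccessRulesProtected  # True = parent ACEs not inherited
        AdminsFullControl  = [bool]$adminRule
        Note               = ''
    }
}

# Report only the folders that administrators cannot fully manage.
Get-ChildItem -LiteralPath $ProfileRoot -Directory |
    ForEach-Object { Test-ProfileAcl -Path $_.FullName } |
    Where-Object { -not $_.AdminsFullControl } |
    Format-Table -AutoSize
```

A folder reported with `InheritanceBlocked` set to True matches the symptom in the question, where permissions on the parent share do not reach the new profile directory.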
 
