Default Permissions on Roaming Profiles

[Sam Zink Jr.]

I'm having trouble customizing default NTFS permissions
for a roaming profile when it is cached on a
workstation. I want want only the user and system to
have full control on the profile folders created on
workstations.

Microsoft Knowledge Base Article - 222043 refers to
roaming profile permissions: "When a roaming profile is
written for the first time, permissions for the created
folder (\\Server\Profile\Username) are System and
Username full control." But this only seems to apply to
the folder on the server, not permissions on the cached
profile on the workstation.

On the workstation, the local administrators group also
has full control of all user profile folders. When a new
user logs on for the first time, how can I get the cached
profile to be set up with only user and system full
control?

 

[Buz [MSFT]]

Hello Sam,

Consider where the local profiles are stored. The default is too inherit
from the parent directory and whoever is creating the profile (local logged
in user) will be owner and have full control.

1. You can modify the permissions on the parent directory (be careful).
2. You can implement the policy to delete locally cached profiles at log
off.

Buz Brodin
MCSE NT4 / Win2K
Microsoft Enterprise Domain Support

Get Secure! - www.microsoft.com/security

This posting is provided "as is" with no warranties and confers no rights.

Please do not send e-mail directly to this alias. This alias is for
newsgroup purposes only.