Help needed in creating roaming Profiles in AD

Steve

Hi
I have set the user profiles in AD so that the users are
mapped with a home directory as well as a roaming profile. The roaming
profiles are mapped to a shared folder called Profiles on a member
server.

The Profiles folder share is called Profiles$ and has only the Domain
Users group with Change and Read share rights. The Domain Admin group
has Full share rights.

On the security tab of the Profiles share there is no inherit from
parent rights. The Domain Admin group has Full Control and the Domain
Users has all other rights but not Full control.

When I log in as a Domain user all seems OK.

But when I try to access the profile folder of a Domain user and as
Domain Administrator I get access denied even though the user has been
logged off.

I am trying to create a secure environment but I am unsure as to
whether this is due to rights or just a feature of Win2K as I would
like to enable access for Domain Admins to modify or even delete the
Domain Users profile in the event of problems which I was able to do
when using NT4.

Thanks

Steve
 
Guest

I think for your share permission of profiles$ you can retain it as Everyone
Full Control. For a specific user profile folder, you can set the NTFS
permission with that user Full Control. For admins, you can set all
permissions as Full Control as well.

BR,
Denis
 
Lanwench [MVP - Exchange]

Steve said:
> Hi
> I have set the user profiles in AD so that the users are
> mapped with a home directory as well as a roaming profile. The roaming
> profiles are mapped to a shared folder called Profiles on a member
> server.
>
> The Profiles folder share is called Profiles$ and has only the Domain
> Users group with Change and Read share rights. The Domain Admin group
> has Full share rights.
>
> On the security tab of the Profiles share there is no inherit from
> parent rights. The Domain Admin group has Full Control and the Domain
> Users has all other rights but not Full control.

I always set up the parent profiles folder with domain users=full control as
well. Good that you're using a hidden share, BTW.

> When I log in as a Domain user all seems OK.
>
> But when I try to access the profile folder of a Domain user and as
> Domain Administrator I get access denied even though the user has been
> logged off.

Normal behavior - things have changed since NT4. See
http://support.microsoft.com/default.aspx?scid=KB;EN-US;q268019&

> I am trying to create a secure environment but I am unsure as to
> whether this is due to rights or just a feature of Win2K as I would
> like to enable access for Domain Admins to modify or even delete the
> Domain Users profile in the event of problems which I was able to do
> when using NT4.

You'll need to take ownership of the profiles folder/s as Administrators
(the *group*, not Administrator the user) and reset the NTFS permissions. Or
not. Up to you....depends whether you need full access to the users' profile
folders.
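
An added example, not part of the thread and not any poster's own script: a PowerShell audit of each folder under the profiles root that reports the owner and whether the Administrators group has Full Control, and with `-Fix` applies the take-ownership and permission reset described in the last reply. It assumes an elevated session on the member server, PowerShell 3.0 or later, and a Windows version that ships `takeown.exe` and `icacls.exe`; the path `D:\Profiles` is a placeholder.

```powershell
# Added example. Run elevated on the server hosting Profiles$.
param(
    [string]$ProfileRoot = 'D:\Profiles',  # placeholder: local path behind the Profiles$ share
    [switch]$Fix                            # without -Fix the script only reports
)

$adminsSid = 'S-1-5-32-544'   # BUILTIN\Administrators (the group, not the Administrator user)
$systemSid = 'S-1-5-18'       # Local System
$full = [System.Security.AccessControl.FileSystemRights]::FullControl

foreach ($dir in Get-ChildItem -LiteralPath $ProfileRoot -Directory) {
    $owner = '<access denied>'
    $adminFull = $false
    $changed = $false
    try {
        $acl = Get-Acl -LiteralPath $dir.FullName -ErrorAction Stop
        $owner = $acl.Owner
        # Look at explicit and inherited entries, with identities returned as SIDs.
        $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
        foreach ($rule in $rules) {
            if ($rule.IdentityReference.Value -eq $adminsSid -and
                $rule.AccessControlType -eq 'Allow' -and
                ($rule.FileSystemRights -band $full) -eq $full) {
                $adminFull = $true
            }
        }
    } catch {
        # ACL unreadable: the "access denied" case from the thread. Leave $adminFull false.
    }

    if ($Fix -and -not $adminFull) {
        # /A assigns ownership to the Administrators group; /R recurses; /D Y answers prompts.
        takeown.exe /F $dir.FullName /A /R /D Y | Out-Null
        # /grant adds entries and keeps existing ones, so the user's own access is not removed.
        icacls.exe $dir.FullName /grant "*${adminsSid}:(OI)(CI)F" "*${systemSid}:(OI)(CI)F" /T /C | Out-Null
        $changed = ($LASTEXITCODE -eq 0)
    }

    [pscustomobject]@{
        Folder            = $dir.Name
        Owner             = $owner
        AdminsFullControl = $adminFull
        Changed           = $changed
    }
}
```

Run it once without `-Fix` to see which profile folders are locked to their owners before deciding whether administrators need access to all of them.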
 
