User Profile - Folder permissions

[Guest]

Hello,

I don't know if this is the correct message group but we seem to have a
problem with the roaming profiles security settings that we use. It isn't
happening to everybody and it isn't happening at one particular site.

The 'User Profiles' that are stored on the DC's seem to be losing their
security settings for no apparent reason. When an Administrator tries to
access the User's Profile to correct the problem, even they get a 'U don't
have permission to view this folder' as no one has access to the folder. The
Administrator then has to give ownership to the administrator group and
re-add the correct users in the folder permissions. THis fixes the problem,
however, I need to find out why it is happening in the first place.

Any suggestions would be much appreciated.

Thanks.

 

[Roger Abell]

You indicate that no one has access to the folders.
Are you sure that the folders are not granted to their respective
accounts with Full Control, but granted to no other accounts,
including Adminsitrators? Such is a fairly common way for
these to be configured in order to support privacy requirements.
Anyway, there is a group policy setting in the Computer branch
of policies, in the System Administrative templates. Look under
Logon for Add the Administrators group to roaming profiles

 

[Guest]

I am sure that the folder is granted to the respective owners but it is them
who phone in when they get the login error. When the administrator then
tries to have a look, they get the same error that they don't have
permissions to access the folder. This is happening for existing users, so
the users have been able to log on previously.

I don't understand it either but will have a look at your suggestion. I was
wondering whether the roaming profile conflicted with a local/other profile
upon login and the security settings got wiped or something. What else could
clear out the folder security settings?

 

[Roger Abell]

First, from what you have said so far nothing justifies the
statement that something "clears out the folder security
settings". In fact, you are saying that you are sure the
account does have access (but you did not clearly state
what the grant is).

That admins get denied is, or should, be due to absence of
a different grant (to Administrators), than what is involved
for the owning account.

The roaming profile, when copied down, should not be
in conflict with any profile already existing on the local
machine - the system will get inventive with the folder
name to avoid this.

So, to disambiguate cases, if a non-admin account with
a roaming profile defined logs into a client machine to
which it has never logged in, is there a problem? That
is, does this happen only for accounts on some machines,
and those are account that have been used before on those
machines ?

Are the accounts named as the Owners of their profiles
and granted Full control on them ? I realize you said the
profiles are granted to the respective accounts, but you
did not say this that is asked.