[gptalk] Re: Roaming Profile

  • From: "Darren Mar-Elia" <darren@xxxxxxxxxx>
  • To: <gptalk@xxxxxxxxxxxxx>
  • Date: Mon, 26 Feb 2007 21:07:18 -0800

Omar-

Not sure I follow that. If the resulting perms on a profile directory grant
Administrators, the user and System full Control, how are you granting other
users or groups access to it?

 

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Omar Droubi
Sent: Monday, February 26, 2007 9:00 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Roaming Profile

 

Dinh and Darren,

 

I actually have this working, and the setting Dinh was referencing did the
trick, but you have to have the other things in place to make it work:

 

1. On the user object, set the roaming profile location on the Terminal
Server Profile tab and not on the Profile tab, and set it to
\\server\share\%username%\

 

Do not precreate the profile folders; let the user logon/logoff process
create them.

 

2. At the server create a folder and share it as follows: NTFS- server
admins-Full Control, Domain Admins- Full Control, Everyone- Modify. Share
permissions Same as NTFS permissions. If you like- share the folder as
TSUsers$ to hide it from regular browsing view.

 

3. Create an OU and stick your terminal servers right in it.

 

4. Create a GPO


Computer/admin Templates/System/User Profiles

Add the Administrators security group to roaming user profiles "Enabled"
Wait for remote user profile "Enabled"

 

5. Link the GPO to the terminal server OU

 

When the profile gets created it has 3 access control entries:
Server\Administrators- Full, Domain\User-Full and System-Full.

 

Even though users who knew about the share could create and post data
all day long, hiding the share helps with that, and once the folder is
created by the roaming profile process the permissions restrict anyone else
from accessing that folder's data.

 

Omar

 

 

  _____  

From: gptalk-bounce@xxxxxxxxxxxxx on behalf of Darren Mar-Elia
Sent: Mon 2/26/2007 8:36 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Roaming Profile

Dinh

The only way you can do this is by adding that Group to each profile after
it's created using something like cacls.exe. I don't believe that you can do
it at the top level profiles share because those profiles that get created
do not inherit the permissions of the parent folder, for obvious reasons.

 

Darren

 

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of DinhDuy
Sent: Monday, February 26, 2007 7:57 PM
To: GPTalk
Subject: [gptalk] Roaming Profile

 

Dear All,

Server: Windows Server 2003

Client: Windows XP SP2

 

By default, roaming profile folders do not allow anyone to access them except
System and the profile's owner. I want to add the IT group to all profile
folders so that the IT group can control them. How can I do that?

Thanks.

P.S: I can use Add the Administrators security group to roaming user
profiles to apply to all roaming profile folders.
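
The thread describes each created profile folder as carrying three access control entries (Administrators, the user, System) and not inheriting from the parent share. The following PowerShell audit is an added example, not code from any poster in this thread; it lists folders that deviate from that expectation. The share path, the domain name, the English account names and the folder-name-equals-username convention are assumptions.

```powershell
# Added example (not from the thread): report roaming-profile folders whose ACL
# differs from the three ACEs described above (Administrators, the user, SYSTEM).
param(
    [string]$ProfileRoot = '\\server\TSUsers$',  # placeholder share path (assumption)
    [string]$Domain      = 'EXAMPLE'             # placeholder NetBIOS domain (assumption)
)

function Get-UnexpectedProfileAce {
    param([string]$Root, [string]$Domain)

    foreach ($dir in Get-ChildItem -LiteralPath $Root -Directory) {
        # Assumption: each folder is named after its user (%username%).
        $expected = @(
            'BUILTIN\Administrators',   # English well-known names (assumption)
            'NT AUTHORITY\SYSTEM',
            "$Domain\$($dir.Name)"
        )
        $acl = Get-Acl -LiteralPath $dir.FullName

        # A profile folder should not inherit the parent's Everyone-Modify ACE.
        if (-not $acl.AreAccessRulesProtected) {
            [pscustomobject]@{
                Folder = $dir.FullName; Identity = '(inheritance enabled)'
                Rights = $null; Inherited = $true
            }
        }
        foreach ($ace in $acl.Access) {
            $id = $ace.IdentityReference.Value
            if ($expected -notcontains $id) {
                [pscustomobject]@{
                    Folder = $dir.FullName; Identity = $id
                    Rights = $ace.FileSystemRights; Inherited = $ace.IsInherited
                }
            }
        }
    }
}

Get-UnexpectedProfileAce -Root $ProfileRoot -Domain $Domain |
    Sort-Object Folder, Identity |
    Format-Table -AutoSize
```

Folders created by hand in the share rather than by the profile process show up with inheritance enabled, and a group added deliberately (such as an IT group) appears in the report until it is added to the expected list.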

 
