Omar- Not sure I follow that. If the resulting perms on a profile directory grant Administrators, the user and System full Control, how are you granting other users or groups access to it? From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Omar Droubi Sent: Monday, February 26, 2007 9:00 PM To: gptalk@xxxxxxxxxxxxx Subject: [gptalk] Re: Roaming Profile Dinh and Darren, I actually have this working and the setting Dinh was referencing did the trick but you to have the other things in place to make it work: 1. on the user object set the roaming profile location on the terminal server profile tab and not on the profile tab and set it to <file:///\\server\share\%25username%25\> \\server\share\%username%\ Do not precreate the profile folders let the user logon/logoff process create it. 2. At the server create a folder and share it as follows: NTFS- server admins-Full Control, Domain Admins- Full Control, Everyone- Modify. Share permissions Same as NTFS permissions. If you like- share the folder as TSUsers$ to hide it from regular browsing view. 3. Create an OU and stick your terminal servers right in it. 4. Create a GPO Computer/admin Templates/System/User Profiles Add the Administrators security group to roaming user profiles "Enabled " Wait for remote user profile "Enabled" 5. Link the GPO to the terminal server OU When the profile gets created it has 3 access control entries: Server\Administrators- Full, Domain\User-Full and System-Full. Even though if users knew about the share they could create and post data all day long but hiding the share helps with that and once the folder is created by the roaming profile process the permissions restrict anyone else from accessing that folder data. Omar _____ From: gptalk-bounce@xxxxxxxxxxxxx on behalf of Darren Mar-Elia Sent: Mon 2/26/2007 8:36 PM To: gptalk@xxxxxxxxxxxxx Subject: [gptalk] Re: Roaming Profile Dinh The only way you can do this is by adding that Group to each profile after its created using something like cacls.exe. I don't believe that you can do it at the top level profiles share because those profiles that get created do not inherit the permissions of the parent folder, for obvious reasons. Darren From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of DinhDuy Sent: Monday, February 26, 2007 7:57 PM To: GPTalk Subject: [gptalk] Roaming Profile Dear All, Server: Windows Server 2003 Client: Windows XP SP2 As default, roaming profile folders do not allow anyone access them except System and profile's owner. I want to add Group of IT to all profile folders in order that Group of IT can control them. How can I do that? Thanks. P.S: I can use Add the Administrators security group to roaming user profiles to apply to all roaming profile folders.