[gptalk] Re: Roaming Profile

  • From: "Omar Droubi" <omar@xxxxxxxxxxxxxxxxxxxxx>
  • To: <gptalk@xxxxxxxxxxxxx>
  • Date: Tue, 27 Feb 2007 09:41:03 -0800

Maybe I should have read Dinh's email more closely.
 
The only way this scenario would work for Dinh is to add his IT group to the 
local server administrator group on the file server that will store the roaming 
profile directories.
 
My apologies for the mix-up.
 
Omar

________________________________

From: gptalk-bounce@xxxxxxxxxxxxx on behalf of Darren Mar-Elia
Sent: Mon 2/26/2007 9:07 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Roaming Profile



Omar-

Not sure I follow that. If the resulting perms on a profile directory grant 
Administrators, the user and System full Control, how are you granting other 
users or groups access to it?

 

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On 
Behalf Of Omar Droubi
Sent: Monday, February 26, 2007 9:00 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Roaming Profile

 

Dinh and Darren,

 

I actually have this working, and the setting Dinh was referencing did the trick, 
but you have to have the other things in place to make it work:

 

1. On the user object, set the roaming profile location on the terminal server 
profile tab and not on the profile tab, and set it to \\server\share\%username%\

 

Do not precreate the profile folders; let the user logon/logoff process create 
them.

 

2. At the server, create a folder and share it as follows. NTFS: server 
admins - Full Control, Domain Admins - Full Control, Everyone - Modify. Share 
permissions: same as NTFS permissions. If you like, share the folder as TSUsers$ 
to hide it from regular browsing view.

 

3. Create an OU and stick your terminal servers right in it.

 

4. Create a GPO


Computer/admin Templates/System/User Profiles

Add the Administrators security group to roaming user profiles: "Enabled"
Wait for remote user profile: "Enabled"

 

5. Link the GPO to the terminal server OU

 

When the profile gets created it has 3 access control entries: 
Server\Administrators- Full, Domain\User-Full and System-Full.

 

Even though users who knew about the share could create and post data all 
day long, hiding the share helps with that, and once the folder is created by 
the roaming profile process the permissions restrict anyone else from accessing 
that folder data.

 

Omar

 

 

________________________________

From: gptalk-bounce@xxxxxxxxxxxxx on behalf of Darren Mar-Elia
Sent: Mon 2/26/2007 8:36 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Roaming Profile

Dinh

The only way you can do this is by adding that Group to each profile after it's 
created using something like cacls.exe. I don't believe that you can do it at 
the top level profiles share because those profiles that get created do not 
inherit the permissions of the parent folder, for obvious reasons.

 

Darren

 

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On 
Behalf Of DinhDuy
Sent: Monday, February 26, 2007 7:57 PM
To: GPTalk
Subject: [gptalk] Roaming Profile

 

Dear All,

Server: Windows Server 2003

Client: Windows XP SP2

 

By default, roaming profile folders do not allow anyone to access them except 
System and the profile's owner. I want to add the IT group to all profile folders 
so that the IT group can control them. How can I do that?

Thanks.

P.S: I can use Add the Administrators security group to roaming user profiles 
to apply to all roaming profile folders.
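
Added example, not part of the original thread: a PowerShell sketch that reports, for each roaming-profile folder, whether inheritance is blocked and which explicit ACL entries exist (the thread expects Administrators, the user and SYSTEM), and with `-Grant` adds one extra group through cacls.exe as suggested above. The share path `\\server\share` and the group name `EXAMPLE\IT-Group` are placeholders, and the script assumes it runs under an account that already has Full Control on the folders (for example a member of the file server's local Administrators group with the GPO setting enabled).

```powershell
# Added example (not from the thread). $ProfileRoot and $Group are placeholders.
param(
    [string]$ProfileRoot = '\\server\share',     # placeholder UNC path of the profile share
    [string]$Group       = 'EXAMPLE\IT-Group',   # placeholder name for the IT group
    [switch]$Grant                               # without -Grant the script only reports
)

$full = [System.Security.AccessControl.FileSystemRights]::FullControl

foreach ($dir in Get-ChildItem -LiteralPath $ProfileRoot -Directory) {
    $acl = Get-Acl -LiteralPath $dir.FullName

    # Explicit (non-inherited) entries. The thread expects three of them:
    # Administrators, the owning user, and SYSTEM.
    $explicit = @($acl.Access | Where-Object { -not $_.IsInherited })

    # True only if the group already holds an explicit Allow entry with Full Control.
    $groupHasFull = [bool]($explicit | Where-Object {
        $_.IdentityReference.Value -eq $Group -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.FileSystemRights -band $full) -eq $full
    })

    # One report row per profile folder.
    [pscustomobject]@{
        Folder             = $dir.Name
        InheritanceBlocked = $acl.AreAccessRulesProtected
        ExplicitIdentities = ($explicit |
            ForEach-Object { $_.IdentityReference.Value } |
            Sort-Object -Unique) -join '; '
        GroupHasFull       = $groupHasFull
    }

    if ($Grant -and -not $groupHasFull) {
        # /E edits the existing ACL instead of replacing it, /T recurses into
        # the profile, /G grants the listed right (F = Full Control).
        & cacls.exe $dir.FullName /T /E /G "${Group}:F" | Out-Null
    }
}
```

Run it once without `-Grant` to review the current entries, then again after granting to confirm that `GroupHasFull` reads True for every folder.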

 
