[gptalk] Re: Roaming Profile

  • From: "Omar Droubi" <omar@xxxxxxxxxxxxxxxxxxxxx>
  • To: <gptalk@xxxxxxxxxxxxx>
  • Date: Mon, 26 Feb 2007 21:00:25 -0800

Dinh and Darren,
I actually have this working, and the setting Dinh was referencing did the trick, 
but you have to have the other things in place to make it work:

1. On the user object, set the roaming profile location on the Terminal Server 
   profile tab and not on the profile tab, and set it to \\server\share\%username%\ 
   Do not precreate the profile folders; let the user logon/logoff process create
2. At the server, create a folder and share it as follows: NTFS - server 
   admins - Full Control, Domain Admins - Full Control, Everyone - Modify. Share 
   permissions same as NTFS permissions. If you like, share the folder as TSUsers$ 
   to hide it from regular browsing view.
3. Create an OU and stick your terminal servers right in it.
4. Create a GPO:

   Computer/admin Templates/System/User Profiles
   Add the Administrators security group to roaming user profiles "Enabled"
   Wait for remote user profile "Enabled"
5. Link the GPO to the terminal server OU.

When the profile gets created it has 3 access control entries: 
Server\Administrators - Full, Domain\User - Full and System - Full.
Even though users who knew about the share could create and post data all 
day long, hiding the share helps with that, and once the folder is created by 
the roaming profile process the permissions restrict anyone else from accessing 
that folder data.


From: gptalk-bounce@xxxxxxxxxxxxx on behalf of Darren Mar-Elia
Sent: Mon 2/26/2007 8:36 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Roaming Profile


The only way you can do this is by adding that Group to each profile after it's 
created using something like cacls.exe. I don't believe that you can do it at 
the top level profiles share because those profiles that get created do not 
inherit the permissions of the parent folder, for obvious reasons.




From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On 
Behalf Of DinhDuy
Sent: Monday, February 26, 2007 7:57 PM
To: GPTalk
Subject: [gptalk] Roaming Profile


Dear All,

Server: Windows Server 2003

Client: Windows XP SP2


By default, roaming profile folders do not allow anyone to access them except 
System and the profile's owner. I want to add the IT group to all profile folders 
so that the IT group can control them. How can I do that?


P.S: I can use Add the Administrators security group to roaming user profiles 
to apply to all roaming profile folders.
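
The thread above describes what a correctly created profile folder looks like: three access control entries (Administrators, the user, System) and nothing inherited from the share root. The PowerShell below is an added example, not code from any poster in the thread, that flags folders departing from that pattern. The function names, the EXAMPLE domain and the sample rows are constructed, and it assumes the server's Administrators group resolves as BUILTIN\Administrators.

```powershell
# Added example (not from the thread). Flags profile folders whose ACL differs
# from the three entries listed in the thread: Administrators, the user, SYSTEM.
function Test-ProfileAcl {
    param(
        [string]$FolderName,           # folder name, assumed to equal the username
        [string]$Domain,               # NetBIOS domain name (assumption)
        [object[]]$Aces,               # rows with IdentityReference and IsInherited
        [string[]]$ExtraAllowed = @()  # e.g. an IT group granted access afterwards
    )
    # Assumption: the local Administrators group resolves as BUILTIN\Administrators.
    $required = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM', "$Domain\$FolderName")
    $allowed  = $required + $ExtraAllowed
    $seen     = @($Aces | ForEach-Object { [string]$_.IdentityReference })
    [pscustomobject]@{
        Folder     = $FolderName
        Unexpected = @($seen | Where-Object { $allowed -notcontains $_ } | Select-Object -Unique)
        Missing    = @($required | Where-Object { $seen -notcontains $_ })
        Inherits   = (@($Aces | Where-Object { $_.IsInherited }).Count -gt 0)
    }
}

# Constructed sample rows shaped like the entries in (Get-Acl $path).Access.
function New-Ace($id, $inherited = $false) {
    [pscustomobject]@{ IdentityReference = $id; IsInherited = $inherited }
}
$sample = [ordered]@{
    # Folder created by the logon/logoff process with the GPO applied
    'jsmith' = @((New-Ace 'BUILTIN\Administrators'), (New-Ace 'NT AUTHORITY\SYSTEM'),
                 (New-Ace 'EXAMPLE\jsmith'))
    # Constructed bad case: inherited Everyone entry, no Administrators entry
    'adoe'   = @((New-Ace 'NT AUTHORITY\SYSTEM'), (New-Ace 'EXAMPLE\adoe'),
                 (New-Ace 'Everyone' $true))
}
foreach ($name in $sample.Keys) {
    Test-ProfileAcl -FolderName $name -Domain 'EXAMPLE' -Aces $sample[$name]
}

# Against the live share (server name is the thread's placeholder):
# Get-ChildItem '\\server\TSUsers$' -Directory | ForEach-Object {
#     Test-ProfileAcl -FolderName $_.Name -Domain 'EXAMPLE' -Aces (Get-Acl $_.FullName).Access
# }
```

Pass the IT group's name in -ExtraAllowed if it has been granted on each folder, so that it is not reported as unexpected.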

