Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations strongm on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Roaming Profile Security 2

Status
Not open for further replies.
gt6350a

gt6350a

Programmer
Feb 10, 2003
68
US
I set up roaming profiles on my small network. I do not want users to be able ot view other users roaming profiles. Is there a way to protect a users roaming profile from being viewed from other users?

In other words...John logs on to computer 'A' and then logs off. As a result his roaming profile is sotred onthe computer. Now, Lucy logs on to computer 'A'. She can now access his folders stored on computer 'A'. I want to eliminate Lucy from seeing John's files. How can this be done?

Also, how can I erase a roaming profile form a computer with out erasing the information stored onthe users main computer?

Thanks SO much for your time in advance!
 
Sort by date Sort by votes
Gt6350a,

When you institute roaming profiles, each individuals 'Profiles folder' will automatically be set up by Windows with Full Control for the individual and Full Control for the System. No one else will have any permissions to the contents of the folder.

"Also, how can I erase a roaming profile form a computer with out erasing the information stored on the users main computer"?

I'm not quite sure what you are asking here, can you please calrify.

Patty [ponytails2]

 
Upvote 0 Downvote
Your talking apples and oranges. A roaming profile stores the profile on a server. Thus allowing a user the ability to visit each machine and have there same profile availabe. That folder is secured to the owners creator.

You are talking about local profiles. By default a user can't access another users profile folder. That folder is secured to the owners creator. Make sure users store files within their profiles. Like My Docs and such and not to the root hd.

Hewissa

MCSE, CCNA, CIW
 
Upvote 0 Downvote
Ah sorry Patty. Posted at same time.

Hewissa

MCSE, CCNA, CIW
 
Upvote 0 Downvote
I think there is a misunderstanding.

Let me explain (hopefully) a little better.

Theoretically, I agree with what you both have said however the situation still remins true. When user 'A' logs into a computer and then logs out and then user 'B' logs in. User 'B' is still able to see the locally stored version of user 'A' roaming profile. How can I prevent this from happening? Is there a setting?

Try it. Log into a computer that you have not logged into beofre. Then, log out. Then log in as someone else. Now try to access your profile using the otehr persons log in name. It should work. If it doesn't, what settings do you have implemented that prevents you from seeing the contents of that file?

Thanks!

 
Upvote 0 Downvote
Tried it. Says Access denied. We (I assume Patty is to) are using the default settings. What are you reffering to when you say "User 'B' is still able to see the locally stored version of user 'A' roaming profile"? You mean user A's desktop? Because if it is a true Roaming profile, the profile is stored on a server, therefore making it roaming. The local profile or cached profile resides in Docs and Settings and is creator specific. It is governed by the regisrty which subsequenty establishes the security. Yes the folder is visible but not accessible.

What OS are you using?

Hewissa

MCSE, CCNA, CIW
 
Upvote 0 Downvote
I am using 2000 and XP. NTFS on XP and FAT32 on 2000. I am about to convert 2000 to NTFS to see if problem still exists but on XP it exists for sure.

To answrr your question, yes I mean user 'B' can see user A's desktop, favorites, my documents folder, etc...

How are you saving the roaming profile on your server? what directory is it being sent to? What security settings if any?

The cashed profile is very much visible.
 
Upvote 0 Downvote
It is because you are using FAT32 and not NTFS. FAT32 doesn't allow for granular security. FAT32 only allows for share level security. NTFS will allow the security you are looking for, so yes convert it to NTFS. Remove the profiles and have the users log in again. The security should then be set.

To create a roaming profile:

1 create a share on a server call it Profiles (or whatever)
2 in the users profile specify a profile path to that share. Use the \\servername\profile\%username% to direct the profile to the share on the server.
3 have your users login. The profile will be stored on the server.
4 That being said, a cached profile will remain on the workstation. If NTFS is configured that profile will be secured.

Hewissa

MCSE, CCNA, CIW
 
Upvote 0 Downvote
that doesn't explain why it does not work on my XP machine.... i am still in the process of reformatting my drive....i'll up date you.....thnx...pls stay tuned.
 
Upvote 0 Downvote

Everything that Hewissa has said is true. If user A and user B are simple domain users with no other group affiliations or extended permissions, then they should not be able to open another users profile folder.

Also, you don't have to re-format a drive in order to convert it to the NTFS file system. Simply open a command prompt and type the following,

Convert driveletter: /fs:ntfs

Keep us posted,

Patty [ponytails2]
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

amanua
  • Locked
  • Question
Event ID 4776 Security Log
Replies
0
Views
92
amanua
amanua
wmin3
  • Locked
  • Question
Roaming Profiles not moving to new Windows Server 2012
Replies
0
Views
72
wmin3
wmin3
paramjotsingh
  • Locked
  • Question
Corrupt User Profile
Replies
1
Views
71
2ffat
2ffat
Bigbadjoe
  • Locked
  • Question
Issue with Security sharing folder on Server 2012.
Replies
0
Views
54
Bigbadjoe
Bigbadjoe
Bigbadjoe
  • Locked
  • Question
Issue with Security sharing folder on Server 2008
Replies
1
Views
62
wtotten
wtotten

Part and Inventory Search

Sponsor

Back
Top