Roaming profiles NTFS rights

[IceBall]

When I create a roaming user and he logon for the first time and logs out a folder will be created for him. The NTFS permissions will be FC for that user and he will be the owner, the administrator is lockedout.
I dont want that! I want to have FC to as an administrator. how? I cant give myself permissons....

/viking

 

[jrbarnett]

Viking

1. Make sure the user is not logged on.
2. Logon as Administrator on the server
3. Open explorer and navigate to the folder
4. Right click the folder in Explorer, properties, security, advanced, owner tab
5. Take ownership to yourself.
6. Add the Administrators group with full control to the security.
7. Logon as user, go to home folder, right click, properties, security, advanced, take ownership. Remember to tick the "Replace owner on subcontainers and objects" tickbox on this tab.

This should do it, so you now have the Administrators group added to the user accounts with full control to the home folders. The original account holder is marked as Owner so it will count towards any disk quotas in place etc.

John

 

[IceBall]

Thanks for your help!

But there are som thing that I dont understand yet:

If I do like you say I have to do this on every user that login with a roaming profile (or?) And I have to know the users password. So this will not work in a "real", bigger network.
I want to have access to all roaming profiles on my system....
About step 6: SYSTEM need permission to (or?)

/Viking

 

[jrbarnett]

Yes, System has full control as well. However, I have to point out that my system is a test one (working towards Win2K3 MCSA) and as such I wouldn't classify anything as "normal setup".

As a responsible administrator, I wouldn't be going into people's home directories or profiles without their permission either, which means doing it from the desktop of their workstation. You are quite correct that doing this on many accounts would take a long time.
The only right that would routinely need to gain access to their files is a Backup operator account for backup and restore operations.

John

 

[Zelandakh]

To take ownership as detailed above you DON'T need the users password.

But the profile folder is for the USER and can contain "My Documents". Therefore MS sets the permissions so that only the user has access - it is by design.

 

[IceBall]

Hi John! Your right that nobody likes that an administrator going in to theres profiles and lock around but in some situations the admin maybe have to putt somting on there desktops or someting like that....
Anyway I got an answer on anouther forum that guide me to what I was looking for... so here it is:

"You should do this with a group policy.

Computer Configuration
Administrative Templates
System
User Profiles
Add the Administrators security group to roaming user profiles.
(Probably have to add the computer to the OU).

If you already created the profile. You need to take ownership of the folder/files and set the appropriate perms. So go to Security => Advanced in the profile folder. Ownership, click on administrators then click on that checkbox at the bottom (I forgot what it says exactly but something like, replace ownership on all items in this tree).

Then go back to the permissions screen and give full access to the admins group (also make you sure you click the box that says, apply to all files under this tree). AFter you do that, you probably want to go back to the ownership screen and give back ownership to the original user."

/viking

 

[IceBall]

Hi Zelandakh

You say "....as detailed above you DON'T need the users password."

I understand step 7 that John gave me that Im logon as the user and then I will need his password.... or do I understand him wrong....


/Viking