Re: server 2003 profiles directory permission

From: andy smart (anonymous_at_discussions.microsoft.com)
Date: 10/27/05


Date: Thu, 27 Oct 2005 10:00:24 +0100

Thanks, a follow-up question Byron, if I may?

At which level of GPO does one implement this solution? The Domain
Controllers OU or the Default Domain Policy?

best wishes
andy

Byron Hynes [MS] wrote:
> Investigate the use of this group policy setting:
>
> 1. Solution #1 (For new profiles being created)
>
> Computer Configuration > Administrative Templates > System > User Profiles >
> Add the Administrators security group to roaming user profiles
>
>
> This setting adds the Administrator security group to the roaming user
> profile share.
>
> Once an administrator has configured a user's roaming profile, the
> profile will be created at the user's next login. The profile is created
> at the location that is specified by the administrator.
>
> For the Windows 2000 Professional and Windows XP Professional operating
> systems, the default file permissions for the newly generated profile
> are full control, or read and write access for the user, and no file
> access for the administrators group.
>
> By configuring this setting, you can alter this behavior.
>
> If you enable this setting, the administrator group is also given full
> control to the user's profile folder.
>
> If you disable or do not configure it, only the user is given full
> control of their user profile, and the administrators group has no file
> system access to this folder.
>
> (Note this happens at CREATION of the profile only, for existing
> profiles, see #2)
>
> 2. Solution #2 (For existing profiles):
>
>> They can take ownership of it but then the user loses access.
>
>
> After taking ownership, the administrator should adjust the ACL so that
> the user and the required administrators both have access. If the
> administrator does not know how to do this, they should not be an
> administrator until they get some training.
>
> 3. An added bonus
>
> Make sure that users are aware that there is no expectation of privacy.
>
>
> Byron Hynes
> Windows Server
> Microsoft Corporation
>
> http://spaces.msn.com/members/byronphynes
>
>> Hi
>>
>> We are having serious grief with our user profiles. We want to achieve
>> the following:
>> user can both access their roaming profile and have changes written back
>> administrators can access all roaming profiles stored on server
>> script run as a scheduled task can replace the desktop folder (it's just
>> something we need to do!)
>> (ideally we'd like the administrators group to continue to own the
>> profile)
>>
>> What seems to be happening is that the profile is being created
>> all right, but administrators do not have access to it once created.
>> They can take ownership of it but then the user loses access.
>>
>
>
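
The repair described in Solution #2 above (take ownership, then put both the user and the administrators back on the ACL), as an added example that is not part of the original thread. It assumes the profiles sit under the hypothetical path D:\Profiles, that each folder is named exactly after the user's account, that the domain is the placeholder EXAMPLE, and that icacls.exe is available (Windows Server 2003 SP2 or later).

```batch
@echo off
rem Added example, not from the thread. ROOT and DOMAIN are placeholders.
rem Assumes every folder under ROOT is named exactly like the owning account.
setlocal
set "ROOT=D:\Profiles"
set "DOMAIN=EXAMPLE"

for /d %%P in ("%ROOT%\*") do (
    echo Repairing %%~nxP

    rem Step 1: make the Administrators group (/A) the owner of the whole
    rem tree (/R). /D Y answers the prompt shown when a subfolder cannot
    rem be listed with the current permissions.
    takeown /F "%%P" /A /R /D Y >nul

    rem Step 2: add (not replace) full control for the user, Administrators
    rem and SYSTEM. (OI)(CI) makes the entry inherit to files and subfolders,
    rem /T walks the existing tree, /C continues past individual errors.
    icacls "%%P" /grant "%DOMAIN%\%%~nxP:(OI)(CI)F" ^
                 /grant "BUILTIN\Administrators:(OI)(CI)F" ^
                 /grant "SYSTEM:(OI)(CI)F" /T /C /Q

    rem A folder whose name does not match an account fails here and is
    rem reported instead of being left half-repaired without notice.
    if errorlevel 1 echo   FAILED for %%~nxP - check the folder/account name
)
endlocal
```

Run it from an elevated prompt as a member of the server's Administrators group, and spot-check one profile with `icacls "D:\Profiles\<user>"` before relying on it for all of them.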


