RE: User Profile Access Denied on Certain Users

From: Ken Zhao [MSFT] (v-kzhao_at_online.microsoft.com)
Date: 09/16/05


Date: Fri, 16 Sep 2005 06:33:41 GMT

Hello,

Thank you for using the newsgroup!

From your post, in fact, some group policy objects are related to the
roaming profile security setting. You may refer to the following
configurations:

Computer Configuration\Administrative Templates\System\User Profiles\Add the Administrators security group to roaming user profiles

This setting adds the Administrator security group to the roaming user
profile share. Once an administrator has configured a user's roaming
profile, the profile will be created at the user's next login. The profile
is created at the location that is specified by the administrator. For the
Windows 2000 Professional and Windows XP Professional operating systems,
the default file permissions for the newly generated profile are full
control, or read and write access for the user, and no file access for the
administrators group. By configuring this setting, you can alter this
behavior. If you enable this setting, the administrator group is also
given full control to the user's profile folder.

Computer Configuration\Administrative Templates\System\User Profiles\Do not check for user ownership of Roaming Profile Folders

This setting disables the more secure default setting for the user's
roaming user profile folder. Once an administrator has configured a user's
roaming profile, the profile will be created at the user's next login. The
profile is created at the location that is specified by the administrator.
For Windows 2000 Professional pre-SP4 and Windows XP pre-SP1 operating
systems, the default file permissions for the newly generated profile are
full control access for the user and no file access for the administrators
group. No checks are made for the correct permissions if the profile folder
already exists. For Windows Server 2003 family, Windows 2000 Professional
SP4 and Windows XP SP1, the default behavior is to check the folder for the
correct permissions if the profile folder already exists, and not copy
files to or from the roaming folder if the permissions are not correct. By
configuring this setting, you can alter this behavior.

For more information, please refer to the following article:

Group Policy Recommendations for Roaming User Profiles: Group Policy
<http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/DepKit/9fa19668-626c-463e-9812-fa46e85c787b.mspx>

Security Recommendations for Roaming User Profiles Shared Folders: Group Policy
<http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/DepKit/20b15453-f7c9-4cf0-9131-78924af77655.mspx>

Hope the information helps!

Thanks & Regards,

Ken Zhao

Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security

=====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.

--------------------
| From: "Smurfman" <smurfman@news.postalias>
| Subject: User Profile Access Denied on Certain Users
| Date: Thu, 15 Sep 2005 08:51:08 -0700
| Message-ID: <30A73ED9-53A8-4A90-BA79-21FC6B04756F@microsoft.com>
| Newsgroups: microsoft.public.win2000.security
|
| I am running into a situation where I am getting a few users that have
| roaming profiles, in which I can not access their home directory on the
| server when they are logged in, or even after they log off the network.
|
| Two things have happened that made me notice this.
|
| 1) I needed to remove a user profile from the network since I suspected that
| it was corrupted. After the user logged off that night, I attempted to delete
| the folder where their profile was stored. The server said Access Denied to
| the Domain Admin. When I tried to look at the security, I was told I could
| view the security or take ownership of the files. In order to finally remove
| the user profile, I had to go to the domain server, take ownership of the
| files, and finally I could delete the folder.
|
| 2) The second was that I needed to manually move a favorite from one user to
| another, again, access denied.
|
| What is causing this to suddenly happen?
|
| How can I resolve this?
|
| Thanks
| Smurfman
|
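
An added example, not part of either post: a PowerShell audit of a roaming-profile share for the two conditions the policies above govern, ownership of each profile folder by its user and Full Control for the Administrators group. The function name and the share path in the usage line are hypothetical, and it assumes each folder is named after the account, optionally with a `.V<n>` profile-version suffix.

```powershell
# Added example. Assumptions (not from the thread): the share path in the
# usage line, and that each profile folder is named after the account,
# optionally with a ".V<n>" profile-version suffix.
function Test-RoamingProfileAcl {
    param([Parameter(Mandatory)][string]$ProfileRoot)

    $adminSid = 'S-1-5-32-544'   # well-known SID of BUILTIN\Administrators
    $full = [int][System.Security.AccessControl.FileSystemRights]::FullControl

    Get-ChildItem -LiteralPath $ProfileRoot -Directory | ForEach-Object {
        $row = [ordered]@{
            Folder            = $_.Name
            Owner             = $null
            OwnerIsUser       = $null
            AdminsFullControl = $null
            Error             = $null
        }
        try {
            $acl = Get-Acl -LiteralPath $_.FullName -ErrorAction Stop

            # Condition 1: the folder is owned by the user it belongs to.
            $expected = $_.Name -replace '\.V\d+$', ''
            $row.Owner = $acl.Owner
            $row.OwnerIsUser = (($acl.Owner -split '\\')[-1] -eq $expected)

            # Condition 2: a direct Allow ACE for BUILTIN\Administrators
            # carries Full Control (access via other groups is not checked).
            $rules = $acl.GetAccessRules($true, $true,
                [System.Security.Principal.SecurityIdentifier])
            $row.AdminsFullControl = [bool]($rules | Where-Object {
                $_.IdentityReference.Value -eq $adminSid -and
                $_.AccessControlType -eq 'Allow' -and
                ([int]$_.FileSystemRights -band $full) -eq $full
            })
        }
        catch {
            # With no ACE for the caller the descriptor cannot be read;
            # this is the "Access Denied" case from the original post.
            $row.Error = $_.Exception.Message
        }
        [pscustomobject]$row
    }
}

# Usage (hypothetical share):
# Test-RoamingProfileAcl -ProfileRoot '\\fileserver\Profiles$' | Format-Table -AutoSize
```

Rows with `Error` set or `AdminsFullControl` false are the folders an administrator will be locked out of; rows with `OwnerIsUser` false are the ones the ownership check described in the reply would reject.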


