Re: Custom NTFS permissions on roaming profiles?



Steven,

Thanks for your input. I have used xcacls.vbs quite a bit and am familiar
with it. Fileacl I didn't know about. Will check that out, thanks!

My main concern when manipulating profile ACLs is, as I stated before,
unexpected consequences, and I am not very comfortable with implementing a
bunch of scheduled scripts to manipulate ACLs. But since this might greatly
reduce the time needed for our TS guys to troubleshoot a user profile, and
at the same time eliminate the need to make them members of the
Administrators group on all file servers, I guess we'll test it and give it
a try.

Thanks and regards,

Marcus

--
The views and opinions expressed above are strictly
those of the author(s). The content of this message has
not been reviewed nor approved by any entity whatsoever.


"Steven L Umbach" <n9rou@xxxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:%23Mle0hbXGHA.3740@xxxxxxxxxxxxxxxxxxxxxxx
I myself have never heard of a way to specify an extra group to be
automatically added to a newly created profile. You could however use
command line tools such as fileacl or xcacls.vbs to add such permissions and
you would need to do so each time a new profile was created. I see no
reason why that would cause a problem [other than privacy] as long as the
user still had their permissions and was the owner. Of course like anything
else test it on a few user accounts first and backup your server before you
try changing permissions so that you can always get back to where you were.
Xcacls.vbs and fileacl are powerful tools so be sure to try them out on a
test computer first if you are interested in trying them. --- Steve

http://support.microsoft.com/?id=825751 --- xcacls.vbs
http://www.gbordier.com/gbtools/fileacl.htm --- fileacl

"Marcus Fredriksson" <nospam@xxxxxxxxxx> wrote in message
news:443b97a4$1@xxxxxxxxxxxxxxxxxxxxxx
Hello all,

We are managing a large Windows 2003 server environment with Terminal
Servers that store the users' roaming (mandatory) profiles on a file
share on the network. According to
http://technet2.microsoft.com/WindowsServer/en/Library/20b15453-f7c9-4cf0-9131-78924af776551033.mspx,
the default file permissions for a user's roaming profile folder are Full
Control for the user and Local system and nothing else. We have also
through a GPO enabled the "Add the Administrators security group to
roaming user profiles" setting to grant Administrators permissions on the
user folders.

So far, so good, but now as the environment grows large, we need our
Terminal Server guys to have permissions on the roaming profiles to be
able to troubleshoot end user problems. We do not want to add the
Terminal Server administrators to the Administrators group on the file
servers, but instead add another group to the ACL of the roaming profile
folders.

My question: Is there a way to pre-define which permissions get set on
newly created roaming profile user folders? If not, what problems could
we run into if we add this extra group to the roaming profile folders
afterwards?

Thanks,

Marcus

--
The views and opinions expressed above are strictly
those of the author(s). The content of this message has
not been reviewed nor approved by any entity whatsoever.
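
The approach discussed in this thread (add an extra group to each profile folder afterwards, pilot it on a few accounts, back up first, and confirm the user keeps their permissions and ownership), as an added example that is not part of the original posts. It uses PowerShell with icacls rather than the xcacls.vbs or fileacl tools named in the thread; the share path, group name, rights and backup folder are hypothetical placeholders, and it assumes the account running it can already change permissions on the profile folders.

```powershell
# Added example; every default below is a hypothetical placeholder, not a value from the thread.
param(
    [string]$ProfileRoot = '\\FILESRV01\Profiles$',  # hypothetical roaming profile share
    [string]$Group       = 'EXAMPLE\TS-Support',     # hypothetical support group to add
    [string]$Rights      = '(OI)(CI)M',              # Modify, inherited by files and subfolders
    [string]$BackupDir   = 'C:\AclBackup',           # where the saved ACLs are written
    [string[]]$Pilot     = @()                       # folder names to test on; empty means all
)
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
$folders = Get-ChildItem -LiteralPath $ProfileRoot -Directory
if ($Pilot.Count -gt 0) { $folders = $folders | Where-Object { $Pilot -contains $_.Name } }

foreach ($folder in $folders) {
    $before = Get-Acl -LiteralPath $folder.FullName
    # Skip folders where the group already has an explicit (non-inherited) entry.
    $existing = $before.Access | Where-Object {
        $_.IdentityReference.Value -eq $Group -and -not $_.IsInherited
    }
    if ($existing) { Write-Output "SKIP   $($folder.Name)"; continue }

    # Save the current ACLs first; put them back with: icacls <ProfileRoot> /restore <file>
    icacls $folder.FullName /save (Join-Path $BackupDir "$($folder.Name).acl") /T /C /Q | Out-Null
    # /grant without :r adds an entry and leaves the existing entries in place.
    icacls $folder.FullName /grant "${Group}:$Rights" /C /Q | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "icacls failed on $($folder.FullName)"; continue }

    # Verify: the owner is unchanged and every entry that existed before is still there.
    $after = Get-Acl -LiteralPath $folder.FullName
    $lost  = $before.Access | Where-Object {
        $old = $_
        -not ($after.Access | Where-Object {
            $_.IdentityReference.Value -eq $old.IdentityReference.Value -and
            $_.FileSystemRights        -eq $old.FileSystemRights -and
            $_.AccessControlType       -eq $old.AccessControlType
        })
    }
    if ($after.Owner -ne $before.Owner -or $lost) {
        Write-Warning "CHECK  $($folder.Name): owner or existing entries changed"
    } else {
        Write-Output  "OK     $($folder.Name)"
    }
}
```

Because folders that already carry the group's entry are skipped, the script can be rerun whenever new profiles have been created.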
