Solved

Roaming Profile Folders Do Not Allow Administrative Access  *Administrator needs access to files after the fact *

Posted on 2004-04-01
Last Modified: 2010-05-18
Okay, I understand that Microsoft's article http://support.microsoft.com/default.aspx?scid=kb%3Ben-us%3B222043 states that you cannot apply the GPO after the profile is made. I came into this job after this was set up (incorrectly). But I need to be able to view the files in the roaming profiles now. I want my users to still be able to access their profiles also. What I need is a way to add the administrator to the security settings so that I am able to view the files while still having the user access the profile. Taking ownership removes the user access rights to the profile. Any ideas?
Question by:MDavisTX
12 Comments
 
LVL 3

Assisted Solution

by:infradawn
infradawn earned 100 total points
ID: 10732937
The ACLs on the default profile are: USER - FULL CONTROL and SYSTEM - FULL CONTROL. Maintenance is straightforward if you use the SYSTEM account to do it. The easiest way to delete profiles using the SYSTEM account is to schedule a cmd.exe /k job using AT (or SOON). This creates a DOS window in the SYSTEM account context and profiles can be deleted from here (so no need to take ownership).

See:

http://www.experts-exchange.com/Operating_Systems/Win2000/Q_20914408.html

for a discussion.


iD
0
 
LVL 3

Expert Comment

by:infradawn
ID: 10732975
Oh yeah, missed saying that the technique is also useful for viewing and otherwise maintaining the profiles!

iD
0
 

Author Comment

by:MDavisTX
ID: 10733763
Okay, I kind of understand what you are saying. Can you explain in more detail how I use the SYSTEM account? I am sorry, but I am fairly new to Windows 2000 Server.
0

 
LVL 7

Assisted Solution

by:4auHuk
4auHuk earned 100 total points
ID: 10734601
>Taking ownership removes the user access rights to the profile
No, it's not. Take ownership does not change ACL.

>Can explain in more detail as to how I use the SYSTEM account?
>>The easiest way to delete profiles using the SYSTEM account is to schedule a cmd.exe /k job using AT

at.exe is a built-in command-line scheduler. Tasks scheduled using AT always start under the Local System account. So all you need is to open a command prompt and use AT with the following syntax:
at 13:30 /interactive "cmd /k"
where 13:30 is in the near future. At this time a command prompt window will appear. It will run under the Local System account.
0
 
LVL 84

Accepted Solution

by:
oBdA earned 300 total points
ID: 10734763
Once you have the command window open, use cacls to add the administrators group to the ACL:
cacls YourHomeRoot /T /E /G Administrators:f
will add the group Administrators to YourHomeRoot and all files and folders below (/T), leaving the existing ACEs as they are.
Do not miss the /E ("edit", instead of replacing the ACL) switch, or you'll have to re-add your users and the system account ...
0
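The grant described in the answer above, wrapped in a before/after check, as an added example that is not part of the original post. It is a batch file meant to be run from the SYSTEM command prompt the thread describes; the root D:\Profiles$ is the one the asker names in this thread, the log file name is an assumption, and the findstr patterns assume English account names in the cacls output.

```bat
@echo off
rem Added example, not code from the thread.
rem ROOT is the profile root the asker names; LOG is an assumed file name.
setlocal
set "ROOT=D:\Profiles$"
set "LOG=%TEMP%\profile-acl-before.txt"
set BAD=0

rem 1. Record every profile folder's ACL before changing anything,
rem    so the user and SYSTEM entries can be compared afterwards.
if exist "%LOG%" del "%LOG%"
for /d %%P in ("%ROOT%\*") do cacls "%%P" >> "%LOG%"

rem 2. Add Administrators with full control to the root and everything
rem    below it (/T). /E edits the ACL; without it cacls replaces the ACL
rem    and the user and SYSTEM entries are lost.
cacls "%ROOT%" /T /E /G Administrators:F

rem 3. Confirm each profile folder now lists Administrators and still
rem    lists SYSTEM.
for /d %%P in ("%ROOT%\*") do call :check "%%P"
if "%BAD%"=="0" echo All profile folders list Administrators and SYSTEM.
echo ACLs from before the change are saved in %LOG%
goto :eof

:check
cacls %1 | findstr /i /c:"Administrators:" >nul
if errorlevel 1 (
    echo MISSING Administrators entry: %1
    set BAD=1
)
cacls %1 | findstr /i /c:"SYSTEM:" >nul
if errorlevel 1 (
    echo MISSING SYSTEM entry: %1
    set BAD=1
)
goto :eof
```

Each user's own entry is not checked automatically; compare the saved log against the current `cacls` output for a few folders to confirm the per-user ACEs are unchanged.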
 

Author Comment

by:MDavisTX
ID: 10741418
oBdA,

Okay, I have looked into the cacls command. It looks promising. My HomeRoot is D:\Profiles$\ Do you think it will have a problem with the $?
0
 
LVL 84

Expert Comment

by:oBdA
ID: 10741711
There should be no problem; a $ can be a regular character in a file or folder name.
If you feel unsecure about it, simply create a test folder using a similar folder and permissions structure and start with this one.
0
 

Author Comment

by:MDavisTX
ID: 10742277
4auHuk and oBdA

Okay, I am trying out the at command, but I am getting an error on the scheduling of it.

I am running a cmd prompt and have put in the command:

at 10:45 /interactive "cmd /k"

The time passes and no new cmd opens, and if I look at the AT schedule it states that it has an error in it:
Status ID   Day                     Time          Command Line
---------------------------------------------------------------
Error   2   Tomorrow                10:45 AM      cmd/k

I assume the "Tomorrow" statement means it will try again tomorrow.

I have tried many ways:

at 10:45 /interactive "cmd/k"
at 10:45 /interactive cmd / k
and so on
0
 
LVL 84

Expert Comment

by:oBdA
ID: 10743137
Try to lose the "/k" completely;
at <Your:Time+2min> /interactive cmd
works fine for me.
0
 
LVL 7

Expert Comment

by:4auHuk
ID: 10743919
Yeah, /k is an extra key since cmd starts with it by default :)
"Tomorrow" means that time in "at 10:45 /interactive "cmd /k"" command was in the past so at assumes you wish to start this task tomorrow. Anyway, oBdA mentioned all this already :)
0
 

Author Comment

by:MDavisTX
ID: 10743971
Thanks, all three of you got me the answer!!
0
 
LVL 3

Expert Comment

by:infradawn
ID: 10752553
:)
0
