• Status: Solved

Roaming Profile Folders Do Not Allow Administrative Access *Administrator needs access to files after the fact *

Okay, I understand Microsoft’s article http://support.microsoft.com/default.aspx?scid=kb%3Ben-us%3B222043 states that you cannot apply the GPO after the profile is made. I came into this job after this was set up (incorrectly). But I need to be able to view the files in the roaming profiles now. I want my users to still be able to access their profiles also. What I need is a way to add the administrator to the security settings so that I am able to view the files while still having the user access the profile. Taking ownership removes the user access rights to the profile. Any ideas?
Asked: MDavisTX

infradawn Commented:
The ACLs on the default profile are: USER - FULL CONTROL and SYSTEM - FULL CONTROL. Maintenance is straightforward if you use the SYSTEM account to do it. The easiest way to delete profiles using the SYSTEM account is to schedule a cmd.exe /k job using AT (or SOON). This creates a DOS window in the SYSTEM account context and profiles can be deleted from here (so no need to take ownership).

See:

http://www.experts-exchange.com/Operating_Systems/Win2000/Q_20914408.html

for a discussion.


iD

infradawn Commented:
Oh yeah, missed saying that the technique is also useful for viewing and otherwise maintaining the profiles!

iD

MDavisTX (Author) Commented:
Okay, I kind of understand what you are saying. Can you explain in more detail how I use the SYSTEM account? I am sorry, but I am fairly new to Windows 2000 Server.

4auHuk Commented:
>Taking ownership removes the user access rights to the profile
No, it doesn't. Taking ownership does not change the ACL.

>Can explain in more detail as to how I use the SYSTEM account?
>>The easiest way to delete profiles using the SYSTEM account is to schedule a cmd.exe /k job using AT

at.exe is a built-in command-line scheduler. Tasks scheduled using AT always start under the Local System account. So all you need is to open a command prompt and use AT with the following syntax:
at 13:30 /interactive "cmd /k"
where 13:30 is in the near future. At this time a command prompt window will appear. It will run under the Local System account.

oBdA Commented:
Once you have the command window open, use cacls to add the administrators group to the ACL:
cacls YourHomeRoot /T /E /G Administrators:f
will add the group Administrators to YourHomeRoot and all files and folders below (/T), leaving the existing ACEs as they are.
Do not miss the /E ("edit", instead of replacing the ACL) switch, or you'll have to re-add your users and the system account ...

MDavisTX (Author) Commented:
oBdA,

Okay, I have looked into the cacls command. It looks promising. My HomeRoot is D:\Profiles$\. Do you think it will have a problem with the $?

oBdA Commented:
There should be no problem; a $ can be a regular character in a file or folder name.
If you feel unsecure about it, simply create a test folder using a similar folder and permissions structure and start with this one.

MDavisTX (Author) Commented:
4auHuk and oBdA

Okay, I am trying out the at command but I am getting an error on the scheduling of it.

I am running a cmd prompt and have put in the command:

at 10:45 /interactive "cmd /k"

The time passes and no new cmd opens, and if I look at the AT schedule it states that it has an error in it:
Status ID   Day                     Time          Command Line
---------------------------------------------------------------
Error   2   Tomorrow                10:45 AM      cmd/k

I assume the tomorrow statement means it will try again tomorrow.

I have tried many ways:

at 10:45 /interactive "cmd/k"
at 10:45 /interactive cmd / k
and so on

oBdA Commented:
Try to lose the "/k" completely;
at <Your:Time+2min> /interactive cmd
works fine for me.

4auHuk Commented:
Yeah, /k is an extra key since cmd starts with it by default :)
"Tomorrow" means that the time in the "at 10:45 /interactive "cmd /k"" command was in the past, so at assumes you wish to start this task tomorrow. Anyway, oBdA mentioned all this already :)

MDavisTX (Author) Commented:
Thanks, all three of you got me the answer!!

infradawn Commented:
:)
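
Added example, not part of any post in this thread: a batch script that applies the `cacls ... /T /E /G Administrators:F` step one profile folder at a time from the SYSTEM command window, logging each ACL before and after so you can confirm the existing user ACE survived. The script name, the `ROOT`, `LOG` and `FAILED` variables and the log path are made up for this example; it assumes an English system and profile folders named after the user account.

```batch
@echo off
rem Added example, not from the thread. Run it in the SYSTEM command window
rem opened with:  at HH:MM /interactive cmd
rem Usage: addadmin.cmd profile-root [logfile]   (script name is made up)
setlocal
set "ROOT=%~1"
set "LOG=%~2"
if not defined ROOT goto usage
if not defined LOG set "LOG=%TEMP%\addadmin-acl.log"
if not exist "%ROOT%" goto noroot
echo ==== %DATE% %TIME% root=%ROOT% > "%LOG%"
set FAILED=0
rem One call per profile folder directly below the root.
for /d %%D in ("%ROOT%\*") do call :one "%%D"
echo Done. Before/after ACLs are in %LOG%
if %FAILED% GTR 0 echo %FAILED% folders need a manual look.
goto :eof

:one
rem Record the ACL as it is now, so it can be compared afterwards.
echo ---- BEFORE %~1 >> "%LOG%"
cacls "%~1" >> "%LOG%" 2>&1
rem /E edits the existing ACL instead of replacing it; /T recurses.
cacls "%~1" /T /E /G Administrators:F >> "%LOG%" 2>&1
echo ---- AFTER %~1 >> "%LOG%"
cacls "%~1" >> "%LOG%" 2>&1
rem Verify from the ACL itself: the new Administrators ACE must be present.
cacls "%~1" | find /i "Administrators" > nul
if errorlevel 1 set /a FAILED+=1 & echo NO ADMIN ACE: "%~1"
rem Assumption: folder name equals account name, so the owner's ACE shows up
rem as DOMAIN\name: in the cacls output. A miss is only a hint to check by hand.
cacls "%~1" | find /i "\%~nx1:" > nul
if errorlevel 1 echo CHECK USER ACE: "%~1"
goto :eof

:usage
echo Usage: %~nx0 ^<profile-root^> [logfile]
goto :eof

:noroot
echo Profile root not found: "%ROOT%"
goto :eof
```

Point it at a test folder with a similar structure first, as oBdA suggests, and compare the BEFORE and AFTER entries in the log before running it against the real profile root.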