[2 days left] What’s wrong with your cloud strategy? Learn why multicloud solutions matter with Nimble Storage.Register Now

x
?
Solved

Roaming Profile Folders Do Not Allow Administrative Access  *Administrator needs access to files after the fact *

Posted on 2004-04-01
12
Medium Priority
?
749 Views
Last Modified: 2010-05-18
Okay I understand Microsoft’s article http://support.microsoft.com/default.aspx?scid=kb%3Ben-us%3B222043  states that you can not apply the GPO after the profile is made.  I came into this job after this was setup (incorrectly).  But, I need to be able to view the files in the roaming profiles now. I want my users to still be able to access their profiles also.  What I need is a way to add the administrator to the security settings so that I am able to view the files while still having the user access the profile.  Taking ownership removes the user access rights to the profile. Any ideas?  
0
Comment
Question by:MDavisTX
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 3
  • 3
  • +1
12 Comments
 
LVL 3

Assisted Solution

by:infradawn
infradawn earned 400 total points
ID: 10732937
The ACLs on the default profile are: USER - FULL CONTROL and SYSTEM - FULL CONTROL. Maintenance is straightforward if you use the SYSTEM account to do it. The easiest way to delete profiles using the SYSTEM account is to schedule a cmd.exe /k job using AT (or SOON). This creates a DOS window in the SYSTEM account context and profiles can be deleted from here (so no need to take ownership).

See:

http://www.experts-exchange.com/Operating_Systems/Win2000/Q_20914408.html

for a discussion.


iD
0
 
LVL 3

Expert Comment

by:infradawn
ID: 10732975
Oh yeah, missed saying that the technique is also useful for viewing and otherwise maintaining the profiles!

iD
0
 

Author Comment

by:MDavisTX
ID: 10733763
Okay i kind of understand what you are saying. Can explain in more detail as to how I use the SYSTEM account?  I am sorry but I am fairly new to Windows 2000 Server.
0
On Demand Webinar: Networking for the Cloud Era

Ready to improve network connectivity? Watch this webinar to learn how SD-WANs and a one-click instant connect tool can boost provisions, deployment, and management of your cloud connection.

 
LVL 7

Assisted Solution

by:4auHuk
4auHuk earned 400 total points
ID: 10734601
>Taking ownership removes the user access rights to the profile
No, it's not. Take ownership does not change ACL.

>Can explain in more detail as to how I use the SYSTEM account?
>>The easiest way to delete profiles using the SYSTEM account is to schedule a cmd.exe /k job using AT

at.exe is built-in command line scheduler. Tasks scheduled using AT always start under Local System account. So all you need is to open command prompt and use AT with following syntax:
at 13:30 /interactive "cmd /k"
where 13:30 is in near future. At this time command prompt window will appear. It will run under Local System account.
0
 
LVL 85

Accepted Solution

by:
oBdA earned 1200 total points
ID: 10734763
Once you have the command window open, use cacls to add the administrators group to the ACL:
cacls YourHomeRoot /T /E /G Administrators:f
will add the group Administrators to YourHomeRoot and all files and folders below (/T), leaving the existing ACEs as they are.
Do not miss the /E ("edit", instead of replacing the ACL) switch, or you'll have to re-add your users and the system account ...
0
 

Author Comment

by:MDavisTX
ID: 10741418
oBdA,

Okay i ahve looked into the cacls command.  It looks promising. My HomeRoot is D:\Profiles$\  do you think it will have a problem with the $ ?
0
 
LVL 85

Expert Comment

by:oBdA
ID: 10741711
There should be no problem; a $ can be a regular chanracter in a file or folder name.
If you feel unsecure about it, simply create a test folder using a similar folder and permissions structure and start with this one.
0
 

Author Comment

by:MDavisTX
ID: 10742277
4auHuk and oBdA

Okay i am trying out the at command but i am getting an error on the scheduling of it

I am running a cmd prompt and have put in the command:

at 10:45 /interactive "cmd /k"

the time passes and no new cmd opens and if i look at the AT schedule it states that it as an error in it
Status ID   Day                     Time          Command Line
---------------------------------------------------------------
Error   2   Tomorrow                10:45 AM      cmd/k

i assume the tomorrow statement means it will try again tomorrow.

I have try many ways

at 10:45 /interactive "cmd/k"
at 10:45 /interactive cmd / k
and so on
0
 
LVL 85

Expert Comment

by:oBdA
ID: 10743137
Try to lose the "/k" completely;
at <Your:Time+2min> /interactive cmd
works fine for me.
0
 
LVL 7

Expert Comment

by:4auHuk
ID: 10743919
Yeah, /k is extra key since cmd starts with is by default :)
"Tomorrow" means that time in "at 10:45 /interactive "cmd /k"" command was in the past so at assumes you wish to start this task tomorrow. Anyway, oBdA mentioned all this already :)
0
 

Author Comment

by:MDavisTX
ID: 10743971
Thanks, all three of you got me the answer!!
0
 
LVL 3

Expert Comment

by:infradawn
ID: 10752553
:)
0

Featured Post

Free Tool: ZipGrep

ZipGrep is a utility that can list and search zip (.war, .ear, .jar, etc) archives for text patterns, without the need to extract the archive's contents.

One of a set of tools we're offering as a way to say thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

NTFS file system has been developed by Microsoft that is widely used by Windows NT operating system and its advanced versions. It is the mostly used over FAT file system as it provides superior features like reliability, security, storage, efficienc…
Working from home is a dream for many people who aren’t happy about getting up early, going to the office, and spending long hours at work. There are lots of benefits of remote work for employees.
Video by: ITPro.TV
In this episode Don builds upon the troubleshooting techniques by demonstrating how to properly monitor a vSphere deployment to detect problems before they occur. He begins the show using tools found within the vSphere suite as ends the show demonst…
Have you created a query with information for a calendar? ... and then, abra-cadabra, the calendar is done?! I am going to show you how to make that happen. Visualize your data!  ... really see it To use the code to create a calendar from a q…
Suggested Courses

656 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question