Link to home
Start Free TrialLog in
Avatar of NportXport
NportXport

asked on

User profiles folder and ntfs and share permissions best practices "Windows 2000 server"

For a Windows 2000 server.

This is really a multipart question.

First: What are the best practices setup of permissions for shared folders, specifically profiles.

To begin with, if I have my profiles folder on drive d:, I won't have the root of d: shared except for the administrative share d$. In the root I remove the everyone full access ntfs permissions and make sure that administrator and system have full access. Should I also include backup and service full access? Any other full access. Am I missing anything important?

SIDE NOTE: I had learned the hard way that the system account needed full access to the d drive root because my Active Directory info was in the D and only had administrators full access the system would not load windows.

OK anyways...

Now I create a profiles folder with NTFS permissions to administrators full access, authenticated users full access, backup account full access and Share permissions full access to everyone.

Is this correct so far or is there a more appropriate method?

Next: When I look at the profiles on my server most of them say 0 bytes or you only have permission to view the info, something to that effect. If I take ownership of the folder, then I can see the contents etc. What is going on here, is that normal? Please explain the theory and real world concepts.








ASKER CERTIFIED SOLUTION
Avatar of TASINetwork
TASINetwork

Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
Avatar of NportXport
NportXport

ASKER


So how do you backup the profiles folder if you only have domain admins and authenticated users? Don't you need the backup or service account to have full access?

Also, lets say as an example: You had 2000 profiles. Are you saying that you would individually go in and add domain admins to each account with full access? Or is there an easier way to take ownership of profiles while maintaining each individual user rights in his/her individual profile?
With Roaming Profiles, the permissions are set per folder.  If you were to set the permissions on the root folder and force them down to each directory, then all folders would be accessible by all users (which you prob. don't want).

You should add your backup user to the Administrators group and the Backup Operators group.  Backup Operators can open any file for backup purposes (even if they do not specifically have access to it).  So, if you run a backup job, it will backup the profiles, you just won't be able to browse them yourself.  You can turn around and restore these files to a different location.

If you want to be able to browse the profiles though, you will have to take ownership and then re-create the permissions (including re-adding that user)
I do get what you are saying. You are more than have way with the answer and I will be giving you most or all the points.

Just a few more follow up questions.

So why do you want to be able to browse the profile?

Let's say you had 10,000 users. You would go in to each user and change the permissions so that you can browse there profile? I mean what are the benifiets of browsing a user's profile? Don't you just care about the home folders were they keep their data as opposed to the profile were their individual computer settings are kept?

By the way. On my network in the server I have some profiles who have the user as the owner and I can still browse the profile because the administrator is in with full access to that profile. How can that be?

The only way I can think of is being possible is that some would log in locally to the server as the user and add the administrator to their profile. I checked the server's profiles and it  only has administrators and my account as having logged in. They could have also deleted the profile after logging back in as administrator.

You do understand my confusion right?

Only reason I can think of for browsing the profile (which in most cases you would NOT need to) is to snoop around.  The profiles are stored on the user's local PC too, so you don't really need to back it up in most cases.  If either the user's PC or the server profile is available, you won't loose the user's data.  Just bring back up the down PC and the profile will recreate itself in the location that it is missing.
TASINetork

I just found this and it explains when a user profile is created and the administrator is not added that it is a bug and you should update to the newest service pack and you must use a group policy to force the addition of the administrator to the profile.

Interesting eh?

http://support.microsoft.com/default.aspx?scid=kb;EN-US;222043
Thanks for the link!  I was just dealing with this at a client the other day, and would have loved to have known this!
So can I have some points back?

hee he ... just kiddin

I am glad it helped you.

Even though it says it in the document, will point it out anyway that you have to change the setting at the local group policy of the computer for it to work. Or at least that is what it appears to require. In other words this is not a Domain Group Policy.

It is helping me because I have to migrate profiles from an FFed UP domain to a new domain.

ADMT transffered the user ID and Computers but it could not redo the SIDs so I have to manually transferr thier profiles.

Lucky there are only 70 or so users. I am logging in on one workstation with every users account so their profile gets copied over, then I am adding the computer to the new domain and logging in with everyones account from the new domain, then I will log in as the administrator and copy each profile from the old domain on to the corresponding account on the new domain. Finally I will give set the allowed to use profile option to the new domain accounts.

If you know of an easier way PLEASE let me know.
Don't know for SURE, but it MIGHT work:
Desktop DNA (http://ca.miramar.com/Products/Small_Office)
It doesn't look like something I can use.

Thanks anyway