User profiles folder and ntfs and share permissions best practices "Windows 2000 server"

Posted on 2004-07-30
Last Modified: 2010-04-13
For a Windows 2000 server.

This is really a multipart question.

First: What are the best practices setup of permissions for shared folders, specifically profiles.

To begin with, if I have my profiles folder on drive d:, I won't have the root of d: shared except for the administrative share d$. In the root I remove the everyone full access ntfs permissions and make sure that administrator and system have full access. Should I also include backup and service full access? Any other full access. Am I missing anything important?

SIDE NOTE: I had learned the hard way that the system account needed full access to the d drive root because my Active Directory info was in the D and only had administrators full access the system would not load windows.

OK anyways...

Now I create a profiles folder with NTFS permissions to administrators full access, authenticated users full access, backup account full access and Share permissions full access to everyone.

Is this correct so far or is there a more appropriate method?

Next: When I look at the profiles on my server most of them say 0 bytes or you only have permission to view the info, something to that effect. If I take ownership of the folder, then I can see the contents etc. What is going on here, is that normal? Please explain the theory and real world concepts.

Question by:NportXport

Accepted Solution

TASINetwork earned 250 total points
ID: 11679229
Here is how I usually set up home directories/profiles:

-Create a folder in the root directory (D: in your case) called Home and/or Profiles.
-Set the security permissions on these folders to allow Domain Admins Full Control and Authenticated Users, Change
-Share the folders (I always share with a "$" at the end of the share name to hide it)
-The Home directories should inherit the permissions to allow administrators access
-Profiles will allow only that user permissions to that folder, so I usually take ownership and grant Domain Admins full control.

As far as the Profiles showing 0 bytes, this is correct with the default permissions. Only that specific user can view the contents, and the administrators are effectively denied access, hence not allowing them to view anything about the folder, including folder size, until you add permissions to yourself.
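An added example, not code from the thread: a PowerShell script (for a current Windows server; Windows 2000 itself would use cacls/xcacls and net share) that builds the hidden profiles share TASINetwork describes, with the path D:\Profiles and the share name Profiles$ as assumptions. It narrows "Authenticated Users, Change" to a this-folder-only rule plus CREATOR OWNER, so each user owns only the profile folder they create, which is also why those folders read as 0 bytes to an administrator who is not in the ACL.

```powershell
# Added example (not from the thread). Assumed path and share name:
$Root  = 'D:\Profiles'
$Share = 'Profiles$'          # trailing $ hides the share from browse lists

New-Item -ItemType Directory -Path $Root -Force | Out-Null

$acl = Get-Acl $Root
# Stop inheriting the drive-root ACL (which may still carry Everyone Full Control)
$acl.SetAccessRuleProtection($true, $false)
# Drop any explicit rules left on the folder so the ACL below is the whole story
foreach ($r in $acl.Access) {
    if (-not $r.IsInherited) { $acl.RemoveAccessRule($r) | Out-Null }
}

# Helper: identity, rights, inheritance flags ('None' = this folder only)
function Add-Rule($Id, $Rights, $Inherit) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Id, $Rights, $Inherit, 'None', 'Allow')
    $acl.AddAccessRule($rule)
}

# Admins and SYSTEM: Full Control here and on everything created beneath
Add-Rule 'BUILTIN\Administrators' 'FullControl' 'ContainerInherit, ObjectInherit'
Add-Rule 'NT AUTHORITY\SYSTEM'     'FullControl' 'ContainerInherit, ObjectInherit'
# Authenticated Users only need to list the root and create their own subfolder.
# Pushing Change down into every profile would let every user read every profile.
Add-Rule 'NT AUTHORITY\Authenticated Users' `
         'ListDirectory, CreateDirectories, ReadAttributes, Synchronize' 'None'
# CREATOR OWNER: whoever creates a profile folder becomes its owner with Full
# Control, and gets nothing on anyone else's folder
Add-Rule 'CREATOR OWNER' 'FullControl' 'ContainerInherit, ObjectInherit'
Set-Acl -Path $Root -AclObject $acl

# Share permissions stay wide open, as in the thread; NTFS does the real work.
# (/GRANT on net share exists on Vista/2008 and later.)
net share "$Share=$Root" "/GRANT:Everyone,FULL" /REMARK:"Roaming profiles"

# Review the result: expect exactly the four rules above, nothing inherited
(Get-Acl $Root).Access |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags, IsInherited -AutoSize
```

The backup point from the thread still applies: an account in Backup Operators can back up these folders without appearing in any of the per-user ACLs.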

Author Comment

ID: 11679382

So how do you backup the profiles folder if you only have domain admins and authenticated users? Don't you need the backup or service account to have full access?

Also, let's say as an example: You had 2000 profiles. Are you saying that you would individually go in and add domain admins to each account with full access? Or is there an easier way to take ownership of profiles while maintaining each individual user's rights in his/her individual profile?

Expert Comment

ID: 11679832
With Roaming Profiles, the permissions are set per folder.  If you were to set the permissions on the root folder and force them down to each directory, then all folders would be accessible by all users (which you prob. don't want).

You should add your backup user to the Administrators group and the Backup Operators group.  Backup Operators can open any file for backup purposes (even if they do not specifically have access to it).  So, if you run a backup job, it will backup the profiles, you just won't be able to browse them yourself.  You can turn around and restore these files to a different location.

If you want to be able to browse the profiles though, you will have to take ownership and then re-create the permissions (including re-adding that user).

Author Comment

ID: 11680158
I do get what you are saying. You are more than halfway with the answer and I will be giving you most or all the points.

Just a few more follow up questions.

So why do you want to be able to browse the profile?

Let's say you had 10,000 users. You would go in to each user and change the permissions so that you can browse their profile? I mean, what are the benefits of browsing a user's profile? Don't you just care about the home folders where they keep their data, as opposed to the profile where their individual computer settings are kept?

By the way. On my network in the server I have some profiles who have the user as the owner and I can still browse the profile because the administrator is in with full access to that profile. How can that be?

The only way I can think of this being possible is that someone would log in locally to the server as the user and add the administrator to their profile. I checked the server's profiles and it only has administrators and my account as having logged in. They could have also deleted the profile after logging back in as administrator.

You do understand my confusion right?


Expert Comment

ID: 11680358
Only reason I can think of for browsing the profile (which in most cases you would NOT need to) is to snoop around.  The profiles are stored on the user's local PC too, so you don't really need to back it up in most cases.  If either the user's PC or the server profile is available, you won't lose the user's data.  Just bring back up the down PC and the profile will recreate itself in the location that it is missing.

Author Comment

ID: 11680581

I just found this and it explains when a user profile is created and the administrator is not added that it is a bug and you should update to the newest service pack and you must use a group policy to force the addition of the administrator to the profile.

Interesting eh?


Expert Comment

ID: 11681701
Thanks for the link!  I was just dealing with this at a client the other day, and would have loved to have known this!

Author Comment

ID: 11681871
So can I have some points back?

hee hee ... just kidding

I am glad it helped you.

Even though it says it in the document, I will point it out anyway that you have to change the setting in the local group policy of the computer for it to work. Or at least that is what it appears to require. In other words, this is not a Domain Group Policy.

It is helping me because I have to migrate profiles from an FFed UP domain to a new domain.

ADMT transferred the user IDs and Computers but it could not redo the SIDs, so I have to manually transfer their profiles.

Luckily there are only 70 or so users. I am logging in on one workstation with every user's account so their profile gets copied over, then I am adding the computer to the new domain and logging in with everyone's account from the new domain, then I will log in as the administrator and copy each profile from the old domain onto the corresponding account on the new domain. Finally I will set the "allowed to use profile" option to the new domain accounts.

If you know of an easier way PLEASE let me know.

Expert Comment

ID: 11682122
Don't know for SURE, but it MIGHT work:
Desktop DNA (http://ca.miramar.com/Products/Small_Office)

Author Comment

ID: 11682280
It doesn't look like something I can use.

Thanks anyway
