User profiles folder and ntfs and share permissions best practices "Windows 2000 server"

Posted on 2004-07-30
Last Modified: 2010-04-13
For a Windows 2000 server.

This is really a multipart question.

First: What are the best practices setup of permissions for shared folders, specifically profiles.

To begin with, if I have my profiles folder on drive D:, I won't have the root of D: shared except for the administrative share D$. In the root I remove the Everyone Full Control NTFS permission and make sure that Administrators and SYSTEM have Full Control. Should I also include the backup and service accounts with Full Control? Any other Full Control entries? Am I missing anything important?

SIDE NOTE: I learned the hard way that the SYSTEM account needs Full Control on the D: drive root, because my Active Directory data was on D: and when only Administrators had Full Control the system would not load Windows.

OK anyways...

Now I create a Profiles folder with NTFS permissions of Administrators Full Control, Authenticated Users Full Control, backup account Full Control, and share permissions of Full Control to Everyone.

Is this correct so far or is there a more appropriate method?

Next: When I look at the profiles on my server most of them say 0 bytes or you only have permission to view the info, something to that effect. If I take ownership of the folder, then I can see the contents etc. What is going on here, is that normal? Please explain the theory and real world concepts.

Question by:NportXport

Accepted Solution

TASINetwork earned 250 total points
ID: 11679229
Here is how I usually set up home directories/profiles:

-Create a folder in the root directory (D: in your case) called Home and/or Profiles.
-Set the security permissions on these folders to allow Domain Admins Full Control and Authenticated Users, Change
-Share the folders (I always share with a "$" at the end of the share name to hide it)
-The Home directories should inherit the permissions to allow administrators access
-Profiles will allow only that user permissions to that folder, so I usually take ownership and grant Domain Admins full control.

As far as the Profiles showing 9 bytes, this is correct with the default permissions. Only that specific user can view the contents, and the administrators are effectively denied access, hence not allowing them to view anything about the folder, including folder size, until you add permissions for yourself.
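The folder and share setup described in this answer, written out as a PowerShell script (an added example, not code posted in the thread). It assumes a placeholder domain name CONTOSO, the D: drive layout from the question, and a current Windows Server with the SmbShare module; on Windows 2000 the share step would be done with `net share` or the Sharing tab instead. It goes one step beyond the answer by scoping the Authenticated Users entry to the top folder only and adding CREATOR OWNER, which is the standard way to let each user reach only their own subfolder.

```powershell
# Added example: create Home and Profiles on D:, apply the NTFS permissions from the
# accepted answer, and publish them as hidden ($) shares.
# Assumptions: domain is CONTOSO (placeholder); script runs as a member of Administrators.

$domain = 'CONTOSO'
$root   = 'D:'

function New-AccessRule {
    param(
        [string]$Identity,
        [System.Security.AccessControl.FileSystemRights]$Rights,
        [System.Security.AccessControl.InheritanceFlags]$Inherit = 'ContainerInherit,ObjectInherit'
    )
    New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity, $Rights, $Inherit, 'None', 'Allow')
}

foreach ($name in 'Home', 'Profiles') {
    $path = Join-Path $root $name
    New-Item -ItemType Directory -Path $path -Force | Out-Null

    $acl = Get-Acl -Path $path
    # Stop inheriting from the drive root (which may still carry Everyone: Full Control)
    # and drop the inherited entries rather than copying them.
    $acl.SetAccessRuleProtection($true, $false)

    # Domain Admins and SYSTEM: Full Control on the folder, all subfolders and files.
    $acl.AddAccessRule((New-AccessRule "$domain\Domain Admins" FullControl))
    $acl.AddAccessRule((New-AccessRule 'NT AUTHORITY\SYSTEM'    FullControl))

    # Authenticated Users: Change (Modify) on THIS folder only. With no inheritance,
    # users can create their own subfolder but the entry does not flow into the
    # subfolders of other users (the point the expert makes later in the thread).
    $acl.AddAccessRule((New-AccessRule 'NT AUTHORITY\Authenticated Users' Modify -Inherit None))

    # CREATOR OWNER: whoever creates a subfolder gets Full Control of it (inherit only).
    $acl.AddAccessRule((New-AccessRule 'CREATOR OWNER' FullControl))

    Set-Acl -Path $path -AclObject $acl

    # Hidden share; share permissions stay wide open and NTFS does the real restriction.
    if (-not (Get-SmbShare -Name "$name`$" -ErrorAction SilentlyContinue)) {
        New-SmbShare -Name "$name`$" -Path $path -FullAccess 'Everyone' | Out-Null
    }

    # Show the resulting ACL so it can be checked against the intended design.
    (Get-Acl -Path $path).Access |
        Select-Object IdentityReference, FileSystemRights, InheritanceFlags |
        Format-Table -AutoSize
}
```

Running it as an administrator produces `\\server\Home$` and `\\server\Profiles$`; the printed ACL for each should show Authenticated Users with InheritanceFlags `None` and the other entries with `ContainerInherit, ObjectInherit`. The Profiles folder will still be rewritten per user by the roaming-profile code at first logon, which is why the answer ends with taking ownership where administrators need access.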

Author Comment

ID: 11679382

So how do you backup the profiles folder if you only have domain admins and authenticated users? Don't you need the backup or service account to have full access?

Also, let's say as an example: You had 2000 profiles. Are you saying that you would individually go in and add Domain Admins to each account with Full Control? Or is there an easier way to take ownership of profiles while maintaining each individual user's rights in his/her individual profile?

Expert Comment

ID: 11679832
With Roaming Profiles, the permissions are set per folder.  If you were to set the permissions on the root folder and force them down to each directory, then all folders would be accessible by all users (which you prob. don't want).

You should add your backup user to the Administrators group and the Backup Operators group.  Backup Operators can open any file for backup purposes (even if they do not specifically have access to it).  So, if you run a backup job, it will backup the profiles, you just won't be able to browse them yourself.  You can turn around and restore these files to a different location.

If you want to be able to browse the profiles though, you will have to take ownership and then re-create the permissions (including re-adding that user).
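Two things this comment describes can be checked and done from PowerShell: listing which profile folders an administrator can and cannot read (the per-folder permission point), and copying the whole tree in backup mode so the copy succeeds without browse access. This is an added example, not code from the thread. It assumes the D:\Profiles layout from the question, a placeholder destination E:\ProfileBackup, and that the account running it holds the backup privilege (a member of Administrators or Backup Operators); the registry value checked at the end is the one behind the "add Administrators to roaming profiles" policy mentioned later in the thread, named here from my own knowledge rather than from the page.

```powershell
# Added example: audit roaming profile folders and back them up in backup mode.
# Assumptions: profiles live under D:\Profiles; backup target E:\ProfileBackup (placeholder).

$profileRoot = 'D:\Profiles'
$backupRoot  = 'E:\ProfileBackup'

function Get-ProfileAclReport {
    param([string]$Root)
    $full = [System.Security.AccessControl.FileSystemRights]::FullControl
    foreach ($dir in Get-ChildItem -Path $Root -Directory -Force) {
        try {
            $acl = Get-Acl -Path $dir.FullName
            $adminsFull = $acl.Access | Where-Object {
                $_.IdentityReference.Value -eq 'BUILTIN\Administrators' -and
                $_.AccessControlType -eq 'Allow' -and
                (($_.FileSystemRights -band $full) -eq $full)
            }
            [pscustomobject]@{
                Profile           = $dir.Name
                Owner             = $acl.Owner
                AdminsFullControl = [bool]$adminsFull
                Note              = ''
            }
        } catch {
            # A profile whose ACL names only its user denies even reading the
            # security descriptor: this is the "0 bytes / only permission to view"
            # behaviour from the question. Nothing is changed here; the thread's
            # advice is to take ownership only when browsing is actually required.
            [pscustomobject]@{
                Profile           = $dir.Name
                Owner             = '(access denied)'
                AdminsFullControl = $false
                Note              = $_.Exception.Message
            }
        }
    }
}

function Backup-ProfilesInBackupMode {
    param([string]$Source, [string]$Destination)
    New-Item -ItemType Directory -Path $Destination -Force | Out-Null
    # /B opens every file with the backup privilege, so folders the caller cannot
    # browse are still copied. /COPY:DATSO keeps data, attributes, timestamps,
    # security (DACL) and owner, so a restore elsewhere preserves each user's ACL.
    robocopy $Source $Destination /E /B /COPY:DATSO /R:1 /W:1 /NP /LOG:"$Destination.log"
    # robocopy exit codes below 8 mean success (possibly with files copied/skipped).
    return ($LASTEXITCODE -lt 8)
}

function Get-AddAdminGroupPolicy {
    # Local policy "Add the Administrators security group to roaming user profiles".
    # Value name from my own knowledge (not on the page); 1 = enabled, absent = not set.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
    (Get-ItemProperty -Path $key -Name 'AddAdminGroupToRUP' -ErrorAction SilentlyContinue).AddAdminGroupToRUP
}

Get-ProfileAclReport -Root $profileRoot | Format-Table -AutoSize
"Backup succeeded: $(Backup-ProfilesInBackupMode -Source $profileRoot -Destination $backupRoot)"
"AddAdminGroupToRUP policy value: $(Get-AddAdminGroupPolicy)"
```

The report separates profiles administrators can read from those they cannot, without touching ownership, so you can see how many folders would actually need the take-ownership step the comment describes. The robocopy call demonstrates the backup-privilege behaviour the comment relies on: run it under an account that is in Backup Operators but not granted NTFS access, and the copy still completes while `Get-ChildItem` on the same folders is refused.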

Author Comment

ID: 11680158
I do get what you are saying. You are more than halfway to the answer and I will be giving you most or all of the points.

Just a few more follow up questions.

So why do you want to be able to browse the profile?

Let's say you had 10,000 users. You would go in to each user and change the permissions so that you can browse their profile? I mean, what are the benefits of browsing a user's profile? Don't you just care about the home folders where they keep their data, as opposed to the profile where their individual computer settings are kept?

By the way. On my network in the server I have some profiles who have the user as the owner and I can still browse the profile because the administrator is in with full access to that profile. How can that be?

The only way I can think of this being possible is that someone would log in locally to the server as the user and add the administrator to their profile. I checked the server's profiles and it only has Administrator and my account as having logged in. They could also have deleted the profile after logging back in as Administrator.

You do understand my confusion right?


Expert Comment

ID: 11680358
Only reason I can think of for browsing the profile (which in most cases you would NOT need to) is to snoop around.  The profiles are stored on the user's local PC too, so you don't really need to back it up in most cases.  If either the user's PC or the server profile is available, you won't lose the user's data.  Just bring the down PC back up and the profile will recreate itself in the location where it is missing.

Author Comment

ID: 11680581

I just found this, and it explains that when a user profile is created and the administrator is not added, it is a bug: you should update to the newest service pack, and you must use a group policy to force the addition of the administrator to the profile.

Interesting eh?;EN-US;222043

Expert Comment

ID: 11681701
Thanks for the link!  I was just dealing with this at a client the other day, and would have loved to have known this!

Author Comment

ID: 11681871
So can I have some points back?

hee he ... just kiddin

I am glad it helped you.

Even though it says so in the document, I will point it out anyway: you have to change the setting in the local group policy of the computer for it to work. Or at least that is what it appears to require. In other words, this is not a Domain Group Policy.

It is helping me because I have to migrate profiles from an FFed UP domain to a new domain.

ADMT transferred the user IDs and computers, but it could not redo the SIDs, so I have to manually transfer their profiles.

Luckily there are only 70 or so users. I am logging in on one workstation with every user's account so their profile gets copied over, then I am adding the computer to the new domain and logging in with everyone's account from the new domain, then I will log in as the administrator and copy each profile from the old domain onto the corresponding account on the new domain. Finally I will set the "allowed to use profile" option to the new domain accounts.

If you know of an easier way PLEASE let me know.

Expert Comment

ID: 11682122
Don't know for SURE, but it MIGHT work:
Desktop DNA (

Author Comment

ID: 11682280
It doesn't look like something I can use.

Thanks anyway
