User profiles folder and ntfs and share permissions best practices "Windows 2000 server"

Posted on 2004-07-30
Last Modified: 2010-04-13
For a Windows 2000 server.

This is really a multipart question.

First: What is the best-practice setup of permissions for shared folders, specifically profiles?

To begin with, if I have my profiles folder on drive D:, I won't have the root of D: shared except for the administrative share D$. In the root I remove the Everyone full access NTFS permissions and make sure that Administrators and SYSTEM have full access. Should I also include backup and service full access? Any other full access? Am I missing anything important?

SIDE NOTE: I had learned the hard way that the SYSTEM account needed full access to the D: drive root, because my Active Directory info was on D: and, with only Administrators having full access, the system would not load Windows.

OK anyways...

Now I create a Profiles folder with NTFS permissions of Administrators full access, Authenticated Users full access and the backup account full access, and share permissions of full access to Everyone.

Is this correct so far or is there a more appropriate method?

Next: When I look at the profiles on my server most of them say 0 bytes or you only have permission to view the info, something to that effect. If I take ownership of the folder, then I can see the contents etc. What is going on here, is that normal? Please explain the theory and real world concepts.

Question by:NportXport
10 Comments
 
LVL 2

Accepted Solution

by:
TASINetwork earned 750 total points
ID: 11679229
Here is how I usually set up home directories/profiles:

-Create a folder in the root directory (D: in your case) called Home and/or Profiles.
-Set the security permissions on these folders to allow Domain Admins Full Control and Authenticated Users Change.
-Share the folders (I always share with a "$" at the end of the share name to hide it).
-The Home directories should inherit the permissions to allow administrators access.
-Profiles will allow only that user permissions to that folder, so I usually take ownership and grant Domain Admins Full Control.

As far as the Profiles showing 0 bytes, this is correct with the default permissions. Only that specific user can view the contents, and the administrators are effectively denied access, hence not allowing them to view anything about the folder, including folder size, until you add permissions for yourself.
0
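The layout TASINetwork describes (Home and Profiles folders off the root, Domain Admins Full Control, Authenticated Users Change, hidden `$` shares), written out as an added PowerShell example. This is not code from the thread; it assumes a current Windows host with the SmbShare module rather than Windows 2000, and the domain name CONTOSO and drive D: are placeholders.

```powershell
# Added example, not from the thread. Creates Home and Profiles under the root
# with the permissions the accepted answer describes. "Change" in the old ACL
# editor corresponds to the Modify right here.
# Assumptions: modern Windows host with the SmbShare module; CONTOSO and D:\
# are placeholders. Run from an elevated session.
$Domain = 'CONTOSO'
$Root   = 'D:\'

$Inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$Prop    = [System.Security.AccessControl.PropagationFlags]::None
$Allow   = [System.Security.AccessControl.AccessControlType]::Allow

# SYSTEM is included because, as the question notes, the OS itself needs it.
$Grants = @(
    @{ Identity = 'NT AUTHORITY\SYSTEM';              Rights = 'FullControl' },
    @{ Identity = "$Domain\Domain Admins";            Rights = 'FullControl' },
    @{ Identity = 'NT AUTHORITY\Authenticated Users'; Rights = 'Modify'      }
)

foreach ($Name in 'Home', 'Profiles') {
    $Path = Join-Path -Path $Root -ChildPath $Name
    if (-not (Test-Path -Path $Path)) {
        $null = New-Item -ItemType Directory -Path $Path
    }

    $Acl = Get-Acl -Path $Path
    # Break inheritance from the drive root and discard the inherited ACEs, so a
    # leftover Everyone:Full Control on D:\ cannot flow into these folders.
    $Acl.SetAccessRuleProtection($true, $false)
    foreach ($G in $Grants) {
        $Ace = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
            -ArgumentList $G.Identity, $G.Rights, $Inherit, $Prop, $Allow
        $Acl.AddAccessRule($Ace)
    }
    Set-Acl -Path $Path -AclObject $Acl

    # The trailing $ only keeps the share out of browse lists; it is not access
    # control. Share permissions stay wide open and NTFS does the gating, which
    # is the arrangement the question proposes.
    if (-not (Get-SmbShare -Name "$Name$" -ErrorAction SilentlyContinue)) {
        $null = New-SmbShare -Name "$Name$" -Path $Path -FullAccess 'Everyone'
    }
}
```

Subfolders you create under Home inherit these ACEs, which is why administrators keep access there. Per-user folders under Profiles are created by the profile service with their own explicit ACL, so the Modify grant on the Profiles root does not reach into them; it only lets the user create the folder in the first place.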
 

Author Comment

by:NportXport
ID: 11679382

So how do you backup the profiles folder if you only have domain admins and authenticated users? Don't you need the backup or service account to have full access?

Also, lets say as an example: You had 2000 profiles. Are you saying that you would individually go in and add domain admins to each account with full access? Or is there an easier way to take ownership of profiles while maintaining each individual user rights in his/her individual profile?
0
 
LVL 2

Expert Comment

by:TASINetwork
ID: 11679832
With Roaming Profiles, the permissions are set per folder.  If you were to set the permissions on the root folder and force them down to each directory, then all folders would be accessible by all users (which you prob. don't want).

You should add your backup user to the Administrators group and the Backup Operators group.  Backup Operators can open any file for backup purposes (even if they do not specifically have access to it).  So, if you run a backup job, it will backup the profiles, you just won't be able to browse them yourself.  You can turn around and restore these files to a different location.

If you want to be able to browse the profiles though, you will have to take ownership and then re-create the permissions (including re-adding that user)
0
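A read-only audit that shows the distinction TASINetwork draws: which per-user profile folders an administrator can actually read, and which ones only report "0 bytes" because the admin cannot even read the ACL. This is an added example, not code from the thread; it assumes a current Windows host, and D:\Profiles is a placeholder path.

```powershell
# Added example, not from the thread. For each per-user folder under the
# profiles root, report the owner, whether an Administrators/Domain Admins ACE
# is present, and whether the folder is listable. Nothing is modified.
# Assumptions: modern Windows host; D:\Profiles is a placeholder.
function Get-ProfileFolderAccessReport {
    param([string]$ProfilesRoot = 'D:\Profiles')

    foreach ($Dir in Get-ChildItem -Path $ProfilesRoot -Directory -Force) {
        $Row = [ordered]@{
            Folder        = $Dir.Name
            Owner         = $null
            AdminsHaveAce = $false
            Listable      = $false
            Note          = ''
        }
        try {
            # Reading the ACL needs READ_CONTROL. A default roaming profile
            # folder grants that only to the user and SYSTEM, so for an
            # administrator this call fails and we land in the catch block.
            $Acl = Get-Acl -Path $Dir.FullName -ErrorAction Stop
            $Row.Owner = $Acl.Owner
            $Row.AdminsHaveAce = [bool]($Acl.Access | Where-Object {
                $_.AccessControlType -eq 'Allow' -and
                $_.IdentityReference.Value -match '\\(Administrators|Domain Admins)$'
            })
            # Listing needs FILE_LIST_DIRECTORY, the right Explorer uses to
            # compute the size it displays.
            $null = Get-ChildItem -Path $Dir.FullName -Force -ErrorAction Stop
            $Row.Listable = $true
        } catch {
            $Row.Note = 'only the user (and SYSTEM) can see this folder'
        }
        [pscustomobject]$Row
    }
}

Get-ProfileFolderAccessReport | Format-Table -AutoSize
```

Folders flagged in the Note column are the ones the thread is talking about. For backup you do not need to change them: a member of Backup Operators holds the backup privilege, and a tool that uses it (robocopy with `/B`, or any backup product running under that account) copies the folder contents regardless of the ACL, exactly as TASINetwork says. Taking ownership is only needed if someone must browse the folder interactively, and it replaces the ACL, so the user must be re-added afterwards or the roaming profile stops loading for them.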
 

Author Comment

by:NportXport
ID: 11680158
I do get what you are saying. You are more than halfway with the answer and I will be giving you most or all the points.

Just a few more follow up questions.

So why do you want to be able to browse the profile?

Let's say you had 10,000 users. You would go in to each user and change the permissions so that you can browse their profile? I mean, what are the benefits of browsing a user's profile? Don't you just care about the home folders where they keep their data, as opposed to the profile where their individual computer settings are kept?

By the way. On my network in the server I have some profiles who have the user as the owner and I can still browse the profile because the administrator is in with full access to that profile. How can that be?

The only way I can think of it being possible is that someone would log in locally to the server as the user and add the administrator to their profile. I checked the server's profiles and it only has administrators and my account as having logged in. They could have also deleted the profile after logging back in as administrator.

You do understand my confusion right?

0
 
LVL 2

Expert Comment

by:TASINetwork
ID: 11680358
The only reason I can think of for browsing the profile (which in most cases you would NOT need to) is to snoop around.  The profiles are stored on the user's local PC too, so you don't really need to back it up in most cases.  If either the user's PC or the server profile is available, you won't lose the user's data.  Just bring the down PC back up and the profile will recreate itself in the location that it is missing.
0
 

Author Comment

by:NportXport
ID: 11680581
TASINetwork

I just found this, and it explains that when a user profile is created and the administrator is not added, that is a bug: you should update to the newest service pack, and you must use a group policy to force the addition of the administrator to the profile.

Interesting eh?

http://support.microsoft.com/default.aspx?scid=kb;EN-US;222043
0
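A check for the policy the KB article above points to, as an added example (not code from the thread or from Microsoft). The "Add the Administrators security group to roaming user profiles" setting is a Computer Configuration policy, so it is evaluated on the machine that creates the profile folder; the function below reads the registry value that policy writes on current Windows versions. It assumes a modern Windows host and that you run it on the workstation whose behaviour you are checking.

```powershell
# Added example, not from the thread. Reports whether the policy behind KB 222043
# ("Add the Administrators security group to roaming user profiles") is configured
# on this machine, by reading the registry value the policy writes.
# Assumptions: modern Windows host; run on the computer that creates the profiles.
function Test-AdminGroupAddedToRoamingProfiles {
    $Key  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
    $Name = 'AddAdminGroupToRUP'
    $Item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $Item) {
        # Value absent: policy is Not Configured, so new profile folders get
        # the default ACL (user and SYSTEM only).
        return [pscustomobject]@{ Configured = $false; Enabled = $false }
    }
    [pscustomobject]@{ Configured = $true; Enabled = ($Item.$Name -eq 1) }
}

Test-AdminGroupAddedToRoamingProfiles
```

The policy only affects profile folders created after it takes effect; folders that already exist keep the ACL they were created with, which is why an audit of the existing Profiles tree is still worth doing after enabling it.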
 
LVL 2

Expert Comment

by:TASINetwork
ID: 11681701
Thanks for the link!  I was just dealing with this at a client the other day, and would have loved to have known this!
0
 

Author Comment

by:NportXport
ID: 11681871
So can I have some points back?

hee he ... just kiddin

I am glad it helped you.

Even though it says it in the document, I will point it out anyway that you have to change the setting in the local group policy of the computer for it to work. Or at least that is what it appears to require. In other words, this is not a Domain Group Policy.

It is helping me because I have to migrate profiles from an FFed UP domain to a new domain.

ADMT transferred the user IDs and computers, but it could not redo the SIDs, so I have to manually transfer their profiles.

Luckily there are only 70 or so users. I am logging in on one workstation with every user's account so their profile gets copied over, then I am adding the computer to the new domain and logging in with everyone's account from the new domain, then I will log in as the administrator and copy each profile from the old domain onto the corresponding account on the new domain. Finally I will set the "allowed to use profile" option to the new domain accounts.

If you know of an easier way PLEASE let me know.
0
 
LVL 2

Expert Comment

by:TASINetwork
ID: 11682122
Don't know for SURE, but it MIGHT work:
Desktop DNA (http://ca.miramar.com/Products/Small_Office)
0
 

Author Comment

by:NportXport
ID: 11682280
It doesn't look like something I can use.

Thanks anyway
0