Roaming Profiles - User folder "Taking ownership"

I've established that to view/edit contents of a user's roaming profile folder i need to take ownership as administrator. However i can't seem to give ownership of this folder back to the user. I’ve entered the username into the ownership filed and everything seems to be updated. for example i can't view the contents of the file as administrator however, when i try to login as the user i get the Access Denied roaming profile error?

i'm sure there's a simple soulution to this but there dosn't seem to be much documentation i can find on the subject of giving back ownership.

Thanks in advance,
Who is Participating?
exx1976Connect With a Mentor Commented:
Sure thing.  Here are the EXACT permissions that I grant in my environment, as well as the correct syntax to use XCACLS.


The line above, if you change %USERNAME% and %DOMAIN% to be correct for your environment, will grant full access to the SYSTEM, full access to the DOMAIN ADMINS group, and change permissions to the user.

On the parent share, you should have the share permissions set to everyone full control, and the NTFS permissions should be set to READ for Domain Users, and FULL CONTROL for SYSTEM and DOMAIN ADMINS.

Then, they are able to list the directory structure of the profiles directory, and then with the change permissions on their own directory, they are able to access it.

Let me know if there's anything else I can do to help.

You don't need to give the user ownership, just full rights, leave ownership with the admin account.  To negate this problem pre-create the base folder in the location you have specified and give the user full rights before they log on for the first time.
Not so...   The owner of the profile directory, for TS, needs to be either the ADMINISTRATORS group, or it needs to be the user who's profile it is.

In our environment, we do the following:

Use subinacl to give ownership, and use xcacls to grant access to the file to both SYSTEM and Domain Admins.

Subinacl is a freely downloadable tool from MS, as is XCACLS.  I believe they are both part of the support tools.

example usage for subinacl:

subinacl /noverbose /file c:\profiles\%username% /SETOWNER=%username%

Replace %username% with the username who's profile you are trying to fix...

Also make sure they the NTFS and Share permissions are set correctly on the parent share folder...

jonbillingsleyAuthor Commented:
thanks exx1976,

would you be able to tell me these permissions?
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.