Solved

Roaming Profiles - User folder "Taking ownership"

Posted on 2004-08-26
Last Modified: 2012-08-13
I've established that to view/edit the contents of a user's roaming profile folder I need to take ownership as administrator. However, I can't seem to give ownership of this folder back to the user. I've entered the username into the ownership field and everything seems to be updated. For example, I can't view the contents of the file as administrator; however, when I try to log in as the user I get the Access Denied roaming profile error.

I'm sure there's a simple solution to this, but there doesn't seem to be much documentation I can find on the subject of giving back ownership.

Thanks in advance,
Jon
Question by:jonbillingsley
Expert Comment

by:littlebuddah
ID: 11903270
You don't need to give the user ownership, just full rights, leave ownership with the admin account.  To negate this problem pre-create the base folder in the location you have specified and give the user full rights before they log on for the first time.
Expert Comment

by:exx1976
ID: 11909709
Not so... The owner of the profile directory, for TS, needs to be either the ADMINISTRATORS group, or it needs to be the user whose profile it is.

In our environment, we do the following:

Use subinacl to give ownership, and use xcacls to grant access to the file to both SYSTEM and Domain Admins.

Subinacl is a freely downloadable tool from MS, as is XCACLS.  I believe they are both part of the support tools.

example usage for subinacl:

subinacl /noverbose /file c:\profiles\%username% /SETOWNER=%username%

Replace %username% with the username whose profile you are trying to fix...

Also make sure that the NTFS and Share permissions are set correctly on the parent share folder...

HTH,
exx1976
Author Comment

by:jonbillingsley
ID: 11911566
Thanks exx1976,

Would you be able to tell me these permissions?
Accepted Solution

by: exx1976 (earned 150 total points)
ID: 11913889
Sure thing.  Here are the EXACT permissions that I grant in my environment, as well as the correct syntax to use XCACLS.

xcacls \\server\share\%USERNAME% /T /G SYSTEM:F "%DOMAIN%\DOMAIN ADMINS":F %USERNAME%:C /Y

The line above, if you change %USERNAME% and %DOMAIN% to be correct for your environment, will grant full access to the SYSTEM, full access to the DOMAIN ADMINS group, and change permissions to the user.

On the parent share, you should have the share permissions set to everyone full control, and the NTFS permissions should be set to READ for Domain Users, and FULL CONTROL for SYSTEM and DOMAIN ADMINS.

Then, they are able to list the directory structure of the profiles directory, and then with the change permissions on their own directory, they are able to access it.

Let me know if there's anything else I can do to help.

exx
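
The owner and grants described in the answers above can be checked across every profile folder with a read-only audit. The PowerShell below is an added example, not part of the original thread; the parameter defaults, the `Test-Grant` helper, the mapping of folder name to username and the extra-grant check are assumptions.

```powershell
# Added example: read-only audit of roaming-profile folders.
# Assumptions: -ProfileRoot and -Domain are placeholders; each folder is named
# after its user, optionally with a .V2-style version suffix.
param(
    [string]$ProfileRoot = '\\server\share',
    [string]$Domain      = 'EXAMPLE'
)

function Test-Grant {
    # True when the ACL has an Allow ACE for $Identity covering all of $Rights.
    param($Acl, [string]$Identity,
          [System.Security.AccessControl.FileSystemRights]$Rights)
    foreach ($ace in $Acl.Access) {
        if ($ace.AccessControlType -eq 'Allow' -and
            $ace.IdentityReference.Value -ieq $Identity -and
            ([int]$ace.FileSystemRights -band [int]$Rights) -eq [int]$Rights) {
            return $true
        }
    }
    return $false
}

$system = 'NT AUTHORITY\SYSTEM'
$admins = "${Domain}\Domain Admins"

foreach ($dir in Get-ChildItem -LiteralPath $ProfileRoot -Directory) {
    $user     = "${Domain}\" + ($dir.Name -replace '\.V\d+$', '')
    $acl      = Get-Acl -LiteralPath $dir.FullName
    $problems = @()

    # Owner: the profile's user or the Administrators group.
    if ($acl.Owner -ine $user -and $acl.Owner -ine 'BUILTIN\Administrators') {
        $problems += "owner is $($acl.Owner)"
    }
    # Grants from the xcacls line: SYSTEM:F, Domain Admins:F, user:C (Modify).
    if (-not (Test-Grant $acl $system 'FullControl')) { $problems += 'SYSTEM lacks F' }
    if (-not (Test-Grant $acl $admins 'FullControl')) { $problems += 'Domain Admins lacks F' }
    if (-not (Test-Grant $acl $user   'Modify'))      { $problems += 'user lacks C' }

    # Extra check, not from the thread: Allow ACEs for any other identity.
    $known = $system, $admins, $user, 'BUILTIN\Administrators', 'CREATOR OWNER'
    foreach ($ace in $acl.Access) {
        $id = $ace.IdentityReference.Value
        if ($ace.AccessControlType -eq 'Allow' -and $known -notcontains $id) {
            $problems += "extra grant: $id"
        }
    }
    [pscustomobject]@{ Folder = $dir.Name; Owner = $acl.Owner; Problems = $problems -join '; ' }
}
```

An empty `Problems` column means the folder matches the layout; an `extra grant` entry for a broad group usually means the parent folder's READ entry is inheriting into the user folders.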