Solved

Roaming Profiles - User folder "Taking ownership"

Posted on 2004-08-26
Last Modified: 2012-08-13
I've established that to view/edit the contents of a user's roaming profile folder I need to take ownership as administrator. However, I can't seem to give ownership of this folder back to the user. I've entered the username into the ownership field and everything seems to be updated. For example, I can't view the contents of the file as administrator; however, when I try to log in as the user I get the Access Denied roaming profile error.

I'm sure there's a simple solution to this, but there doesn't seem to be much documentation I can find on the subject of giving back ownership.

Thanks in advance,
Jon
Question by:jonbillingsley
 
LVL 2

Expert Comment

by:littlebuddah
ID: 11903270
You don't need to give the user ownership, just full rights, leave ownership with the admin account.  To negate this problem pre-create the base folder in the location you have specified and give the user full rights before they log on for the first time.
0
 
LVL 18

Expert Comment

by:exx1976
ID: 11909709
Not so... The owner of the profile directory, for TS, needs to be either the ADMINISTRATORS group, or it needs to be the user whose profile it is.

In our environment, we do the following:

Use subinacl to give ownership, and use xcacls to grant access to the file to both SYSTEM and Domain Admins.

Subinacl is a freely downloadable tool from MS, as is XCACLS.  I believe they are both part of the support tools.

example usage for subinacl:

subinacl /noverbose /file c:\profiles\%username% /SETOWNER=%username%

Replace %username% with the username whose profile you are trying to fix...

Also make sure that the NTFS and Share permissions are set correctly on the parent share folder...

HTH,
exx1976
0
 

Author Comment

by:jonbillingsley
ID: 11911566
Thanks exx1976,

Would you be able to tell me these permissions?
0
 
LVL 18

Accepted Solution

by:
exx1976 earned 150 total points
ID: 11913889
Sure thing.  Here are the EXACT permissions that I grant in my environment, as well as the correct syntax to use XCACLS.

xcacls \\server\share\%USERNAME% /T /G SYSTEM:F "%DOMAIN%\DOMAIN ADMINS":F %USERNAME%:C /Y

The line above, if you change %USERNAME% and %DOMAIN% to be correct for your environment, will grant full access to the SYSTEM, full access to the DOMAIN ADMINS group, and change permissions to the user.

On the parent share, you should have the share permissions set to everyone full control, and the NTFS permissions should be set to READ for Domain Users, and FULL CONTROL for SYSTEM and DOMAIN ADMINS.

Then, they are able to list the directory structure of the profiles directory, and then with the change permissions on their own directory, they are able to access it.

Let me know if there's anything else I can do to help.

exx
0
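
An added example, not part of the original thread or any poster's own script: a read-only PowerShell audit that checks each profile folder against the owner rule and the SYSTEM / Domain Admins / user grants described in the answers above. It assumes each folder under the share is named after its user and an English-language system (group names); `\\server\share` and `EXAMPLE` are placeholders.

```powershell
# Added example: audit roaming-profile folders against the layout described in this thread.
# Assumptions: folder name == user name; $Domain is the NetBIOS domain; English group names.
param(
    [string]$ProfileRoot = '\\server\share',   # placeholder path, as written in the thread
    [string]$Domain      = 'EXAMPLE'           # placeholder domain name
)

# xcacls "F" maps to FullControl, "C" (change) maps to Modify.
$Full   = [System.Security.AccessControl.FileSystemRights]::FullControl
$Modify = [System.Security.AccessControl.FileSystemRights]::Modify

function Test-Grant {
    param($Acl, [string]$Identity, $Rights)
    # True when one Allow ACE for $Identity carries every bit of $Rights
    # (so a FullControl ACE also satisfies a Modify requirement).
    foreach ($ace in $Acl.Access) {
        if ($ace.AccessControlType -eq 'Allow' -and
            $ace.IdentityReference.Value -ieq $Identity -and
            ($ace.FileSystemRights -band $Rights) -eq $Rights) { return $true }
    }
    return $false
}

Get-ChildItem -LiteralPath $ProfileRoot -Directory | ForEach-Object {
    $user     = $_.Name
    $acl      = Get-Acl -LiteralPath $_.FullName
    $owner    = $acl.Owner
    $problems = @()

    # Owner rule from the thread: the user, or the Administrators group.
    if ($owner -ine "$Domain\$user" -and $owner -ine 'BUILTIN\Administrators') {
        $problems += "owner is $owner"
    }
    if (-not (Test-Grant $acl 'NT AUTHORITY\SYSTEM' $Full))   { $problems += 'SYSTEM lacks Full Control' }
    if (-not (Test-Grant $acl "$Domain\Domain Admins" $Full)) { $problems += 'Domain Admins lacks Full Control' }
    if (-not (Test-Grant $acl "$Domain\$user" $Modify))       { $problems += "$user lacks Change (Modify)" }

    # One row per folder; Status lists every deviation found, or OK.
    [pscustomobject]@{
        Folder = $_.FullName
        Owner  = $owner
        Status = if ($problems) { $problems -join '; ' } else { 'OK' }
    }
}
```

The script only reads ACLs, so it can be run before and after a subinacl/xcacls fix to confirm which folders changed.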
