ola_erik asked:
NTFS Permissions on local copies of roaming profiles

Question:
Where do I restrict the permissions on local copies of roaming profiles folders that will be created in the future?


I have SBS2003 and approximately ten WinXP Pro clients; folder redirection and roaming profiles are both on.

So user X goes to user Y's workstation, logs on with his account x and then logs off.
Now user Y logs on to his workstation with his account y and has read rights to the profile of account x, which is now on his drive under C:\Documents and Settings\UserXaccount.

The folder on the server which holds the profiles has really tight permissions; not even the SBS2003 administrator can access it, though it backs up and restores nicely from backup.

So the permissions from the server don't carry over nicely to the workstations. A local admin will always have the possibility to take ownership of the files; I can live with that, I need my users to be local admins, unfortunately.

But still:
Where do I restrict the permissions on local copies of roaming profile folders that will be created in the future?

regards

Kristofer
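To see what is actually on the workstation side of this question, here is an added PowerShell audit script; it is not from the original thread. It walks the locally cached profile folders under the XP/2003 profile root and reports every Allow entry granted to a principal other than SYSTEM, BUILTIN\Administrators or the profile's own account, and with -Fix it rewrites each offending folder's ACL to exactly those three principals (inheritance from the root broken). Assumptions: PowerShell 2.0 or later on the workstation, run from an elevated prompt; the default root path is the XP one, and the folder name is assumed to match the account name (the owner recorded on the folder is accepted as well, to cover "user.DOMAIN" style folder names).

```powershell
# Added example (not from the original thread): audit and optionally
# tighten the ACLs of locally cached roaming profile folders.
param(
    [string]$ProfileRoot = 'C:\Documents and Settings',   # assumed XP default
    [switch]$Fix
)

# Principals that belong on every cached profile folder.
$expected = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')
# Folders under the root that are not user profiles (assumed XP layout).
$skip = @('All Users', 'Default User', 'LocalService', 'NetworkService')

function Get-UnexpectedAces {
    param([System.IO.DirectoryInfo]$Folder)
    $acl = Get-Acl -Path $Folder.FullName
    foreach ($ace in $acl.Access) {
        $who = $ace.IdentityReference.Value
        # The owner (normally the account itself) and a name match on the
        # folder name are both accepted as "the profile's own user".
        $ok = ($expected -contains $who) -or ($who -eq $acl.Owner) -or
              ($who -like ('*\' + $Folder.Name))
        if (-not $ok -and $ace.AccessControlType -eq 'Allow') {
            New-Object PSObject -Property @{
                Profile   = $Folder.Name
                Principal = $who
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

function Set-CachedProfileAcl {
    param([System.IO.DirectoryInfo]$Folder)
    $acl = Get-Acl -Path $Folder.FullName
    # Break inheritance from the profile root, discard the inherited ACEs,
    # then remove any explicit ACEs that remain.
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($rule in @($acl.Access)) { [void]$acl.RemoveAccessRule($rule) }
    # If the folder is owned by Administrators (e.g. created by an admin)
    # fall back to the folder name; an unresolvable name throws before
    # anything is written, which is the safe failure.
    $account = $acl.Owner
    if ($expected -contains $account) { $account = $Folder.Name }
    foreach ($principal in ($expected + $account)) {
        $ruleArgs = $principal, 'FullControl', 'ContainerInherit, ObjectInherit', 'None', 'Allow'
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $ruleArgs
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $Folder.FullName -AclObject $acl
}

$profiles = Get-ChildItem -Path $ProfileRoot |
    Where-Object { $_.PSIsContainer -and ($skip -notcontains $_.Name) }

$findings = @()
foreach ($folder in $profiles) {
    $bad = @(Get-UnexpectedAces -Folder $folder)
    $findings += $bad
    if ($Fix -and $bad.Count -gt 0) { Set-CachedProfileAcl -Folder $folder }
}
$findings | Format-Table Profile, Principal, Rights, Inherited -AutoSize
```

If the audit reports nothing, the cached profiles already carry only the user, SYSTEM and Administrators, which is what Windows writes when it creates the folder; the exposure described in the question then comes purely from user Y being a member of the local Administrators group, and no ACL change on the folder can close that, because an administrator can take ownership and re-grant access at will. The script only helps where inherited or extra entries (for example Users or Everyone) have crept in.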
dhoustonie

What software do you have installed on the computers?
If it is just the basic software that comes with SBS and Microsoft Office, you should be able to remove Domain Users from the local Administrators security group.
The SBS client install requires admin rights on the desktops to install software such as Outlook and needs access to write to the registry; once the programs are installed you do not need the same ability to write to the registry, and in general only need to read certain keys.
If you have a legacy program or a program that explicitly requires local admin rights, you may still be able to reduce the rights of the user so that they do not have to be part of the local Administrators security group, by using Process Explorer from www.sysinternals.com to find out which registry keys are used.

http://www.sysinternals.com/Utilities/ProcessExplorer.html

Check here to see programs that are badly written and unforgivably require more rights than they should:
http://www.threatcode.com/

Hope this helps

David Houston
ola_erik (ASKER)

Thank you for your answer.

They use Office including Outlook, Photoshop and CorelDraw. Some use dedicated apps for special printers. We use one old DOS app.

I agree with your description of the situation. Though I'm not employed by that particular company full time, and me having to visit every time they want to install a new demo version of some custom app they use isn't really viable.

I've considered making them Power Users, hoping this will lessen their access to the roaming profiles of other users, though this restricts their ability to install new applications. Only applications which "do not alter the system files of Windows" will be installed. Where this line is drawn is not clear.
dhoustonie
You have a couple of options that you could do:
1) Create a dedicated admin account for installing new software and hardware; this at least mitigates some of the problem.

2) If they have a dedicated internet connection such as broadband, you could remote desktop (RDP) into the server and change their permissions to domain admin for the limited time they require to install the application.

3) As the machine is XP Pro, you could RDP directly to the desktop and make the change to local admin for a short period of time, and drop them back to Power Users or standard user privileges.

Hope this helps some more,

David
Jeffrey Kane - TechSoEasy
ola_erik,

On SBS, it's suggested that you don't include My Documents, Application Data or Desktop when configuring a Roaming Profile. For files, you would instead use My Documents Folder Redirection, which would then keep all documents on the server in secured folders. A wizard for Folder Redirection is on your server under Users in the Server Management Console.

What items in the locally cached profile are of concern to you?

You should also follow the guidance from http://sbsurl.com/postinstall for other issues regarding Roaming Profiles, especially the configuration of the DFS ROOT, which is required for SBS to handle the profiles correctly. Following these guidelines will give you the information you need to create a GPO which will enable these settings for all users added in the future.

Jeff
TechSoEasy
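The two Group Policy settings behind the advice above (trimming what roams, and not leaving a cached copy behind on the workstation) are plain registry values once applied, so they can be checked on any client and, on a machine that is not yet under Group Policy, set by hand. The following PowerShell is an added example, not from the thread or from Microsoft's documentation; the policy paths and value names are the standard ones for "Delete cached copies of roaming profiles" (computer policy, DeleteRoamingCache) and "Exclude directories in roaming profile" (user policy, ExcludeProfileDirs, semicolon-separated and relative to the profile root). The exclusion list in Set-ProfilePolicy is an assumed example; Desktop is deliberately left roaming because the asker wants it backed up with the profile.

```powershell
# Added example (not from the original thread): read and set the two
# User Profiles policies as the registry values a GPO would write.
#   Computer Configuration\Administrative Templates\System\User Profiles\
#     "Delete cached copies of roaming profiles" -> HKLM ...\System\DeleteRoamingCache (DWORD 1)
#   User Configuration\Administrative Templates\System\User Profiles\
#     "Exclude directories in roaming profile"   -> HKCU ...\System\ExcludeProfileDirs (REG_SZ "a;b;c")
$machineKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
$userKey    = 'HKCU:\SOFTWARE\Policies\Microsoft\Windows\System'

function Get-ProfilePolicy {
    # Missing keys or values simply read back as "not set".
    $delete  = (Get-ItemProperty -Path $machineKey -Name DeleteRoamingCache -ErrorAction SilentlyContinue).DeleteRoamingCache
    $exclude = (Get-ItemProperty -Path $userKey    -Name ExcludeProfileDirs -ErrorAction SilentlyContinue).ExcludeProfileDirs
    $dirs = @()
    if ($exclude) { $dirs = $exclude -split ';' }
    New-Object PSObject -Property @{
        DeleteCachedCopyAtLogoff = ($delete -eq 1)
        ExcludedDirectories      = $dirs
    }
}

function Set-ProfilePolicy {
    param(
        [bool]$DeleteCachedCopy = $true,
        # Assumed example list: cache-only folders that have no business roaming.
        [string[]]$Exclude = @('Local Settings', 'Temp', 'History', 'Temporary Internet Files')
    )
    foreach ($key in $machineKey, $userKey) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    }
    New-ItemProperty -Path $machineKey -Name DeleteRoamingCache -PropertyType DWord  -Value ([int]$DeleteCachedCopy) -Force | Out-Null
    New-ItemProperty -Path $userKey    -Name ExcludeProfileDirs -PropertyType String -Value ($Exclude -join ';')    -Force | Out-Null
    Get-ProfilePolicy
}

# Usage: Get-ProfilePolicy   (report)   /   Set-ProfilePolicy   (apply locally, then report)
Get-ProfilePolicy | Format-List
```

DeleteRoamingCache is the setting that speaks most directly to the question: when the cached copy is removed at logoff there is nothing under C:\Documents and Settings\UserX for the next user to read, whatever their group membership. Two caveats: the copy is only removed when the profile unloads cleanly at logoff (a process holding the profile hive open leaves it behind), and every logon then copies the whole profile down from the server, which is another reason to keep the roaming part small with ExcludeProfileDirs. Setting HKCU by hand only covers the user who runs the script; the GPO is what makes it apply to every account, including those created later.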
ola_erik (ASKER)
TechSoEasy,

Hmm, I'm not using GPOs actively yet, though I know they are there and can be quite powerful; thanks for reminding me.
This means I'm not managing roaming profiles from the GPO settings but from the user settings (typing a unique path for each user in their property window, Profile tab).

It's the desktop that is of immediate concern to me; the "My documents" folder is included in the profile since I use folder redirection.

From where I stand, roaming profiles seem like a nice way to backup the desktop, favorites, application data etc. If these files are not in the roaming profile they are not backed up.

*will read up on the link you provided*
It should be:
the "My documents" folder is _not_ included in the profile...

and nothing else :-)
ASKER CERTIFIED SOLUTION
Jeffrey Kane - TechSoEasy