NTFS Permissions on local copies of roaming profiles

Where do I restrict the permissions on local copies of roaming profile folders that will be created in the future?

I have SBS2003 and approximately ten WinXP Pro clients; folder redirection and roaming profiles are both on.

So user X goes to user Y's workstation, logs on with his account x and then logs off.
Now user Y logs on to his workstation with his account y and has read rights to the profile from account x, which is now on his drive under C:\Documents and Settings\UserXaccount.

The folder on the server which holds the profiles has really tight permissions; not even the SBS2003 administrator can access it, though it backs up and restores nicely.

So the permissions from the server don't carry over nicely to the workstations. A local admin will always have the possibility of taking ownership of the files; I can live with that. I need my users to be local admins, unfortunately.

But still:
Where do I restrict the permissions on local copies of roaming profile folders that will be created in the future?



David Houston commented:

What software do you have installed on the computers?
If it is just the basic software that comes with SBS and Microsoft Office, you should be able to remove Domain Users from the local Administrators security group.
The SBS client install requires admin rights on the desktops to install software such as Outlook, and needs access to write to the registry. Once the programs are installed you do not need the same ability to write to the registry, and in general only need to read certain keys.
If you have a legacy program, or a program that explicitly requires local admin rights, you may still be able to reduce the rights of the user so that they do not have to be part of the local Administrators security group, by using Process Explorer from www.sysinternals.com to find out which registry keys are used.

Check here to see programs that are badly written and unforgivably require more rights than they should:

Hope this helps

David Houston
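The following PowerShell script is an added example, not code from the thread or from either poster. It checks on one workstation the two things discussed above: who holds read access to each locally cached profile folder, and who is a member of the local Administrators group. Profile paths are read from the ProfileList registry key that Windows maintains for every profile it has loaded; the exclusion of the profile owner and SYSTEM from the report is this example's own choice. It assumes PowerShell 2.0 or later and that it is run as a local administrator.

```powershell
# Added example: audit locally cached profile folders on one workstation.
# Not code from the thread. Assumes PowerShell 2.0+ and a local-admin session.

# Windows records every profile it has ever loaded here, keyed by user SID.
$ProfileListKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

function Resolve-Sid {
    param([string]$Sid)
    # Orphaned profiles (deleted accounts) cannot be translated; keep the raw SID.
    try {
        $id = New-Object System.Security.Principal.SecurityIdentifier $Sid
        $id.Translate([System.Security.Principal.NTAccount]).Value
    } catch { $Sid }
}

function Get-ProfileFolderReaders {
    # Reports every Allow ACE on a cached profile folder that grants read
    # access to someone other than the profile owner or SYSTEM. The
    # BUILTIN\Administrators entry is reported on purpose: it is the entry
    # through which any local admin reads another user's cached profile.
    foreach ($key in Get-ChildItem $ProfileListKey) {
        $sid  = $key.PSChildName
        $path = (Get-ItemProperty $key.PSPath).ProfileImagePath
        if (-not $path -or -not (Test-Path $path)) { continue }
        $owner = Resolve-Sid $sid

        foreach ($ace in (Get-Acl -Path $path).Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            $who = $ace.IdentityReference.Value
            if ($who -eq $owner -or $who -eq 'NT AUTHORITY\SYSTEM') { continue }
            $rights = [int]$ace.FileSystemRights
            # ReadData (bit 0) is part of Read, Modify and FullControl; the high
            # bits are set on generic-rights ACEs (GENERIC_READ / GENERIC_ALL).
            $canRead = (($rights -band 1) -ne 0) -or (($rights -band 0xF0000000) -ne 0)
            if (-not $canRead) { continue }
            New-Object PSObject -Property @{
                Profile   = $path
                Owner     = $owner
                Reader    = $who
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

function Get-LocalAdministrators {
    # Lists the members of the local Administrators group through the ADSI
    # WinNT provider, which works on XP as well as later versions. A domain
    # group such as DOMAIN\Domain Users appearing here means every domain user
    # is a local admin and so reads other profiles via the Administrators ACE.
    $group = [ADSI]'WinNT://./Administrators,group'
    foreach ($m in $group.psbase.Invoke('Members')) {
        $name    = $m.GetType().InvokeMember('Name', 'GetProperty', $null, $m, $null)
        $adsPath = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        New-Object PSObject -Property @{ Member = $name; Source = $adsPath }
    }
}

"== Identities other than the owner and SYSTEM that can read a cached profile =="
Get-ProfileFolderReaders | Format-Table Profile, Owner, Reader, Rights, Inherited -AutoSize

"== Members of the local Administrators group =="
Get-LocalAdministrators | Format-Table Member, Source -AutoSize
```

Read the two tables together: the first will normally show only BUILTIN\Administrators (plus any inherited entry from the parent folder) next to each profile, and the second shows who that group actually resolves to on the workstation. If the second table contains the domain's Domain Users group, removing it, as suggested above, is what closes the read path; changing the ACL on the folders themselves does not help while the reader is still an administrator who can take ownership.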
ola_erik (Author) commented:
thank you for your answer,

They use Office including Outlook, Photoshop and CorelDraw. Some use dedicated apps for special printers. We use one old DOS app.

I agree with your description of the situation. Though I'm not employed by that particular company full time, and my having to visit every time they want to install a new demo version of some custom app they use isn't really viable.

I've considered making them Power Users, hoping this will lessen their access to the roaming profiles of other users, though this restricts their ability to install new applications. Only applications which "do not alter the system files of Windows" will be installed. Where this line is drawn is not clear.

David Houston commented:

You have a couple of options that you could do:
1) Create a dedicated admin account for installing new software and hardware; this at least mitigates some of the problem.

2) If they have a dedicated internet connection such as broadband, you could remote desktop (RDP) into the server and change their permissions to domain admin for the limited time they require to install the application.

3) As the machine is XP Pro you could RDP directly to the desktop and make the change to local admin for a short period of time, then drop them back to Power User or standard user privileges.

Hope this helps some more,


Jeffrey Kane - TechSoEasy (Principal Consultant) commented:

On SBS, it's suggested that you don't include My Documents, Application Data or Desktop when configuring a roaming profile.  For files, you would instead use My Documents Folder Redirection, which would then keep all documents on the server in secured folders.  A wizard for Folder Redirection is on your server under Users in the Server Management Console.

What items in the locally cached profile are of concern to you?

You should also follow the guidance from http://sbsurl.com/postinstall for other issues regarding roaming profiles, especially the configuration of the DFS root which is required for SBS to handle the profiles correctly.  Following these guidelines will provide you with the information you need to create a GPO which will enable these settings for all users added in the future.

ola_erik (Author) commented:

Hmm, I'm not using GPOs actively yet, though I know they are there and can be quite powerful; thanks for reminding me.
This means I'm not managing roaming profiles from the GPO settings but from the user settings (typing a unique path for each user in their property window, Profile tab).

It's the desktop that is of immediate concern to me; the "My Documents" folder is included in the profile since I use folder redirection.

From where I stand, roaming profiles seem like a nice way to back up the desktop, favorites, application data etc. If these files are not in the roaming profile they are not backed up.

*will read up on the link you provided*
ola_erik (Author) commented:
It should be:
the "My Documents" folder is _not_ included in the profile...

and nothing else :-)
Jeffrey Kane - TechSoEasy (Principal Consultant) commented:
Well, you ARE using GPOs, because the default configuration of SBS has about 10 of them that are active.

And the "My Documents" folder would NOT be included in the profile if you use folder redirection... it would be placed in the \\SERVERNAME\USERS\%username% share.   When you say you are using "folder redirection", did you run the Configure My Documents Folder Redirection Wizard?  Because that would create a GPO that does this for you.

The reason it's suggested that you don't include Desktop and Application Data in roaming profiles is that you are better off using folder redirection for these items.  They tend to have large files in them, and therefore it's not practical to have them "roam", because it could take quite a long time for people to log on and off.  The other advantage is that the files which are redirected to the server share are protected not only by your regular backups, but by the Volume Shadow Copy Service, which takes a snapshot of server shares each day at 7:00am and 12:00 noon, allowing users to revert to a previous version from anywhere within about the last 30 days!

The service and the Shadow Copy clients are automatically installed when you follow the best-practices method of adding workstations to your network (with http://<servername>/connectcomputer).  More info on VSS is here:
But remember you don't have to do any of this manual configuration on an SBS.

If you read through the PostInstall paper I linked above you'll understand this better.
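As an added example (not code from the thread or from the posters), the PowerShell script below lets a workstation show which of the folders discussed above actually leave the machine, and whether anything is set to stop the cached roaming profile from persisting after logoff. It reads the per-user "User Shell Folders" registry values that the Folder Redirection GPO rewrites to UNC paths, and the computer-policy value DeleteRoamingCache, which is what the Group Policy setting "Delete cached copies of roaming profiles" (Computer Configuration > Administrative Templates > System > User Profiles) writes; that setting is not mentioned on this page but is the standard control for the cached copy the question is about. The set of folders checked is the example's own choice; it assumes PowerShell 2.0 or later and is run as the user being examined.

```powershell
# Added example: report folder redirection state for the current user and
# whether cached roaming profiles are deleted at logoff. Not code from the
# thread. Assumes PowerShell 2.0+; run as the user whose folders you want to see.

function Get-ShellFolderRedirection {
    # The Folder Redirection GPO changes these per-user values to UNC paths.
    # Anything still pointing at a local path is part of the profile and is
    # therefore cached on the workstation under the user's profile folder.
    $ushell = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'
    $props  = Get-ItemProperty -Path $ushell
    # Registry value name -> folder name as users see it (example's own selection)
    $names  = @{
        'Desktop'   = 'Desktop'
        'Personal'  = 'My Documents'
        'AppData'   = 'Application Data'
        'Favorites' = 'Favorites'
    }
    foreach ($value in $names.Keys) {
        $path = $props.$value          # REG_EXPAND_SZ is already expanded here
        New-Object PSObject -Property @{
            Folder     = $names[$value]
            Path       = $path
            Redirected = [bool]($path -and $path.StartsWith('\\'))
        }
    }
}

function Test-DeleteRoamingCache {
    # "Delete cached copies of roaming profiles" writes DeleteRoamingCache=1
    # under the computer policy key when enabled; absent or 0 means the cached
    # copy stays on disk after logoff and remains readable by local admins.
    $pol = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
    $v   = Get-ItemProperty -Path $pol -Name DeleteRoamingCache -ErrorAction SilentlyContinue
    [bool]($v -and $v.DeleteRoamingCache -eq 1)
}

Get-ShellFolderRedirection | Format-Table Folder, Redirected, Path -AutoSize

if (Test-DeleteRoamingCache) {
    'Cached roaming profiles are deleted at logoff on this workstation.'
} else {
    'Cached roaming profiles persist on this workstation after logoff.'
}
```

A folder reported as Redirected = True is never part of the roaming profile and never lands in C:\Documents and Settings\<user> on another user's workstation; it lives on the server share with the server's ACLs and is covered by the shadow copies described above. Anything reported as Redirected = False still roams, and the second line tells you whether a copy of it is left behind for the next local administrator to read.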

