NTFS Permissions on local copies of roaming profiles

Posted on 2006-04-26
Last Modified: 2008-02-01
Question:
Where do I restrict the permissions on local copies of roaming profile folders that will be created in the future?

I have SBS2003 and approx. ten WinXP Pro clients; folder redirection and roaming profiles are both on.

So user X goes to user Y's workstation, logs on with his account x and then logs off.
Now user Y logs on to his workstation with his account y and has read rights to the profile from account x, now on his drive under C:/Documents and Settings/UserXaccount

The folder on the server which holds the profiles has really tight permissions; not even the SBS2003 administrator can access it, though it backs up and restores nicely from backup.

So the permissions from the server don't transmit nicely to the workstations. A local admin will always have the possibility to take ownership of the files; I can live with that, I need my users to be local admins unfortunately.

But still:
Where do I restrict the permissions on local copies of roaming profile folders that will be created in the future?

regards

Kristofer
Question by:ola_erik
LVL 8

Expert Comment

by:dhoustonie
ID: 16557759
What software do you have installed on the computers?
If it is just the basic software that comes with SBS and Microsoft Office, you should be able to remove the Domain Users from the local Administrators security group.
The SBS client install requires admin rights on the desktops to install software such as Outlook and needs access to write to the registry; once the programs are installed you do not need the same abilities to write to the registry, and in general only need to read certain keys.
If you have a legacy program or a program that explicitly requires local admin rights, you may still be able to reduce the rights of the user so that they do not have to be part of the local Administrators security group, by using www.sysinternals.com and their Process Explorer to find out which registry keys are used.

http://www.sysinternals.com/Utilities/ProcessExplorer.html

Check here to see programs that are badly written and unforgivably require more rights than they should:
http://www.threatcode.com/

Hope this helps

David Houston
LVL 3

Author Comment

by:ola_erik
ID: 16568435
Thank you for your answer.

They use Office including Outlook, Photoshop and CorelDraw. Some use dedicated apps for special printers. We use one old DOS app.

I agree with your description of the situation. Though I'm not employed by that particular company full time, and me having to visit every time they want to install a new demo version of some custom app they use isn't really viable.

I've considered making them Power Users, hoping this will lessen their access to the roaming profiles of other users, though this restricts their ability to install new applications. Only applications which "do not alter the system files of Windows" will be installed. Where this line is drawn is not clear.

LVL 8

Expert Comment

by:dhoustonie
ID: 16569139
You have a couple of options that you could do:
1) Create a dedicated admin account for installing new software and hardware; this at least mitigates some of the problem.

2) If they have a dedicated internet connection such as broadband, you could remote desktop (RDP) into the server and change their permissions to domain admin for the limited time they require to install the application.

3) As the machine is XP Pro, you could RDP directly to the desktop and make the change to local admin for a short period of time, and drop them back to Power Users or standard user privileges.

Hope this helps some more,

David
LVL 74

Expert Comment

by:Jeffrey Kane - TechSoEasy
ID: 16572253
ola_erik,

On SBS, it's suggested that you don't include My Documents, Application Data or Desktop when configuring a Roaming Profile.  For files, you would instead use My Documents Folder Redirection, which would then keep all documents on the server in secured folders.  A wizard for Folder Redirection is on your server under Users in the Server Management Console.

What items in the locally cached profile are of concern to you?

You should also follow the guidance from http://sbsurl.com/postinstall for other issues regarding Roaming Profiles.  Especially the configuration of the DFS ROOT, which is required for SBS to handle the profiles correctly.  Following these guidelines will provide you the information you need to create a GPO which will enable these settings for all users added in the future.

Jeff
TechSoEasy
LVL 3

Author Comment

by:ola_erik
ID: 16572668
TechSoEasy,

Hmm, I'm not using GPOs actively yet, though I know they are there and can be quite powerful; thanks for reminding me.
---------->
This means I'm not managing roaming profiles from the GPO settings but from the user settings (typing a unique path for each user in their property window, Profile tab).

It's the desktop that is of immediate concern to me; the "My Documents" folder is included in the profile since I use folder redirection.

From where I stand, roaming profiles seem like a nice way to back up the desktop, favorites, application data etc. If these files are not in the roaming profile they are not backed up.

*will read up on the link you provided*
LVL 3

Author Comment

by:ola_erik
ID: 16572680
It should be:
the "My Documents" folder is _not_ included in the profile...

and nothing else :-)
LVL 74

Accepted Solution

by:
Jeffrey Kane - TechSoEasy earned 1000 total points
ID: 16573679
Well, you ARE using GPOs, because the default configuration of SBS has about 10 of them that are active.  

And the "My Documents" folder would NOT be included in the profile if you use folder redirection... it would place it in the \\SERVERNAME\USERS\%username% share.   When you say you are using "folder redirection", did you run the Configure My Documents Folder Redirection Wizard?  Because that would create a GPO that does this for you.

The reason that it's suggested that you don't include Desktop and Application Data in roaming profiles is that you are better off using folder redirection for these items.  They can tend to have large files in them and therefore it's not practical to have them "roam", because it could take quite a long time for people to log on and off.  The other advantage is that the files which are redirected to the server share are protected not only by your regular backups, but by Volume Shadow Copy Service, which takes a snapshot of server shares each day at 7:00am and 12:00 noon, allowing users to revert back to a previous version from anywhere within about the last 30 days!

The service and the Shadow Copy clients are automatically installed when you follow the best practices method of adding workstations to your network (with http://<servername>/connectcomputer).  More info on VSS is here:
http://www.windowsnetworking.com/articles_tutorials/Windows-Server-2003-Volume-Shadow-Copy-Service.html
but remember you don't have to do any of this manual configuration on an SBS.

If you read through the PostInstall paper I linked above, you'll understand this better.

Jeff
TechSoEasy
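The original concern in this thread, other local users being able to read the cached copy of a roaming profile, can be checked on each workstation directly. The following PowerShell script is an added example, not code from the thread or from Microsoft: it walks the profile root (assumed here to be the XP-style `C:\Documents and Settings`; the folder name and the list of broad groups are assumptions) and reports any ACE that grants a broad group read access to a user's cached profile, with an optional `-Remediate` switch that removes those entries after breaking inheritance.

```powershell
# Added example: audit NTFS ACLs on locally cached profile folders and report
# entries that let broad groups read another user's profile.
# Assumes an XP-style profile root; pass -ProfileRoot 'C:\Users' on newer hosts.
function Find-ExposedProfileAcl {
    param(
        [string]$ProfileRoot = 'C:\Documents and Settings',   # assumption
        [switch]$Remediate
    )
    # Groups that should not hold read rights on someone else's profile (assumed list).
    $broad = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone',
               'NT AUTHORITY\INTERACTIVE')
    $read  = [System.Security.AccessControl.FileSystemRights]::ReadData
    # System profiles that are shared by design and must be left alone.
    $skip  = @('All Users', 'Default User', 'LocalService', 'NetworkService')

    Get-ChildItem -LiteralPath $ProfileRoot |
      Where-Object { $_.PSIsContainer -and ($skip -notcontains $_.Name) } |
      ForEach-Object {
        $dir = $_.FullName
        $acl = Get-Acl -LiteralPath $dir
        $bad = @($acl.Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $broad -contains $_.IdentityReference.Value -and
            (($_.FileSystemRights -band $read) -ne 0)
        })
        foreach ($rule in $bad) {
            New-Object PSObject -Property @{
                Profile   = $dir
                Identity  = $rule.IdentityReference.Value
                Rights    = $rule.FileSystemRights
                Inherited = $rule.IsInherited
            }
        }
        if ($Remediate -and $bad.Count -gt 0) {
            # Stop inheriting from the parent (keeping copies of the current ACEs),
            # then remove the offending entries as explicit rules.
            $acl.SetAccessRuleProtection($true, $true)
            Set-Acl -LiteralPath $dir -AclObject $acl
            $acl = Get-Acl -LiteralPath $dir
            $toRemove = @($acl.Access | Where-Object {
                $_.AccessControlType -eq 'Allow' -and
                $broad -contains $_.IdentityReference.Value
            })
            foreach ($rule in $toRemove) { [void]$acl.RemoveAccessRule($rule) }
            Set-Acl -LiteralPath $dir -AclObject $acl
        }
      }
}

# Report only; add -Remediate to strip the broad read entries.
Find-ExposedProfileAcl | Format-Table -AutoSize
```

Run it from an elevated prompt on the workstation; as the original poster notes, a local administrator can still take ownership of the folder, so the script limits what non-admin accounts can read but is not a control against local admins.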