NTFS Permissions on local copies of roaming profiles

Posted on 2006-04-26
Last Modified: 2008-02-01
Where do I restrict the permissions on local copies of roaming profiles folders that will be created in the future?

I have SBS2003 and approx ten WinXP Pro Clients, folder redirection and roaming profiles are both on.

So user X goes to user Y's workstation, logs on with his account x and then logs off.
Now user Y logs on to his workstation with his account y and has read rights to the profile from account x, which is now on his drive under C:\Documents and Settings\UserXaccount.

The folder on the server which holds the profiles has really tight permissions; not even the SBS2003 administrator can access it, though it backs up and restores nicely from backup.

So the permissions from the server don't transmit nicely to the workstations. A local admin will always have the possibility to take ownership of the files; I can live with that, I need my users to be local admins unfortunately.

But still:
Where do I restrict the permissions on local copies of roaming profiles folders that will be created in the future?

Question by: ola_erik
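The symptom described above (another user's cached profile readable under Documents and Settings) can be checked directly on a workstation. The script below is an added example and is not from the thread or from any SBS tooling: it walks the local profile root and reports every Allow ACE on a profile folder that is granted to someone other than the folder's owner, SYSTEM or the local Administrators group. The profile root path, the list of excluded system folders and the set of "expected" principals are assumptions for this example; adjust them to the workstation being checked.

```powershell
# Added example, not part of the original thread.
# Audit locally cached profile folders for access granted to principals other than
# the profile owner, SYSTEM and Administrators. Run in an elevated PowerShell
# session on the workstation.
param(
    # Assumption: XP keeps profiles under "Documents and Settings", Vista and later under "Users".
    [string]$ProfileRoot = $(if (Test-Path 'C:\Users') { 'C:\Users' } else { 'C:\Documents and Settings' })
)

# Folders under the profile root that are not per-user profiles (assumed list).
$skipFolders = @('All Users', 'Default User', 'Default', 'Public')

# Principals that are normally present on every profile folder (assumed baseline).
$expectedPrincipals = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')

function Get-ProfileAclFindings {
    param([string]$Root)

    $findings = @()
    $profileDirs = Get-ChildItem -Path $Root -ErrorAction SilentlyContinue |
        Where-Object { $_.PSIsContainer -and ($skipFolders -notcontains $_.Name) }

    foreach ($dir in $profileDirs) {
        try {
            $acl = Get-Acl -Path $dir.FullName
        } catch {
            Write-Warning ("Cannot read ACL on {0}: {1}" -f $dir.FullName, $_)
            continue
        }

        foreach ($ace in $acl.Access) {
            # Only Allow entries can widen access; Deny entries are not a finding.
            if ($ace.AccessControlType -ne 'Allow') { continue }

            $principal = $ace.IdentityReference.Value
            if ($principal -eq $acl.Owner) { continue }
            if ($expectedPrincipals -contains $principal) { continue }

            # Anything left (Users, Everyone, Authenticated Users, another account)
            # means other logons on this machine can reach the cached profile.
            $findings += New-Object PSObject -Property @{
                Profile   = $dir.FullName
                Owner     = $acl.Owner
                Principal = $principal
                Rights    = $ace.FileSystemRights.ToString()
                Inherited = $ace.IsInherited
            }
        }
    }
    return $findings
}

$results = Get-ProfileAclFindings -Root $ProfileRoot
if ($results.Count -eq 0) {
    Write-Host "No profile folder under $ProfileRoot grants access beyond owner, SYSTEM and Administrators."
} else {
    $results | Sort-Object Profile, Principal |
        Format-Table Profile, Owner, Principal, Rights, Inherited -AutoSize
}
```

Inherited entries in the output point at the profile root's own ACL (the new profile folder inherited them when it was created), which is the place to fix for profiles created in the future; explicit entries on a single folder are a one-off correction. A profile whose owner shows as BUILTIN\Administrators rather than the user will list the user's own ACE as a finding, which is itself worth noting since it usually means the folder was not created by the normal profile load.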
    LVL 8

    Expert Comment

    What software do you have installed on the computers?
    If it is just the basic software that comes with SBS and Microsoft Office, you should be able to remove Domain Users from the local Administrators security group.
    The SBS client install requires admin rights on the desktops to install software such as Outlook and needs access to write to the registry; once the programs are installed you do not need the same abilities to write to the registry, and in general only need to read certain keys.
    If you have a legacy program or a program that explicitly requires local admin rights, you may still be able to reduce the rights of the user so that they do not have to be part of the local Administrators security group by using Process Explorer to find out which registry keys are used.

    Check here to see programs that are badly written and unforgivably require more rights than they should:

    Hope this helps

    David Houston
    LVL 3

    Author Comment

    thank you for your answer,

    They use Office including Outlook, Photoshop and CorelDraw. Some use dedicated apps for special printers. We use one old DOS app.

    I agree with your description of the situation. Though I'm not employed by that particular company full time, and me having to visit every time they want to install a new demo version of some custom app they use isn't really viable.

    I've considered making them Power Users, hoping this will lessen their access to the roaming profiles of other users, though this restricts their ability to install new applications. Only applications which "do not alter the system files of Windows" will be installed. Where this line is drawn is not clear.

    LVL 8

    Expert Comment

    You have a couple of options:
    1) Create a dedicated admin account for installing new software and hardware; this at least mitigates some of the problem.

    2) If they have a dedicated internet connection such as broadband, you could Remote Desktop (RDP) into the server and change their permissions to Domain Admin for the limited time they require to install the application.

    3) As the machine is XP Pro, you could RDP directly to the desktop and make the change to local admin for a short period of time, then drop them back to Power Users or standard user privileges.

    Hope this helps some more,

    LVL 74

    Expert Comment

    by:Jeffrey Kane - TechSoEasy

    On SBS, it's suggested that you don't include My Documents, Application Data or Desktop when configuring a Roaming Profile. For files, you would instead use My Documents Folder Redirection, which would then keep all documents on the server in secured folders. A wizard for Folder Redirection is on your server under Users in the Server Management Console.

    What items in the locally cached profile are of concern to you?

    You should also follow the guidance from for other issues regarding Roaming Profiles, especially the configuration of the DFS root, which is required for SBS to handle the profiles correctly. Following these guidelines will provide you the information you need to create a GPO which will enable these settings for all users added in the future.

    LVL 3

    Author Comment

    Hmm, I'm not using GPOs actively yet, though I know they are there and can be quite powerful; thanks for reminding me.
    This means I'm not managing roaming profiles from the GPO settings but from the user settings (typing a unique path for each user in their property window, Profile tab).

    It's the desktop that is of immediate concern to me; the "My Documents" folder is included in the profile since I use folder redirection.

    From where I stand, roaming profiles seem like a nice way to back up the desktop, favorites, application data etc. If these files are not in the roaming profile they are not backed up.

    *will read up on the link you provided*
    LVL 3

    Author Comment

    It should be:
    the "My Documents" folder is _not_ included in the profile...

    and nothing else :-)
    LVL 74

    Accepted Solution

    Well, you ARE using GPOs, because the default configuration of SBS has about 10 of them that are active.

    And the "My Documents" folder would NOT be included in the profile if you use folder redirection... it would place it in the \\SERVERNAME\USERS\%username% share. When you say you are using "folder redirection", did you run the Configure My Documents Folder Redirection Wizard? Because that would create a GPO that does this for you.

    The reason that it's suggested that you don't include Desktop and Application Data in roaming profiles is that you are better off using folder redirection for these items. They can tend to have large files in them, and therefore it's not practical to have them "roam" because it could take quite a long time for people to log on and off. The other advantage is that the files which are redirected to the server share are protected not only by your regular backups, but by Volume Shadow Copy Service, which takes a snapshot of server shares each day at 7:00am and 12:00noon, allowing users to revert back to a previous version from anywhere within about the last 30 days!

    The service and the Shadow Copy clients are automatically installed when you follow the best practices method of adding workstations to your network (with http://<servername>/connectcomputer). More info on VSS is here:
    but remember you don't have to do any of this manual configuration on an SBS.

    If you read through the PostInstall paper I linked above you'll understand this better.
