• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 236
  • Last Modified:

URGENT - Roaming Profiles Issue

We are using W2003 Server and have a folder called RoamingProfiles - we have users folders under that who's security settings are that to give the user listed in the AD full access to their roaming profile.  However it seems to only work if the user is a member of domain admins - it will not work as domain user only - obviously we don't want users to have admin rights across the domain.

HELP!!
0
Powerhousecomputing
Asked:
Powerhousecomputing
  • 5
  • 5
1 Solution
 
Steve KnightIT ConsultancyCommented:
Check the share permissions too.  I imagine they don;t have Full Control at the share level?
0
 
Steve KnightIT ConsultancyCommented:
The user may also need to be the owner of their profile directory too (can't remember specifically as it was a few years ago but I know I had to use a script with subinacl.exe from the login script to give the user ownership of their profile directory and home drive, though that may just have been to get quotas working).  I presume you are connectring them through a share "profiles$" or something in which case as long as they have Full Control to share and read access to the next level and you create the profile dir. for them as full control access all should work.

Steve
0
 
PowerhousecomputingAuthor Commented:
The RoamingProfiles folder is shared and everyone has full permissions
Each subfolder (each user's profile) is not shared but security is set for the user so that they have full access.
0
Get your problem seen by more experts

Be seen. Boost your question’s priority for more expert views and faster solutions

 
Steve KnightIT ConsultancyCommented:
I suggest you try one taking ownerhsip of the directory and files to the user (you can do this as them as they have full control) or take a look at subinacl.exe from the resource kit (downloadble from MS site).

subinacl /noverbose /subdirectories \\server\Profiles\%user%\*.* /setowner=domain\user
subinacl /noverbose /file \\server\Profiles\%user% /setowner=domain\user

Steve
0
 
PowerhousecomputingAuthor Commented:
I have take ownership on the subfolder but it makes no difference - still the profiles only work when the user is part of domain admins
0
 
Steve KnightIT ConsultancyCommented:
Fair enough.  Sounds like you have everything right.  Can the users access other things on the server OK, and if you map a drive to the location and check, as the user, that they do actually have permissions to the area?

When they are domain admins does it actually write their profile back into the directory etc?

http://www.microsoft.com/technet/archive/winntas/tips/techrep/decdown.mspx?mfr=true  is microsoft's "howto" which doesn't really tell us anything we don't know.

Steve
0
 
PowerhousecomputingAuthor Commented:
Yes they can access other ares with no problem and yes when they are domain admin they can write back
0
 
PowerhousecomputingAuthor Commented:
making them have local admin rights works - thanks!
0
 
Steve KnightIT ConsultancyCommented:
Sounds a bit odd but at least you are working, thanks for the points in any case.

Steve
0
 
PowerhousecomputingAuthor Commented:
actually..... it's not now!  i thought it was ok - all is back except for desktops - any ideas?  still only have unrestricted access if domain admins
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Cloud Class® Course: Ruby Fundamentals

This course will introduce you to Ruby, as well as teach you about classes, methods, variables, data structures, loops, enumerable methods, and finishing touches.

  • 5
  • 5
Tackle projects and never again get stuck behind a technical roadblock.
Join Now