We help IT Professionals succeed at work.

NTSF Permissions with roaming profile

I have a Windows 2003 server using roaming profiles. The student files are in folder 2, these are connected to thier rooming profiles. When they are logged into the system using thier profile, I would like the only folder they can see and have access to is foder B. Currently when the student is logged on to the profile, it can'd find the profile and when they log off it says it cannot save thier profile because it cannot find it. When they are logged into thier profile, when they go to network places the only thing I want them to be able to see and have access to is folder B. Can someone please help. If I want to be able to save to folder 2, does drive a, folder A and folder 1 also have too have write permissions or just read permissions.
drive a
      -folder A
             -folder 1
                     - folder 2
       - folder B
       - folder C
Watch Question

I'm not sure I fully understand what you are trying to do.

Do you mean that the student's files are in folder 2 or that students files are in folder 2?

How are you mapping to the roaming profile?  Is this a redirection on the local machine or is their folder on a network share?

Typically you might have:

(on the file server)

E:\Users might then be shared to be accessible via \\servername\users

So User4 might map to \\servername\users\Student\User4

The problem is that to see as far as User4 they need to be able to navigate through the parent folders.  Even if users are not supposed to be able to read other folders they are still displayed in explorer.

If that is what you are trying to prevent you should use Windows Server 2003 Access-based Enumeration: http://www.microsoft.com/downloads/details.aspx?FamilyId=04A563D9-78D9-4342-A485-B030AC442084&displaylang=en

If a user doesn't have rights to see a folder it is now hidden.

Now if the user tries to move back all they will see is \\servername\users containing just one folder 'students' and that folder will just contain 'User4'.

Of course this only works if your NTFS permissions are set right in the first place.

If the above sounds like what you want to do give ABE a try; if not can you provide more information about what you are trying to achieve?


This is what i have.

Each student has a roaming profile:

The student logs into the roaming profile using a client computer. Some students are getting cant find user profile, some are getting cans save on log off.
When the students are logged into their profile, when the go to network places, I would like them to only be able to see and copy files from the \StudentLabs folder and \MPPro folder. The student runs an application on the computer that needs to access the \MPPro folder. I do not want the student to have access to anyones folder but their own.
Another problem I am having is when I log into the client computer as the client administrator, when I go to network places I can get into any folder I want to.

If a user is in two different groups. One group having just read permissions, the other group having full control, which permissions do they actually have?
Can anyone help?


Sorry stevek65 I'm still not sure how users are mapping to this profile - how are you setting this?  GPO or via AD user properties?

"If a user is in two different groups. One group having just read permissions, the other group having full control, which permissions do they actually have?"

Assuming that none of the groups is actively denied access they will use the most permissive - full control.


I am using active directory. I have tried many different options and seems that if I don't set the students with full control at the root level they can't find the roaming profiles.

Explore More ContentExplore courses, solutions, and other research materials related to this topic.