Keeping TS roaming profile directory clean

Having created a Group Policy for TS roaming profiles (and home directories), and having set the appropriate NTFS permissions as described by MS, I find that if there's a user who is smart enough to find the hidden share, the user can create his/her own directory in the profile directory. After the user has created this directory, he/she has full access to that directory.

Is there a way to prevent this?
The share is hidden, but it is visible to every user who has a share mapped to the home directory.

Another minor detail: all profile and home directories are created with .domainname appended to them. Why? The profiles and directories are all new, so it isn't a matter of corruption or transition.

I may be way off, but what if you put their roaming profile in a sub-directory, make sure they have write to the sub-directory and then remove their write authority to the "main-directory"?  On the server you would have:


The share would map to z:\roamprofiles. No users would have write to roamprofiles. Each user would have write to their "user-idx" directory, and the roaming profiles would be stored there. I know that this is what we do for our home directories.
jbatavier (Author) commented:
I will elaborate a bit more:

I have the \\Userdata$\Profiles\ directory. In that directory the profiles will be created, but automatically. For that to happen, the users need to have the List Folder / Create Folder right on the Profiles directory.

Yes, I could remove the Create Folder right once all profiles have been created, but that 'destroys' the automation and would mean that I have to manually create a new profile for every new user.
You could create a process that runs "every so often" (once a day, once a week) that removes write.

However, if they have write, they have write. There is nothing you can do to prevent them from writing there. No matter how much you try to hide it, if they find it (which is not that hard) they can write there.
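The layout the first answer describes (no write on the profile root, write only on a pre-created per-user subdirectory) is what removes the Create Folder right from the root without losing the automatic profile creation the author wants to keep: if the per-user folder already exists and is owned by the user, the profile service writes into it and never needs to create anything in the root. The script below is an added example, not code from this thread or from Microsoft; the profile root path, the domain name and the user list are constructed placeholders, and it must be run as an administrator (changing the owner of a folder to another account requires the restore privilege).

```powershell
# Added example (not from the original thread). Lays out a roaming-profile root
# where Authenticated Users can only list/traverse the root, and each user gets a
# pre-created subfolder that the user owns and has Full Control over.
# ASSUMPTIONS: $ProfileRoot, $Domain and $Users are placeholders for this example.
param(
    [string]$ProfileRoot = 'D:\Userdata\Profiles',
    [string]$Domain      = 'CORP',
    [string[]]$Users     = @('alice', 'bob')   # constructed sample user list
)

$FullControl = [System.Security.AccessControl.FileSystemRights]::FullControl
$ReadList    = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute
$Inherit     = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$ThisOnly    = [System.Security.AccessControl.InheritanceFlags]::None
$NoProp      = [System.Security.AccessControl.PropagationFlags]::None
$Allow       = [System.Security.AccessControl.AccessControlType]::Allow

function New-Rule($Identity, $Rights, $Inheritance) {
    New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
               -ArgumentList $Identity, $Rights, $Inheritance, $NoProp, $Allow
}

# 1. Root: SYSTEM and Administrators get Full Control; Authenticated Users get
#    read/list/traverse on this folder only, and deliberately NOT Create Folders.
if (-not (Test-Path $ProfileRoot)) { New-Item -ItemType Directory -Path $ProfileRoot | Out-Null }
$rootAcl = Get-Acl -Path $ProfileRoot
$rootAcl.SetAccessRuleProtection($true, $false)   # stop inheriting ACEs from the parent
$rootAcl.AddAccessRule((New-Rule 'NT AUTHORITY\SYSTEM'              $FullControl $Inherit))
$rootAcl.AddAccessRule((New-Rule 'BUILTIN\Administrators'           $FullControl $Inherit))
$rootAcl.AddAccessRule((New-Rule 'NT AUTHORITY\Authenticated Users' $ReadList    $ThisOnly))
Set-Acl -Path $ProfileRoot -AclObject $rootAcl

# 2. Per-user folder: created by the admin ahead of time, owned by the user, with
#    Full Control for that user only (plus SYSTEM and Administrators). Because the
#    folder already exists, the user never needs Create Folders on the root.
foreach ($u in $Users) {
    $path = Join-Path $ProfileRoot $u
    if (-not (Test-Path $path)) { New-Item -ItemType Directory -Path $path | Out-Null }
    $acl = Get-Acl -Path $path
    $acl.SetAccessRuleProtection($true, $false)
    $acl.AddAccessRule((New-Rule 'NT AUTHORITY\SYSTEM'    $FullControl $Inherit))
    $acl.AddAccessRule((New-Rule 'BUILTIN\Administrators' $FullControl $Inherit))
    $acl.AddAccessRule((New-Rule "$Domain\$u"             $FullControl $Inherit))
    # The profile service checks that the user owns the folder, so set the owner.
    $acl.SetOwner([System.Security.Principal.NTAccount]"$Domain\$u")
    Set-Acl -Path $path -AclObject $acl
}

# 3. Audit: any folder in the root that is not on the user list, or that is not
#    owned by the account of the same name, is something a user smuggled in.
Get-ChildItem -Path $ProfileRoot | Where-Object { $_.PSIsContainer } | ForEach-Object {
    $owner = (Get-Acl -Path $_.FullName).Owner
    if ($Users -notcontains $_.Name -or $owner -ne "$Domain\$($_.Name)") {
        Write-Warning "Unexpected profile folder: $($_.FullName) (owner: $owner)"
    }
}
```

Run the script from the user-provisioning step (or a scheduled task fed from the directory) so that the per-user folder exists before the user's first logon; the audit at the end is the "process that runs every so often" suggested above, and flags any folder whose name or owner does not match a provisioned account.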
jbatavier (Author) commented:
Would you say running a logon script that renames the shares so they don't see the hidden share is a good idea?

Have you any thoughts on the domainname being added to the user directories?
jbatavier (Author) commented:
I've renamed the shares through kixtart and encrypted the .kix file. Should be quite safe. Thanks for your help.

Windows Server 2003