

Keeping TS roaming profile directory clean

Posted on 2008-02-02
Medium Priority
Last Modified: 2008-05-31
Having created a Group Policy for TS roaming profiles (and home directories) and having set the appropriate NTFS permissions as said by MS, I find that, if there's a user that is smart enough to find the hidden share, the user can create his/her own directory in the profile directory. After the user has created this directory he/she has full access to that directory.

Is there a way to prevent this?
Share is hidden, but seen for every user that has a share to the home directory.

Another minor detail: All profile & home directories are made with the .domainname extended to it, why? The profiles & directories are all new, so it isn't a matter of corruption or transition.
Question by: jbatavier
LVL 57

Expert Comment

ID: 20804211
I may be way off, but what if you put their roaming profile in a sub-directory, make sure they have write to the sub-directory and then remove their write authority to the "main-directory"?  On the server you would have:


The share would map to z:\roamprofiles; no users would have write to roamprofiles. Each user would have write to their "user-idx" directory and the roaming profiles would be stored there. I know that this is what we do for our home directories.

Author Comment

ID: 20804230
I will elaborate a bit more:

I have the \\Userdata$\Profiles\ directory. In that directory the profiles will be made, but automatically. For that to happen, the users need to have List folder \ create folder right on the Profiles directory.

Yes, I could remove the create folder right when all profiles have been made, but that 'destroys' the automation and would mean that I have to manually create a new profile for every new user.
LVL 57

Expert Comment

ID: 20804273
You could create a process that runs "every so often" (once a day, once a week) that removes write.

However, if they have write, they have write.  There is nothing you can do to prevent them from writing there.  No matter how much you try and hide it, if they find it (which is not that hard).

Author Comment

ID: 20804280
Would you say running a logon script that renames the shares so they don't see the hidden share is a good idea?

Have you any thoughts on the domainname being added to the user directories?

Accepted Solution

jbatavier earned 0 total points
ID: 20804564
I've renamed the shares through kixtart and encrypted the .kix file. Should be quite safe. Thanks for your help.
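
The following is an added example, not part of the thread or any participant's script: a read-only PowerShell audit that lists folders in the profile root whose name does not match their NTFS owner, which is how a folder a user created by hand would show up. The `\\server\Userdata$\Profiles` path, the function names and the sample accounts are assumptions; the check accepts `user`, `user.DOMAIN` and an optional `.V<n>` suffix.

```powershell
# Added example: report folders in a profile root that do not look like
# system-created profiles. Read-only; it changes nothing on disk.

function Test-ProfileFolder {
    # True when $Name is "<user>" or "<user>.<domain>" for the account in
    # $Owner ("DOMAIN\user"), optionally followed by a ".V<n>" version suffix.
    param([string]$Name, [string]$Owner)
    $parts = $Owner -split '\\', 2
    if ($parts.Count -ne 2) { return $false }   # owner is not DOMAIN\user
    $domain = [regex]::Escape($parts[0])
    $user   = [regex]::Escape($parts[1])
    return $Name -match "^${user}(\.${domain})?(\.V\d+)?$"
}

function Get-StrayProfileFolder {
    # Lists subfolders of $Root whose name does not match their NTFS owner.
    param([string]$Root)
    Get-ChildItem -LiteralPath $Root -Directory | ForEach-Object {
        $owner = (Get-Acl -LiteralPath $_.FullName).Owner
        if (-not (Test-ProfileFolder -Name $_.Name -Owner $owner)) {
            [pscustomobject]@{
                Folder  = $_.FullName
                Owner   = $owner
                Created = $_.CreationTime
            }
        }
    }
}

# Constructed sample data (not from the thread) to show the name check offline.
$samples = @(
    @{ Name = 'alice';         Owner = 'CORP\alice' },  # normal profile
    @{ Name = 'bob.CORP';      Owner = 'CORP\bob' },    # ".domainname" form
    @{ Name = 'carol.CORP.V2'; Owner = 'CORP\carol' },  # versioned profile
    @{ Name = 'mystuff';       Owner = 'CORP\alice' }   # user-created folder
)
foreach ($s in $samples) {
    '{0,-15} {1,-11} looksLikeProfile={2}' -f $s.Name, $s.Owner, (Test-ProfileFolder @s)
}

# Against a real share (placeholder path, adjust to your server):
# Get-StrayProfileFolder -Root '\\server\Userdata$\Profiles'
```

Folders that an administrator pre-created, or whose owner is a group such as Administrators, are also reported, so review the output before acting on it.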
