Solved

Terminal Services Home Folder path does not inherit the parent folder permissions in Windows Server 2003

Posted on 2008-10-03
Last Modified: 2012-05-05
The subject says it all. What happens is I create a new user in AD and the first time they log on to Citrix their profile is created in \\server1\citrixprofiles

These newly created folders are not checked to inherit permissions and our help desk tech needs access to these profiles. The help desk tech has permissions set at citrixprofiles. There is an MS article on this, # 875535: http://support.microsoft.com/kb/875535/en-us

But when I spoke to MS on this they said the hotfix should have been included with SP1 and I am running SP2. They also said to go ahead and run it, IT SHOULDN'T hurt anything. That makes me feel real comfortable. I was wondering if anyone else has had any similar problems and can lead me on the path to fix this. I know that I can just go on to the system and check inherit permissions on my own but we would really like this resolved.
Question by:mystics7

Expert Comment

by:Ron9909
ID: 22641575
Hmm - this article is about TS Home directories...are you trying to give your technicians access to the profile or the home dir?  

If profile, the behaviour you are seeing is by design - the system will create the TS Profile with permissions suitable for the user, meaning not inheriting permissions from the parent folder.  If you want your helpdesk staff to have permissions to the user's profile, you can set the "Add the Administrator security group to the roaming user profile share" setting in the GPO that applies to the user/server.  
[Computer Configuration\Administrative Templates\System\User Profiles]

There is also another setting under Windows Components\Terminal Server that allows you to set a location for TS Profiles (i.e. the parent folder) - this means you don't have to set a location in the user object, and may save you time if you are manually creating users...

Hope this helps!


Author Comment

by:mystics7
ID: 22651637
I'm trying to give them access to the profile that is created when the end user first logs on. The first time the user logs on the profile folder is created only with the local admin, system and the user's account having permissions. The check box to inherit permissions is not checked by default and I must go in and manually check this. Our help desk techs are not part of the domain or local admin groups on any server. We have a group called PC Support for our techs and they have access at the parent folder of profiles. If I click that check box then all permissions are then applied to the end user's profile folder. I know the article from MS says home folder but it is the same exact problem, only on the profile folder.

Accepted Solution

by:
Ron9909 earned 500 total points
ID: 22655127
Ok - the problem is that your techs aren't admins.  If they were you could use the GP setting I mentioned before.  The behaviour you are seeing with profile creation is by design.  When the system creates the profile folder, it won't inherit permissions from the parent.  I think what you will need to do is create a script to either replace permissions on all the newly created profile directories (Xcacls will allow you to grant an additional user permissions to a folder  - http://support.microsoft.com/kb/318754), or you could script creation of the profile directories in advance and allocate whatever permissions you wanted.
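
The scripted approach suggested in the accepted answer, as an added example that is not part of the original thread and uses PowerShell's Get-Acl/Set-Acl instead of Xcacls. The share path comes from the question; the group name `CONTOSO\PC Support` is a placeholder for the real domain group, and the Modify access level is an assumption.

```powershell
# Added example, not from the thread. Grants a support group an explicit,
# inheritable ACE on each profile folder under the share.
# Assumptions: 'CONTOSO\PC Support' is a placeholder for the real group name;
# Modify is an assumed access level; run as an account allowed to change the ACLs.
param(
    [string]$ProfileRoot  = '\\server1\citrixprofiles',
    [string]$SupportGroup = 'CONTOSO\PC Support',
    [System.Security.AccessControl.FileSystemRights]$Rights = 'Modify',
    [switch]$Apply   # without -Apply the script only reports what it would change
)

# Resolve the group to a SID once; this fails early if the name is wrong.
$account = New-Object System.Security.Principal.NTAccount -ArgumentList $SupportGroup
$sid     = $account.Translate([System.Security.Principal.SecurityIdentifier])

$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$noProp  = [System.Security.AccessControl.PropagationFlags]::None
$allow   = [System.Security.AccessControl.AccessControlType]::Allow
$rule    = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $sid, $Rights, $inherit, $noProp, $allow

Get-ChildItem -Path $ProfileRoot | Where-Object { $_.PSIsContainer } | ForEach-Object {
    $acl = Get-Acl -Path $_.FullName

    # Explicit and inherited ACEs, with identities returned as SIDs.
    $granted = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object {
            $_.IdentityReference.Value -eq $sid.Value -and
            $_.AccessControlType -eq $allow -and
            (([int]$_.FileSystemRights -band [int]$Rights) -eq [int]$Rights)
        }

    $action = 'already granted'
    if (-not $granted) {
        $action = 'would grant'
        if ($Apply) {
            $acl.AddAccessRule($rule)
            Set-Acl -Path $_.FullName -AclObject $acl
            $action = 'granted'
        }
    }

    # One report row per profile folder.
    New-Object PSObject -Property @{
        Folder              = $_.FullName
        InheritanceDisabled = $acl.AreAccessRulesProtected
        Action              = $action
    }
}
```

Run it without `-Apply` first to see which profile folders lack the grant, then schedule it with `-Apply` so folders created at first logon are picked up.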

Author Closing Comment

by:mystics7
ID: 31502817
Thank you for your help! That worked.