Roaming Profiles

Hey Guys,

Every time a user logs into an XP Pro system with a Server 2003 profile, the profile is copied from the server to the Documents and Settings folder.

Is there a way so that only the user to whom that profile belongs can access that folder when logging into the computer locally or even on the domain, even if that user is the local administrator?

Please guide.
ChandarS Commented:
Roaming Profiles on a user account.
Creating the default user profile prepares the environment to support Windows Vista profiles. Next, you need to configure a user account to have a roaming user profile and its roaming user profile path.
Prepare a user account
1. As a domain administrator, open the Active Directory Users and Computer management console from a Windows Server 2003 or Windows XP computer.
2. Right-click the user account for which you want to configure a roaming user profile.
3. Click the Profile tab. Type the network path you created in step 2 in the profile path text box. Add the text \%username%. For example, the profile path for user1 in the domain is \\finance\RUP\%username%.
Windows will replace the environment variable %username% with the logon name of the user. For example, if the logon name is user1 then Active Directory Users and Computers will replace %username% with the name user1. The full network path would be \\finance\RUP\user1.
4. Click OK, and then close the Active Directory User and Computer management console.
Prepare the roaming user profile location
1. Create a new folder on a central fileserver. You will use this folder only for roaming user profiles. For example, you could use the folder name Profiles.
2. Share the folder using a name suitable for your organization.
3. Change the share permission to allow the Authenticated Users group the Full Control permission. For example, the finance department in has a dedicated server on which to store user profiles. The name of the folder is "Profiles" and the share name is RUP.
Windows creates the roaming user profile folder for the user and makes the user the owner of the folder.
Windows uses the ".v2" extension to distinguish between version 1 and version 2 profiles. Windows Server 2003, Windows XP, and Windows 2000 author version 1 profiles. You store these profiles in a folder with a name that matches the logon name of the user account. Windows Vista authors version 2 profiles. You store version 2 profiles in a folder with the first part of the folder name matching the logon name of the user followed by ".v2".
Log on as the user
1. Log on to a Windows Vista workstation with the domain user account you configured in the Prepare a user account procedure.
2. Log off the computer.
Windows populates the roaming user profile when the user logs off for the first time. It will resolve the changes in the profile with each subsequent logoff. The folder you previously created has the contents of that user's roaming user profile.
Do not add ".v2" to the profile path of the user object in Active Directory Users and Computers. Doing so may prevent Windows Vista from locating the roaming or mandatory profile. You should only apply the ".v2" suffix to the name of the user folder on the central file server.
It is acceptable to use the existing server and file share where you store your current roaming user profiles. However, each user will have two roaming profile folders, one for Windows Vista and one for Windows XP. The added folder also means additional storage requirements for the server. Ensure the drive hosting the share has adequate free space, and adjust any disk quota policies appropriately.

Chandar Singh
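
An added example, not part of the original thread or of either answer: a small audit of a profile share that checks the two rules stated above, that each profile folder is owned by the user it is named after and that no Active Directory profile path carries the ".v2" suffix. The folder listing, the FINANCE domain name and the user names are constructed sample data, and how the listing is exported from the file server is left as an assumption.

```python
import re

# Constructed sample data (not from the original thread): folder name and owner
# for each entry on the profile share, and each user's AD profile path.
FOLDERS = [
    ("user1", "FINANCE\\user1"),
    ("user1.v2", "FINANCE\\user1"),
    ("user2", "BUILTIN\\Administrators"),
    ("user3.v2", "FINANCE\\user2"),
]
PROFILE_PATHS = {
    "user1": r"\\finance\RUP\%username%",
    "user2": r"\\finance\RUP\user2.v2",
    "user3": r"\\finance\RUP\%USERNAME%",
}

def split_folder(folder):
    """Return (logon name, profile version) for a folder on the share."""
    name = folder.lower()
    return (name[:-3], 2) if name.endswith(".v2") else (name, 1)

def audit_owners(listing):
    """Flag folders not owned by the user they are named after."""
    findings = []
    for folder, owner in listing:
        logon, _version = split_folder(folder)
        account = owner.rsplit("\\", 1)[-1].lower()  # drop the DOMAIN\ prefix
        if account != logon:
            findings.append((folder, owner))
    return findings

def audit_profile_paths(paths):
    """Flag AD profile paths that carry '.v2' or do not end in the logon name."""
    findings = []
    for logon, path in paths.items():
        # Expand %username% the way the answer describes, ignoring case.
        resolved = re.sub("%username%", lambda _m: logon, path, flags=re.IGNORECASE)
        leaf = resolved.rstrip("\\").rsplit("\\", 1)[-1].lower()
        if leaf.endswith(".v2"):
            findings.append((logon, resolved, "remove .v2 from the AD path"))
        elif leaf != logon.lower():
            findings.append((logon, resolved, "path does not end in the logon name"))
    return findings

if __name__ == "__main__":
    for folder, owner in audit_owners(FOLDERS):
        print(f"OWNER  {folder}: owned by {owner}")
    for logon, path, reason in audit_profile_paths(PROFILE_PATHS):
        print(f"PATH   {logon}: {path} ({reason})")
```

A folder whose owner is not its user was either created ahead of time by someone else or has had its ownership changed since Windows created it, so each such finding is worth reviewing.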
Mike Kline Commented:
Not that I know of. If they are an administrator, then they will be able to take ownership if they really want access to the data. That is why you have to limit administrators.
If they are set as a local administrator they will be able to access all local folders. You have to remove the local admin privs.
Normally you don't want to deny administrators access to profile folders. If the user gets an issue with the profile it will be a lot harder for you to troubleshoot.

Keep it simple - set a standard and don't make any exceptions.
Also, the administrators should be aware that peeking in other users' "private" folders is a no-no. Many countries even have national laws that forbid you from doing so.

Trust your employees and coworkers.
Question has a verified solution.
