Admin cannot access user profile folder.

Posted on 2010-01-05
Medium Priority
Last Modified: 2012-06-27
When we recently created a profile for a user, they could log in fine; however, we could not access their folder as admin within the server. If we added admin privileges to the folder, we could access it; however, the user could then no longer log in correctly. Finally, if we delete the folder and the user logs in, a new folder appears which we as admin cannot access, yet the user successfully logs in.

Any suggestions what this could be?

Regards, Rob
Question by: alumwell
LVL 17

Expert Comment

ID: 26179581
What are the permissions on the root folder (the folder above the user home folder)?
You should give admin permissions to the root folder and propagate to every subfolder/files beneath it.
LVL 27

Expert Comment

ID: 26179662
Hi there,

We're talking romain profiles right? This is by design. The folder is created giving the user sole access to the folder for security reasons. If you take ownership and grant yourself access it wipes all previous permissions.

You can pre-create the folder with the required permissions and that will stop the system creating it with exclusive access to the user.

LVL 33

Expert Comment

ID: 26179668
"Finally if we delete the folder and the user logs in then a new folder appears to which we as admin cannot access yet the user successfully logs in." Are you trying this when the admin logs on locally on the server, or through a share?

I would agree, this sounds like a permissions problem... I would guess that there is a share that is preventing the admin from accessing the data through the share. However, if you try to access the data through an admin share (or locally), I think you might have access, i.e. \\servername\d$ instead of \\servername\usershare.

LVL 27

Expert Comment

ID: 26179671
romain = roaming (!)
LVL 28

Accepted Solution

peakpeak earned 1000 total points
ID: 26179683
Admins have no default access to roaming profiles. This is by design. To change that, read quinla01's tip:


Author Comment

ID: 26180519
We have found that you cannot pre-create the folder itself. PeakPeak points to the fact that it appears to be the workstations that create the profile folder in which permission would have to be granted there for the admins.

Are there any other solutions? Otherwise I will accept peakpeak's answer. Many thanks.
LVL 27

Expert Comment

ID: 26180749
You can pre-create the folder in the share if you wish before the profile is created. If the folder already exists the computer will not create one or change permissions.

This will work to grant you access to one folder. If you want to grant yourself access to ALL users folders then use the GPO setting linked above.

I'm not sure that this will affect existing folders as the permissions are set at creation time.


Assisted Solution

ARK-DS earned 1000 total points
ID: 26186337

I am assuming that we are talking about roaming profiles:
When the user profile is loaded, the ownership is checked. If the user is not the owner of the folder, the profile is not loaded and an error is displayed: "The profile could not be loaded". You can control this behaviour by a group policy:

Also, if you want to just see the contents of the folders, just do this: take ownership of the folder (make sure that the user does not log in during this), give yourself full rights on the folder, and then give the ownership back to the original user. (Now the user can log in.)
BUT: This is a bit risky as it created some issues 1 out of ten times when I did it in my test labs.
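
Added example, not part of any post in this thread: a PowerShell script that reaches the end state both quinla01's pre-create suggestion and ARK-DS's take-ownership procedure aim for (folder owned by the user, Full Control for Administrators, SYSTEM and the user) and then verifies it. The folder path `D:\Profiles\jdoe`, the account `CONTOSO\jdoe` and the helper `Invoke-Native` are hypothetical; it assumes an elevated session on the file server while the user is logged off.

```powershell
# Added example (not from the thread). Path and account name are hypothetical.
param(
    [string]$Folder = 'D:\Profiles\jdoe',
    [string]$User   = 'CONTOSO\jdoe'
)
$ErrorActionPreference = 'Stop'

# Hypothetical helper: run a native tool and stop on a non-zero exit code.
function Invoke-Native([string]$Exe, [string[]]$Arguments) {
    & $Exe @Arguments | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "$Exe failed with exit code $LASTEXITCODE" }
}

if (-not (Test-Path -LiteralPath $Folder)) {
    # Pre-create case: the folder exists before the user's first logon.
    New-Item -ItemType Directory -Path $Folder | Out-Null
} else {
    # Existing folder: give ownership to the Administrators group (/A),
    # recursively (/R), so that the DACL can be edited. '/D Y' answers the
    # confirmation prompt on an English-language system.
    Invoke-Native takeown.exe @('/F', $Folder, '/A', '/R', '/D', 'Y')
}

# Grant Full Control to Administrators (S-1-5-32-544), SYSTEM (S-1-5-18) and
# the user, inherited by files and subfolders. /grant without ':r' adds to
# the existing entries instead of replacing them.
Invoke-Native icacls.exe @($Folder, '/grant',
    '*S-1-5-32-544:(OI)(CI)F', '*S-1-5-18:(OI)(CI)F', "${User}:(OI)(CI)F")

# Hand ownership back to the user for the folder and everything below it;
# this is the property checked when the profile is loaded.
Invoke-Native icacls.exe @($Folder, '/setowner', $User, '/T')

# Verify by SID rather than by display name.
$sidType = [System.Security.Principal.SecurityIdentifier]
$userSid = ([System.Security.Principal.NTAccount]$User).Translate($sidType).Value
$acl     = Get-Acl -LiteralPath $Folder
if ($acl.GetOwner($sidType).Value -ne $userSid) {
    throw "Owner is $($acl.Owner), expected $User"
}
$full  = [System.Security.AccessControl.FileSystemRights]::FullControl
$admin = $acl.GetAccessRules($true, $true, $sidType) | Where-Object {
    $_.IdentityReference.Value -eq 'S-1-5-32-544' -and
    $_.AccessControlType -eq 'Allow' -and
    ($_.FileSystemRights -band $full) -eq $full
}
if (-not $admin) { throw 'Administrators do not have Full Control' }
"OK: $Folder is owned by $($acl.Owner); Administrators have Full Control"
```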


