Changing NTFS permissions on Roaming share
So I have inherited this network from another service company and it appears that the former admin didn't really understand group policy and NTFS permissions when it came to roaming profiles and such.
There is an existing GPO in place that points the terminal server profiles to this share. The profiles under this top share are all messed up as far as NTFS permissions go. Most profiles are not inheriting, the whole thing is just broken. My plan is to modify the actual profile share, with the proper settings, and push the settings down. Will this have any negative effect on the existing profiles? I have never had to correct something quite like this before.
Once I fix this I want to enable folder redirection for documents and desktop most likely. This part I'm not really concerned with. It's the first part of changing so many permissions on the profile share level. I can't afford to destroy everyone's profiles.
Does anyone see any problems with doing this?
The users are gettings errors when logging on sometimes about loading profiles and it looks like this is the first step to correct that.
Any other thoughts are welcomed.
There is an existing GPO in place that points the terminal server profiles to this share. The profiles under this top share are all messed up as far as NTFS permissions go. Most profiles are not inheriting, the whole thing is just broken. My plan is to modify the actual profile share, with the proper settings, and push the settings down. Will this have any negative effect on the existing profiles? I have never had to correct something quite like this before.
Once I fix this I want to enable folder redirection for documents and desktop most likely. This part I'm not really concerned with. It's the first part of changing so many permissions on the profile share level. I can't afford to destroy everyone's profiles.
Does anyone see any problems with doing this?
The users are gettings errors when logging on sometimes about loading profiles and it looks like this is the first step to correct that.
Any other thoughts are welcomed.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
My assumption was that the "pushed" change would take place on each user's root folder, not the share root.
DrUltima
DrUltima
ASKER
I have enabled roaming profiles before with these permissions.
- Administrators: Full Control; This folder, subfolders and files
- SYSTEM: Full Control; This folder, subfolders and files
- Authenticated Users: Create Folders/Append Data; This folder only
What if I changed the top share to these permissions and forced inheritance on the profiles folders beneath? You don't think this would work? What other permissions would you use for a roaming profile? You can't be creating the profile manually every time you create a new user.
- Administrators: Full Control; This folder, subfolders and files
- SYSTEM: Full Control; This folder, subfolders and files
- Authenticated Users: Create Folders/Append Data; This folder only
What if I changed the top share to these permissions and forced inheritance on the profiles folders beneath? You don't think this would work? What other permissions would you use for a roaming profile? You can't be creating the profile manually every time you create a new user.
When you create the user and the profile directory it is given user specific permissions.
ASKER
So you think changing the permission at the share level won't work? What would I have to do to correct this issue then? It's a big mess right now and I don't want to make things worse but I need to get this functioning as it should.
The last this you want to do is change the permissions on the base and push them down over all the profile directories!