
What are the NTFS and Share permissions for PROFILES folder (for roaming profiles)

itbamiami
Hello everyone.

I am currently testing the use of roaming profiles in our company and I am having some problems with the permissions, which allow the users to see another user's profile.

My scenario:

Created a "PROFILES" folder on the root of our storage device and shared as "PROFILES$."
Created 3 test accounts in AD (server 2003) in their own "TEST" OU.
Created a global security group called "Roaming Profiles" of which the 3 users are members, as well as the Domain Admins group.
PROFILES$ share permissions are set to 'everyone' Change & Read
PROFILES$ NTFS 'everyone' read&execute, list folder contents, read.  The 'Roaming Profiles' group has Full Control.  Both apply to This folder, subfolders and files.
Enabled the GPO "Add the Administrators security group to roaming user profiles" under COMPUTER-POLICIES-ADMINISTRATIVE TEMPLATES-SYSTEM-USER PROFILES.  Assigned and enabled on the "TEST" OU.
Logged on/off as each user to create their roaming user profile folder.
When I browse \\server\PROFILES$\ from any of the logged on test accounts I can browse any of the other 2 available test accounts.
The system-created test user profile folder for each user has the following security permissions:
test user - full control
server\administrators - full control
system - full control
The NTFS permissions show the same three accounts and apply to This folder, subfolders and files.

NTFS permissions always throw me for a loop, but I would figure that the server would be smart enough to lock down the profile folders unless I configured the PROFILES$ share incorrectly and inheritance is messing everything up.

Thanks for the help.
Top Expert 2012

Commented:

Author

Commented:
Thanks dariusq, I followed the steps from oregontechsupport, which seem great and straight to the point, yet I have no luck.

The users can see the other users folders.  What confuses me is that the users folders have the following NTFS permissions:

user account: FULL
server\administrators: FULL
SYSTEM: FULL
All have apply to: this folder, subfolders and files

It's not inheriting any permissions and I have not checked the "replace permission entries on all child objects" option...

the owner is server\administrator

and if I check effective permissions with any other AD account, all effective permissions are checked on.

NOTE that these are the default permissions that the server assigns the folders when they are created.
I am at a loss.
Top Expert 2012

Commented:
So, you should be able to go through the process of creating the primary folder; then, when you create profiles, the permissions are created automatically.
The owner should be the "CREATOR OWNER", as in \\server\share\%username%, where %username% becomes the owner.

Are you sure you unticked the "Allow inheritable permissions to propagate to this object" on the Profile folder?

Here is another good link:
http://blogs.technet.com/b/askds/archive/2008/06/30/automatic-creation-of-user-folders-for-home-roaming-profile-and-redirected-folders.aspx 
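The approach dariusq describes (users only create their own folder under the root, CREATOR OWNER becomes the owner of what they create, inheritance broken on the root) depends on the exact inheritance scope of each ACE on the root, which is the part that is easy to get wrong in the GUI. The PowerShell below is an added example, not from the thread or from any of the linked articles; it applies the root ACL that Microsoft documents for a roaming profile share. The path D:\PROFILES, the share name, and the use of Authenticated Users as the "who may create a folder here" group are assumptions; the /GRANT switch on net share exists on Server 2008 and later, so on Server 2003 the share permission has to be set from the Sharing tab instead.

```powershell
# Added example: standard root ACL for a roaming-profile share.
# Assumptions: the share lives at D:\PROFILES and is published as PROFILES$.
$Root  = 'D:\PROFILES'
$Share = 'PROFILES$'

New-Item -ItemType Directory -Path $Root -Force | Out-Null

function New-Ace {
    # Builds an Allow ACE; inheritance/propagation flags decide what the GUI
    # shows as "This folder only" versus "Subfolders and files only".
    param(
        [string]$Identity,
        [System.Security.AccessControl.FileSystemRights]$Rights,
        [System.Security.AccessControl.InheritanceFlags]$Inherit,
        [System.Security.AccessControl.PropagationFlags]$Propagate
    )
    New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity, $Rights, $Inherit, $Propagate, 'Allow')
}

$acl = Get-Acl -Path $Root
# Protect the DACL and discard anything inherited from the volume root.
$acl.SetAccessRuleProtection($true, $false)
foreach ($ace in @($acl.Access)) {
    if (-not $ace.IsInherited) { [void]$acl.RemoveAccessRule($ace) }
}

# Users: List folder / Create folders, "This folder only" (no inheritance flags).
# This is enough to create %username% under the root and nothing more.
$acl.AddAccessRule((New-Ace 'NT AUTHORITY\Authenticated Users' `
    'ListDirectory, CreateDirectories' 'None' 'None'))

# CREATOR OWNER: Full Control, "Subfolders and files only" (InheritOnly).
# The user who creates a folder becomes its owner and gets Full Control on it;
# the ACE never applies to the root itself.
$acl.AddAccessRule((New-Ace 'CREATOR OWNER' 'FullControl' `
    'ContainerInherit, ObjectInherit' 'InheritOnly'))

# SYSTEM and the server's Administrators: Full Control on this folder,
# subfolders and files.
$acl.AddAccessRule((New-Ace 'NT AUTHORITY\SYSTEM' 'FullControl' `
    'ContainerInherit, ObjectInherit' 'None'))
$acl.AddAccessRule((New-Ace 'BUILTIN\Administrators' 'FullControl' `
    'ContainerInherit, ObjectInherit' 'None'))

Set-Acl -Path $Root -AclObject $acl

# Hidden share; the share ACL stays permissive and NTFS does the real work.
# /GRANT requires Server 2008 or later (assumption about the target OS).
net share "$Share=$Root" '/GRANT:Authenticated Users,FULL'

# Show the result the way the Security tab's Advanced view would.
(Get-Acl -Path $Root).Access |
    Select-Object IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags |
    Format-Table -AutoSize
```

The two scopes matter: if the users' ACE on the root were set to "This folder, subfolders and files" (as the Roaming Profiles group's Full Control ACE is in the question), every profile folder that does not break inheritance would be readable by every user. Once the profile service has created a user's folder it normally breaks inheritance and leaves only the user, SYSTEM and (with the GPO the question mentions) Administrators on it.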

Author

Commented:
@snusqubben, I haven't checked your advice yet, but I did find out the following.

I removed the GPO that I created which is listed on my question and the users were not able to see the other users folders.  Neither can the Administrator or Domain Admins account.  

This is from the description of the GPO:

Note: In the default case, administrators have no file access to the user's profile, but they may still take ownership of this folder to grant themselves file permissions.

So for the Administrator on the server to look at the files I had to take ownership of it.

This makes no sense for two reasons:
1 - why would MS not automatically give the administrator accounts access to these folders?
&
2 - these accounts are members of the Domain Users account; why would enabling the GPO allow domain user accounts to see other folders if the GPO simply adds Administrator permissions?

so for now, disabling that GPO fixes my headaches.
Top Expert 2012
Commented:
Administrators do not have ownership rights over a roaming profile or redirections; this is common practice.

Author

Commented:
dariusq, thanks for clarifying, YET if I enable the GPO "Add the Administrators security group to roaming user profiles", why does it give users the ability to see other user folders?

My other thought now is that the users are local admins of the machines; this is needed because of a software requirement. But that is local admin, not domain admin. I am out of the office, but I'll try changing their local rights with the GPO enabled and see what happens.

thanks everyone.
Top Expert 2012
Commented:
Well, with local admin rights they should not see the other users' folders.

Somewhere there is a permission issue.

Commented:
Sounds like the server\admins is causing the problems.  If the user is part of the local admin group then they will have access.

Here is a link that should give you step by step instructions.  I believe I usually use everyone=full control on the share for the folder redirections and profiles.  My domain users are not local admins either.

By default the profiles folder should be restricted to only the user.  You did go into ADUC and set the roaming profiles on the account tab to something similar right?  \\server\profiles$\%username%

Kevin
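Several replies above turn on what each user's profile folder actually carries: Kevin says the folder should be restricted to the user by default, dariusq says the user should be its owner, and the author suspects inheritance from the PROFILES$ root. The audit below is an added example, not from the thread; it walks every folder under the share root and reports anything other than the folder's user, SYSTEM and Administrators, flags ACEs that are inherited rather than explicit, and flags folders whose owner is not the user. The root path and the NetBIOS domain name CORP are assumptions, and the ".V2"-style suffix stripping is there only for profile folders created by Vista or later; on Server 2003/XP clients the folder name is the bare username.

```powershell
# Added example: audit per-user roaming profile folders for stray permissions.
# Assumptions: share root is D:\PROFILES, accounts live in the CORP domain.
$Root   = 'D:\PROFILES'
$Domain = 'CORP'

# Principals that are expected on every profile folder besides the user.
$alwaysAllowed = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')

function Test-ProfileFolder {
    # Returns a list of problem strings for one profile folder (empty = clean).
    param([System.IO.DirectoryInfo]$Folder)

    # Vista+ clients append .V2/.V3/... to the folder name; older ones do not.
    $user = "$Domain\" + ($Folder.Name -replace '\.V\d+$', '')
    $acl  = Get-Acl -Path $Folder.FullName
    $problems = @()

    # A folder that still inherits picks up whatever is on the PROFILES root.
    if (-not $acl.AreAccessRulesProtected) {
        $problems += 'inherits ACEs from the share root'
    }

    foreach ($ace in $acl.Access) {
        $id = $ace.IdentityReference.Value
        # String comparison in PowerShell is case-insensitive by default.
        if ($id -ne $user -and $alwaysAllowed -notcontains $id) {
            $source = if ($ace.IsInherited) { 'inherited' } else { 'explicit' }
            $problems += "$source $($ace.AccessControlType) ACE for $id ($($ace.FileSystemRights))"
        }
    }

    # The creating user should own the folder; an Administrators owner means
    # somebody took ownership, or the folder was pre-created by an admin.
    if ($acl.Owner -ne $user) {
        $problems += "owner is $($acl.Owner), expected $user"
    }
    return $problems
}

Get-ChildItem -Path $Root |
    Where-Object { $_.PSIsContainer } |
    ForEach-Object {
        $found = Test-ProfileFolder -Folder $_
        if ($found.Count -gt 0) {
            New-Object PSObject -Property @{
                Folder   = $_.Name
                Problems = ($found -join '; ')
            }
        }
    } |
    Select-Object Folder, Problems |
    Format-Table -AutoSize -Wrap
```

Run it on the file server as an account that can read the ACLs (a member of the server's Administrators group is enough; reading a DACL does not require access to the folder's contents). An inherited Allow ACE for a broad group, or for the Roaming Profiles group from the question, in the output is the direct explanation for users being able to browse each other's folders; an Administrators ACE that is explicit and carries Full Control is what the "Add the Administrators security group to roaming user profiles" policy adds and is expected when that policy is on.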