Solved

What permissions are necessary on the Roaming Profile Folder?

Posted on 2013-05-21
7
329 Views
Last Modified: 2014-07-28
I am having to set up my Roaming Profile folder manually as this is not automated in SBS2011.  I appear to have got as far as the folder being created but when you log into the share as the user, they can view all other profiles - this is not right.

I have followed this article - http://blogs.technet.com/b/askds/archive/2008/06/30/automatic-creation-of-user-folders-for-home-roaming-profile-and-redirected-folders.aspx

But this did not help create the folder.  

I followed another article which suggested adding Authenticated Users, I am not sure if this is what helped create the folder.  What I need is somebody who has this working in their environment to tell me what permissions they have on both the share and the folder.  Unfortunately, articles are not helping me.
0
Comment
Question by:fuzzyfreak
  • 5
  • 2
7 Comments
 
LVL 5

Expert Comment

by:Robert_Turner
ID: 39184203
I presume you have setup a new share for this purpose, something along the lines of \\Server\Profiles

Users should have the permissions to be able to view the folder with the profiles in, that is a requirement, or the desktop will not be able to see the folders, the permissions should let the user in question have the permission to work with that folder and subfolders.

The articles are correct and they are the permissions you should use, although I tend to from this article for reference.

http://technet.microsoft.com/en-us/library/cc757013(v=ws.10).aspx

If the folders are created allready, you may have to manually make the user the owner of that folder, as the permissions as designed to the Creator/Owner full control of subfolders, in the profile share, that they are creator or owner of.
0
 
LVL 4

Author Comment

by:fuzzyfreak
ID: 39184537
First thing I should point out is that my profile folder sits beneath the Users folder. This folder has no permissions associated to it, however it is where my folder redirections are too and these work perfectly.  Having checked that I do indeed have the permissions stated in that article, it is still not working.  The Event Viewer states Access Denied and if you try to create a file on the share from the user's login, you can't.
0
 
LVL 4

Author Comment

by:fuzzyfreak
ID: 39184568
The problem with table 7.8 is the part that says "Security group of users needing to put data on share" - it is not specific - what permissions should the share have?
0
Enabling OSINT in Activity Based Intelligence

Activity based intelligence (ABI) requires access to all available sources of data. Recorded Future allows analysts to observe structured data on the open, deep, and dark web.

 
LVL 4

Author Comment

by:fuzzyfreak
ID: 39187063
Has anybody got any more ideas on this as I am now reverting back to giving Domain Users read/write/create permissions on the profile folder to resolve this, thus giving them the ability to view/change any folder within the profile folder - not good security practice.
0
 
LVL 5

Expert Comment

by:Robert_Turner
ID: 39244209
You say your existing user folder has no permission on it, have you forced through the permissions so that the subfolders use inheritance.  You may have to force ownership on each subfolder to each user to sort the permissions out, as typically the permissions would be assigned when the user is created.
0
 
LVL 4

Accepted Solution

by:
fuzzyfreak earned 0 total points
ID: 39244909
I think I sussed this out -

Top level profile folder needs the following security -

Domain Users - traverse, list, read, read extended, create files, create folders, write attributes, write extended
Domain Admins/system/creator owner - full control

Individual user profile folder -
User/system/domain admins - full control

User profile share -
Domain admins full control
Domain users change

Still needs tidying up but this seemed to work.
0
 
LVL 4

Author Closing Comment

by:fuzzyfreak
ID: 40223700
I worked this out myself.
0

Featured Post

What Should I Do With This Threat Intelligence?

Are you wondering if you actually need threat intelligence? The answer is yes. We explain the basics for creating useful threat intelligence.

Join & Write a Comment

Recently, I had the need to build a standalone system to run a point-of-sale system. I’m running this on a low-voltage Atom processor, so I wanted a light-weight operating system, but still needed Windows. I chose to use Microsoft Windows Server 200…
Introduction At 19:33 (UST) on Tuesday 21st September the long awaited email arrived with the subject title of “ANNOUNCING THE AVAILABILITY OF WINDOWS SBS 7 PREVIEW”.  It was time to drop whatever I was doing and dedicate as much bandwidth as possi…
Access reports are powerful and flexible. Learn how to create a query and then a grouped report using the wizard. Modify the report design after the wizard is done to make it look better. There will be another video to explain how to put the final p…
This video demonstrates how to create an example email signature rule for a department in a company using CodeTwo Exchange Rules. The signature will be inserted beneath users' latest emails in conversations and will be displayed in users' Sent Items…

706 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

13 Experts available now in Live!

Get 1:1 Help Now