Solved

What permissions are necessary on the Roaming Profile Folder?

Posted on 2013-05-21
7
355 Views
Last Modified: 2014-07-28
I am having to set up my Roaming Profile folder manually as this is not automated in SBS2011.  I appear to have got as far as the folder being created but when you log into the share as the user, they can view all other profiles - this is not right.

I have followed this article - http://blogs.technet.com/b/askds/archive/2008/06/30/automatic-creation-of-user-folders-for-home-roaming-profile-and-redirected-folders.aspx

But this did not help create the folder.  

I followed another article which suggested adding Authenticated Users, I am not sure if this is what helped create the folder.  What I need is somebody who has this working in their environment to tell me what permissions they have on both the share and the folder.  Unfortunately, articles are not helping me.
0
Comment
Question by:fuzzyfreak
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 2
7 Comments
 
LVL 5

Expert Comment

by:Robert_Turner
ID: 39184203
I presume you have setup a new share for this purpose, something along the lines of \\Server\Profiles

Users should have the permissions to be able to view the folder with the profiles in, that is a requirement, or the desktop will not be able to see the folders, the permissions should let the user in question have the permission to work with that folder and subfolders.

The articles are correct and they are the permissions you should use, although I tend to from this article for reference.

http://technet.microsoft.com/en-us/library/cc757013(v=ws.10).aspx

If the folders are created allready, you may have to manually make the user the owner of that folder, as the permissions as designed to the Creator/Owner full control of subfolders, in the profile share, that they are creator or owner of.
0
 
LVL 4

Author Comment

by:fuzzyfreak
ID: 39184537
First thing I should point out is that my profile folder sits beneath the Users folder. This folder has no permissions associated to it, however it is where my folder redirections are too and these work perfectly.  Having checked that I do indeed have the permissions stated in that article, it is still not working.  The Event Viewer states Access Denied and if you try to create a file on the share from the user's login, you can't.
0
 
LVL 4

Author Comment

by:fuzzyfreak
ID: 39184568
The problem with table 7.8 is the part that says "Security group of users needing to put data on share" - it is not specific - what permissions should the share have?
0
Back Up Your Microsoft Windows Server®

Back up all your Microsoft Windows Server – on-premises, in remote locations, in private and hybrid clouds. Your entire Windows Server will be backed up in one easy step with patented, block-level disk imaging. We achieve RTOs (recovery time objectives) as low as 15 seconds.

 
LVL 4

Author Comment

by:fuzzyfreak
ID: 39187063
Has anybody got any more ideas on this as I am now reverting back to giving Domain Users read/write/create permissions on the profile folder to resolve this, thus giving them the ability to view/change any folder within the profile folder - not good security practice.
0
 
LVL 5

Expert Comment

by:Robert_Turner
ID: 39244209
You say your existing user folder has no permission on it, have you forced through the permissions so that the subfolders use inheritance.  You may have to force ownership on each subfolder to each user to sort the permissions out, as typically the permissions would be assigned when the user is created.
0
 
LVL 4

Accepted Solution

by:
fuzzyfreak earned 0 total points
ID: 39244909
I think I sussed this out -

Top level profile folder needs the following security -

Domain Users - traverse, list, read, read extended, create files, create folders, write attributes, write extended
Domain Admins/system/creator owner - full control

Individual user profile folder -
User/system/domain admins - full control

User profile share -
Domain admins full control
Domain users change

Still needs tidying up but this seemed to work.
0
 
LVL 4

Author Closing Comment

by:fuzzyfreak
ID: 40223700
I worked this out myself.
0

Featured Post

How our DevOps Teams Maximize Uptime

Our Dev teams are like yours. They’re continually cranking out code for new features/bugs fixes, testing, deploying, responding to production monitoring events and more. It’s complex. So, we thought you’d like to see what’s working for us. Read the use case whitepaper.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A quick step-by-step overview of installing and configuring Carbonite Server Backup.
Restoring deleted objects in Active Directory has been a standard feature in Active Directory for many years, yet some admins may not know what is available.

730 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question