?
Solved

What permissions are necessary on the Roaming Profile Folder?

Posted on 2013-05-21
7
Medium Priority
?
371 Views
Last Modified: 2014-07-28
I am having to set up my Roaming Profile folder manually as this is not automated in SBS2011.  I appear to have got as far as the folder being created but when you log into the share as the user, they can view all other profiles - this is not right.

I have followed this article - http://blogs.technet.com/b/askds/archive/2008/06/30/automatic-creation-of-user-folders-for-home-roaming-profile-and-redirected-folders.aspx

But this did not help create the folder.  

I followed another article which suggested adding Authenticated Users, I am not sure if this is what helped create the folder.  What I need is somebody who has this working in their environment to tell me what permissions they have on both the share and the folder.  Unfortunately, articles are not helping me.
0
Comment
Question by:fuzzyfreak
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 2
7 Comments
 
LVL 5

Expert Comment

by:Robert_Turner
ID: 39184203
I presume you have setup a new share for this purpose, something along the lines of \\Server\Profiles

Users should have the permissions to be able to view the folder with the profiles in, that is a requirement, or the desktop will not be able to see the folders, the permissions should let the user in question have the permission to work with that folder and subfolders.

The articles are correct and they are the permissions you should use, although I tend to from this article for reference.

http://technet.microsoft.com/en-us/library/cc757013(v=ws.10).aspx

If the folders are created allready, you may have to manually make the user the owner of that folder, as the permissions as designed to the Creator/Owner full control of subfolders, in the profile share, that they are creator or owner of.
0
 
LVL 4

Author Comment

by:fuzzyfreak
ID: 39184537
First thing I should point out is that my profile folder sits beneath the Users folder. This folder has no permissions associated to it, however it is where my folder redirections are too and these work perfectly.  Having checked that I do indeed have the permissions stated in that article, it is still not working.  The Event Viewer states Access Denied and if you try to create a file on the share from the user's login, you can't.
0
 
LVL 4

Author Comment

by:fuzzyfreak
ID: 39184568
The problem with table 7.8 is the part that says "Security group of users needing to put data on share" - it is not specific - what permissions should the share have?
0
Get your Conversational Ransomware Defense e‑book

This e-book gives you an insight into the ransomware threat and reviews the fundamentals of top-notch ransomware preparedness and recovery. To help you protect yourself and your organization. The initial infection may be inevitable, so the best protection is to be fully prepared.

 
LVL 4

Author Comment

by:fuzzyfreak
ID: 39187063
Has anybody got any more ideas on this as I am now reverting back to giving Domain Users read/write/create permissions on the profile folder to resolve this, thus giving them the ability to view/change any folder within the profile folder - not good security practice.
0
 
LVL 5

Expert Comment

by:Robert_Turner
ID: 39244209
You say your existing user folder has no permission on it, have you forced through the permissions so that the subfolders use inheritance.  You may have to force ownership on each subfolder to each user to sort the permissions out, as typically the permissions would be assigned when the user is created.
0
 
LVL 4

Accepted Solution

by:
fuzzyfreak earned 0 total points
ID: 39244909
I think I sussed this out -

Top level profile folder needs the following security -

Domain Users - traverse, list, read, read extended, create files, create folders, write attributes, write extended
Domain Admins/system/creator owner - full control

Individual user profile folder -
User/system/domain admins - full control

User profile share -
Domain admins full control
Domain users change

Still needs tidying up but this seemed to work.
0
 
LVL 4

Author Closing Comment

by:fuzzyfreak
ID: 40223700
I worked this out myself.
0

Featured Post

10 Questions to Ask when Buying Backup Software

Choosing the right backup solution for your organization can be a daunting task. To make the selection process easier, ask solution providers these 10 key questions.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

The SBS 2011 release date (RTM) is supposed to be around Christmas, 2011.  This article is a compilation of my notes -- things I have learned first hand.  The items are in a rather random order, but I think this list covers most of what is new and d…
You may have discovered the 'Compatibility View Settings' workaround for making your SBS 2008 Remote Web Workplace 'connect to a computer' section stops 'working around' after a Windows 10 client upgrade.  That can be fixed so it 'works around' agai…
Visualize your data even better in Access queries. Given a date and a value, this lesson shows how to compare that value with the previous value, calculate the difference, and display a circle if the value is the same, an up triangle if it increased…
Have you created a query with information for a calendar? ... and then, abra-cadabra, the calendar is done?! I am going to show you how to make that happen. Visualize your data!  ... really see it To use the code to create a calendar from a q…
Suggested Courses

765 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question