fuzzyfreak

asked on

What permissions are necessary on the Roaming Profile Folder?

I am having to set up my Roaming Profile folder manually as this is not automated in SBS2011.  I appear to have got as far as the folder being created but when you log into the share as the user, they can view all other profiles - this is not right.

I have followed this article - http://blogs.technet.com/b/askds/archive/2008/06/30/automatic-creation-of-user-folders-for-home-roaming-profile-and-redirected-folders.aspx

But this did not help create the folder.  

I followed another article which suggested adding Authenticated Users, I am not sure if this is what helped create the folder.  What I need is somebody who has this working in their environment to tell me what permissions they have on both the share and the folder.  Unfortunately, articles are not helping me.
Robert_Turner

I presume you have set up a new share for this purpose, something along the lines of \\Server\Profiles

Users should have the permissions to be able to view the folder with the profiles in; that is a requirement, or the desktop will not be able to see the folders. The permissions should let the user in question have the permission to work with that folder and subfolders.

The articles are correct and they are the permissions you should use, although I tend to use this article for reference.

http://technet.microsoft.com/en-us/library/cc757013(v=ws.10).aspx

If the folders are created already, you may have to manually make the user the owner of that folder, as the permissions are designed to give the Creator/Owner full control of subfolders in the profile share that they are creator or owner of.
fuzzyfreak

ASKER

First thing I should point out is that my profile folder sits beneath the Users folder. This folder has no permissions associated to it, however it is where my folder redirections are too and these work perfectly.  Having checked that I do indeed have the permissions stated in that article, it is still not working.  The Event Viewer states Access Denied and if you try to create a file on the share from the user's login, you can't.
The problem with table 7.8 is the part that says "Security group of users needing to put data on share" - it is not specific - what permissions should the share have?
Has anybody got any more ideas on this as I am now reverting back to giving Domain Users read/write/create permissions on the profile folder to resolve this, thus giving them the ability to view/change any folder within the profile folder - not good security practice.
You say your existing user folder has no permission on it; have you forced through the permissions so that the subfolders use inheritance? You may have to force ownership on each subfolder to each user to sort the permissions out, as typically the permissions would be assigned when the user is created.
ASKER CERTIFIED SOLUTION
fuzzyfreak

I worked this out myself.
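
The ACL layout discussed in the thread (users may create their own profile folder but not open anyone else's), as an added example that is not part of the original posts or any poster's configuration. The path and group name are placeholders, the rule set follows Microsoft's published guidance for roaming profile shares as understood here, and the Administrators rule is an assumption for supportability.

```powershell
# Added example. Path and group name are placeholders (assumptions), adjust before use.
$ProfileRoot  = 'D:\Users\Profiles'
$ProfileUsers = 'CONTOSO\Roaming Profile Users'

function New-AllowRule($Identity, $Rights, $Inherit, $Propagate) {
    # Constructor order: identity, rights, inheritance flags, propagation flags, type
    New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList `
        $Identity, $Rights, $Inherit, $Propagate, 'Allow'
}

$rules = @(
    # Users may list the root and create their own profile folder there, nothing more.
    # 'None'/'None' = this folder only, so the grant never reaches other users' profiles.
    (New-AllowRule $ProfileUsers 'ListDirectory, CreateDirectories' 'None' 'None'),
    # Whoever creates a subfolder gets Full Control of it (subfolders and files only).
    (New-AllowRule 'CREATOR OWNER' 'FullControl' 'ContainerInherit, ObjectInherit' 'InheritOnly'),
    # The system account needs access to the whole tree.
    (New-AllowRule 'NT AUTHORITY\SYSTEM' 'FullControl' 'ContainerInherit, ObjectInherit' 'None'),
    # Assumption: administrators keep access for support; drop this rule if not wanted.
    (New-AllowRule 'BUILTIN\Administrators' 'FullControl' 'ContainerInherit, ObjectInherit' 'None')
)

$acl = Get-Acl -Path $ProfileRoot

# Stop inheriting from the parent Users folder and discard the inherited entries.
$acl.SetAccessRuleProtection($true, $false)

# Remove any remaining explicit entries (for example a broad Domain Users grant).
$acl.Access | ForEach-Object { [void]$acl.RemoveAccessRule($_) }

foreach ($rule in $rules) { $acl.AddAccessRule($rule) }
Set-Acl -Path $ProfileRoot -AclObject $acl

# Review the result: the user group must show InheritanceFlags = None.
(Get-Acl -Path $ProfileRoot).Access |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags -AutoSize

# Share-level permissions are separate from NTFS: grant the same group Full Control
# on the share and remove Everyone, so the NTFS ACL above is what actually restricts access.
```

CREATOR OWNER is only resolved when a folder is created, so profile folders that already exist need the user set as owner or granted access explicitly.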