• Status: Solved

Locking Down Roaming Profiles Issue

In my environment I have Students and Teachers / Staff all in their own groups for Roaming Profiles. All the permissions are set up so students are denied access to staff Roaming profiles just in case something freaks out and shows them the path.
My problem is the Students. I had a student that dragged an image file from their profile into Chrome and it gives them their full path to that file. Now if that student goes to File://domain/roamingprofile, they can access other students' files and folders. I have been going crazy trying to figure out how to block or disable this from happening. I'm not sure if this is a permission issue or what it is. I installed the Chrome GPO and tried blocking those links, as well as putting them in my Firewall. I think even IE does it now; I just don't know where to turn on this matter.

Permissions are as follows for Students on their Students_Home folder, and all their roaming profiles are within the Students_Home folder.

Creator Owner - Full Control
System - Full Control
Admins - Full Control
IT - Full Control
Students - "Special" "This Folder Only" "Deny" "List Folder / Read Data"
Students - "Special" "This Folder Only" "Allow" "Create Files / Write Data, Create Folders / Append Data"

Shared Permissions

Creator Owner - Full Control
Admins - Full Control
IT - Full Control
Students - Change
Garrett Dout
I didn't quite get the whole picture, but did you set up your permissions so that only Teacher1 has access to the home folder of Teacher1 and nobody else? If permissions are set correctly, the path will not be accessible to anyone else (excluding admins).

You can even configure home folders for exclusive access (via GP), so that even admins cannot access users' home folders.
David Johnson, CD, MVP (Owner) commented:
Share Permission: Everyone Full control

Use the following settings for NTFS Permissions:
CREATOR OWNER - Full Control (Apply onto: Subfolders and Files Only)
System - Full Control (Apply onto: This Folder, Subfolders and Files)
Domain Admins - Full Control (Apply onto: This Folder, Subfolders and Files)  // I disagree with this one; it should either not be there or be This Folder Only
Everyone - Create Folder/Append Data (Apply onto: This Folder Only)
Everyone - List Folder/Read Data (Apply onto: This Folder Only)
Everyone - Read Attributes (Apply onto: This Folder Only)
Everyone - Traverse Folder/Execute File (Apply onto: This Folder Only)

 If you enable the setting to give the user exclusive access to the folder, you will override the inherited permissions and need to reset the ACL.
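An added example, not part of the thread: a PowerShell audit that walks each profile folder under the share root and reports every Allow entry granted to an identity other than the folder's own user or a short trusted list, which is how a group-wide grant like the one the question describes shows up. The function name, the trusted list, the `\\server\Students_Home` path and the assumption that each folder is named after its user (with an optional `.V2`-style suffix) are illustrative.

```powershell
# Added example. Assumes each profile folder is named <user> or <user>.V<n>.
function Get-ProfileAclFinding {
    param(
        [Parameter(Mandatory)][string]$ProfileRoot,
        # Identities expected on every profile folder besides the profile's own user.
        # Add your admin group here if you keep it on the ACL.
        [string[]]$Trusted = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'CREATOR OWNER')
    )
    foreach ($dir in Get-ChildItem -LiteralPath $ProfileRoot -Directory) {
        # Strip the profile version suffix (.V2, .V6, ...) to get the account name.
        $user = $dir.Name -replace '\.V\d+$', ''
        $acl  = Get-Acl -LiteralPath $dir.FullName
        foreach ($ace in $acl.Access) {
            # Deny entries cannot expose data, so only Allow entries are reported.
            if ($ace.AccessControlType -ne 'Allow') { continue }
            $id = $ace.IdentityReference.Value
            if ($Trusted -contains $id) { continue }
            # DOMAIN\user: compare the part after the backslash with the folder's user.
            if (($id -split '\\')[-1] -eq $user) { continue }
            [pscustomobject]@{
                Folder    = $dir.FullName
                Identity  = $id
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited   # True means the grant comes from the root ACL
            }
        }
    }
}

# Placeholder UNC path; point it at the real profile share root.
Get-ProfileAclFinding -ProfileRoot '\\server\Students_Home' | Format-Table -AutoSize
```

Rows with `Inherited` set to True point at an entry on the root folder that applies to subfolders rather than to "This Folder Only".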
Garrett Dout (Author) commented:
Thank you so much, I will change the permissions and see if it fixes my issues.
David Johnson, CD, MVP (Owner) commented:
And the results are?
Garrett Dout (Author) commented:
I didn't want to change the permissions till this Thursday when the students go on Christmas Break. Just in case I would have to reimport the data from Veeam for some reason.
Pber (Solutions Architect) commented:
No comment has been added to this question in more than 21 days, so it is now classified as abandoned.

I have recommended this question be closed as follows:

Accept: David Johnson CD MVP (https:#a42386768)

If you feel this question should be closed differently, post an objection and the moderators will review all objections and close it as they feel fit. If no one objects, this question will be closed automatically the way described above.

Experts-Exchange Cleanup Volunteer