MCSE - Permissions on Profiles Folder

#1

>-----Original Message-----
>I am reviewing NTFS permissions on the folder that contains our roaming
>profiles. Can anyone suggest the best practice for achieving:
>A. Users only have access to their own profiles
>B. Domain admins have full access to all profiles
>Maybe you can check the attached screenshot to see if this is correct.
>Many thanks to all
>Testy

Hello Testy (if that is indeed your real name)

I don't want to undermine the LnL effort to answer your question. The Group Policy directive is correct but I will assume you don't know why.

Being taught how to implement from these newsgroups is probably outside of the scope of what would be reasonable to ask because any good answer to your question would be many pages long and probably lead to even more questions requiring even more long answers.

Can I suggest that you spend some time learning how to use Group Policies to Redirect Folders? This may mean buying some books and reading at length. Using roaming profiles is very slow to log on and off the network, whereas GPs and Folder Redirection is very quick; only changed files are synchronised and copied.

Marko

#2

Thanks for your very helpful reply Marko.

I've just taken over this network of 50 users, previously looked after by a complete moron. Every user (including temps "were" domain admins!!). I guess the last guy didn't want to be bothered by users, and let them all do anything they wanted. The default domain GPO had never been touched.

I'm cleaning up a fair bit to say the least.

I am planning to use group policy and folder redirection eventually, but need to research how folder redirection will affect the existing data in everyone's "My Documents", and especially laptop users (and offline files).

Cheers again
Testy

"Marko" <> wrote in message news:0a0001c37cf1$ef8f89f0$...
>
> >-----Original Message-----
> >I am reviewing NTFS permissions on the folder that contains our roaming
> >profiles. Can anyone suggest the best practice for achieving:
> >A. Users only have access to their own profiles
> >B. Domain admins have full access to all profiles
> >Maybe you can check the attached screenshot to see if this is correct.
> >Many thanks to all
> >Testy
> >
>
> Hello Testy (if that is indeed your real name)
>
> I don't want to undermine the LnL effort to answer your
> question. The Group Policy directive is correct but I
> will assume you don't know why.
>
> Being taught how to implement from these newsgroups is
> probably outside of the scope of what would be reasonable
> to ask because any good answer to your question would be
> many pages long and probably lead to even more questions
> requiring even more long answers.
>
> Can I suggest that you spend some time learning how to use
> Group Policies to Redirect Folders? This may mean buying
> some books and reading at length. Using roaming profiles
> is very slow to log on and off the network, whereas GPs
> and Folder Redirection is very quick; only changed files
> are synchronised and copied.
>
> Testy

#3

>-----Original Message-----
>Thanks for your very helpful reply Marko.
>
>I've just taken over this network of 50 users, previously looked after by a
>complete moron. Every user (including temps "were" domain admins!!). I
>guess the last guy didn't want to be bothered by users, and let them all do
>anything they wanted. The default domain GPO had never been touched.
>
>I'm cleaning up a fair bit to say the least.
>
>I am planning to use group policy and folder redirection eventually, but
>need to research how folder redirection will affect the existing data in
>everyone's "My Documents", and especially laptop users (and offline files).
>
>Cheers again
>Testy

Boy, you have a lot to do and a short time to learn it all in. Welcome to Windows networks 101 where you may learn some of the basics:

OK - First things first: Make sure you have a backup with the System State and that you know how to restore if you have to (Learn the F8 during startup, noting how to boot to Restore Active Directories). Make notes so you can undo anything that may have undesirable effects.

Look at the Administrators and Domain Admin groups. Remove every account not used ONLY for server / workstation administration. Likely Administrator, Netshow and Exchange Admin type accounts will be the only ones left. Make sure guest is disabled.

Go download the Microsoft Baseline Security Analyzer. You can pretty much do everything it recommends at this stage since it is likely to be better than the state of play at the moment.

Determine how you could put every person into different groups that would correspond to the different network folders or shares being used. Work on making your network shares accessible by security groups and put users in those groups, as appropriate. Common rookie error is putting users in the security permissions when users belong to groups and groups control file / folder security. Much easier to manage when users leave the organisation or new users come in.

For EXAMPLE, a folder called executive may have Administrators and System as Full Control, with security group Executive having Modify permissions. You may then add AdminStaff with Read access, if this is appropriate.

Don't add Everyone permissions for anything - it isn't necessary and it is a little too relaxed. You can nearly always provide everyone on your network the right File and Folder access by specifying the Domain Users group.

If you were creating a network share for these files and folders, you would use either Executive with Full Control permissions on the share, or Domain Users with Full Control. Keep in mind, the file and folder security attributes will negate any extra permissions gained through the network share.

Go to the Profile of a user account. Users normally have a network drive, say U:, that would be mapped in each profile as \\servername\users$\%username% where servername is - you guessed it! - the server netbios name, users$ is the share assigned to the users folder on the server, the $ makes it invisible when searching for shares on the server, and %username% will prompt the computer to replace this with the logon name of the user when creating a folder to use as U:. Try it; from the profile tab, Connect U: to \\servername\users$\%username%. If you have created a folder for users that is shared as users$ with permissions of full control for Domain Users, then a folder should be created for username and the permissions will include full control for username. Easy, eh?

After you have sorted that mess out, open Active Directory Users and Computers. Choose the properties of the domain. Select the Group Policy tab at the top. With any luck, you only have a Default Domain policy. Now, User configuration, Windows Settings, Folder redirection. (I am doing this from memory, so it may not be 100% but you will get the idea).

Choose the Properties of say Desktop, and choose to redirect this folder for everyone to \\servername\users$\%username%\system\desktop

Everybody's desktop will be copied to their U:, in a folder called system\desktop that will be created when they logon. Their desktop profile from the machine they log into will be copied. You can do similar for the other folders when you are comfortable that you can recover profiles from workstations and copy them directly into these folders, if you have to.

That's all for now. Kept me busy for 20 minutes; it will keep you busy for most of next week I would think.

Good luck.

Marko
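
The rule from the original question (users reach only their own folder, administrators reach all of them) can be checked against per-user folders of the \\servername\users$\%username% kind by listing every Allow entry that belongs to neither group. The PowerShell below is an added example, not code from the thread; the domain name CONTOSO, the path D:\Users and the function names Get-FolderAce and Find-UnexpectedAce are assumptions.

```powershell
# Added example, not from the thread. CONTOSO, D:\Users and both function
# names are assumptions chosen for illustration.

function Get-FolderAce {
    # Read the Allow ACEs of every folder directly under $Root.
    param([Parameter(Mandatory)][string]$Root)
    Get-ChildItem -LiteralPath $Root -Directory | ForEach-Object {
        $folder = $_.Name
        (Get-Acl -LiteralPath $_.FullName).Access |
            Where-Object { $_.AccessControlType -eq 'Allow' } |
            ForEach-Object {
                [pscustomobject]@{
                    Folder   = $folder
                    Identity = $_.IdentityReference.Value
                    Rights   = $_.FileSystemRights.ToString()
                }
            }
    }
}

function Find-UnexpectedAce {
    # Emit every ACE whose identity is neither an administrative principal
    # nor the account whose logon name equals the folder name.
    param(
        [Parameter(Mandatory, ValueFromPipeline)]$Ace,
        [string]$Domain = 'CONTOSO'
    )
    begin {
        $admins = 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM',
                  "$Domain\Domain Admins"
    }
    process {
        $owner = "$Domain\$($Ace.Folder)"
        if ($admins -notcontains $Ace.Identity -and $Ace.Identity -ne $owner) {
            $Ace
        }
    }
}

# Constructed sample ACEs (not real data) so the check runs without a server.
$sample = @(
    [pscustomobject]@{ Folder = 'jsmith'; Identity = 'CONTOSO\jsmith';         Rights = 'FullControl' }
    [pscustomobject]@{ Folder = 'jsmith'; Identity = 'BUILTIN\Administrators'; Rights = 'FullControl' }
    [pscustomobject]@{ Folder = 'akhan';  Identity = 'CONTOSO\Domain Users';   Rights = 'Modify' }
    [pscustomobject]@{ Folder = 'akhan';  Identity = 'Everyone';               Rights = 'ReadAndExecute' }
)
$sample | Find-UnexpectedAce | Format-Table -AutoSize

# Against a live profile or home-folder root:
#   Get-FolderAce -Root 'D:\Users' | Find-UnexpectedAce
```

On the constructed sample only the two akhan entries are reported, because Domain Users and Everyone are neither the folder's own account nor an administrative principal.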