Permissions on Profiles Folder

Discussion in 'MCSE' started by Marko, Sep 17, 2003.

  1. Marko

    Marko Guest


    >-----Original Message-----
    >I am reviewing NTFS permissions on the folder that contains our roaming
    >profiles. Can anyone suggest the best practice for achieving:
    >A. Users only have access to their own profiles
    >B. Domain admins have full access to all profiles
    >Maybe you can check the attached screenshot to see if this is correct.
    >Many thanks to all
    >Testy



    Hello Testy (if that is indeed your real name)

    I don't want to undermine the LnL effort to answer your
    question. The Group Policy directive is correct but I
    will assume you don't know why.

    Being taught how to implement from these newsgroups is
    probably outside of the scope of what would be reasonable
    to ask because any good answer to your question would be
    many pages long and probably lead to even more questions
    requiring even more long answers.

    Can I suggest that you spend some time learning how to use
    Group Policies to Redirect Folders? This may mean buying
    some books and reading at length. Using roaming profiles
    is very slow to log on and off the network, whereas GPs
    and Folder Redirection are very quick; only changed files
    are synchronised and copied.
    Marko, Sep 17, 2003
    #1

  2. Marko

    Testy Guest

    Thanks for your very helpful reply Marko.

    I've just taken over this network of 50 users, previously looked after by a
    complete moron. Every user (including temps "were" domain admins!!). I
    guess the last guy didn't want to be bothered by users, and let them all do
    anything they wanted. The default domain GPO had never been touched.

    I'm cleaning up a fair bit to say the least.

    I am planning to use group policy and folder redirection eventually, but
    need to research how folder redirection will affect the existing data in
    everyone's "My Documents", and especially laptop users (and offline files).

    Cheers again
    Testy




    Testy, Sep 18, 2003
    #2

  3. Marko

    Marko Guest


    >-----Original Message-----
    >Thanks for your very helpful reply Marko.
    >
    >I've just taken over this network of 50 users, previously looked after by a
    >complete moron. Every user (including temps "were" domain admins!!). I
    >guess the last guy didn't want to be bothered by users, and let them all do
    >anything they wanted. The default domain GPO had never been touched.
    >
    >I'm cleaning up a fair bit to say the least.
    >
    >I am planning to use group policy and folder redirection eventually, but
    >need to research how folder redirection will affect the existing data in
    >everyone's "My Documents", and especially laptop users (and offline files).
    >
    >Cheers again
    >Testy


    Boy, you have a lot to do and a short time to learn it all
    in. Welcome to Windows networks 101 where you may learn
    some of the basics:


    OK - First things first:

    Make sure you have a backup with the System State and that
    you know how to restore if you have to (Learn the F8
    during startup, noting how to boot to Restore Active
    Directories).

    Make notes so you can undo anything that may have
    undesirable effects.

    Look at the Administrators and Domain Admin groups.
    Remove every account not used ONLY for server /
    workstation administration. Likely Administrator, Netshow
    and Exchange Admin type accounts will be the only ones
    left. Make sure guest is disabled.

    Go download the Microsoft Baseline Security Analyzer. You
    can pretty much do everything it recommends at this stage
    since it is likely to be better than the state of play at
    the moment.

    Determine how you could put every person into different
    groups that would correspond to the different network
    folders or shares being used.

    Work on making your network shares accessible by security
    groups and put users in those groups, as appropriate.
    Common rookie error is putting users in the security
    permissions when users belong to groups and groups control
    file / folder security. Much easier to manage when users
    leave the organisation or new users come in.

    For EXAMPLE, a folder called executive may have
    Administrators and System as Full Control, with security
    group Executive having Modify permissions. You may then
    add AdminStaff with Read access, if this is appropriate.
    Don't add Everyone permissions for anything - it isn't
    necessary and it is a little too relaxed. You can nearly
    always provide everyone on your network the right File and
    Folder access by specifying the Domain Users group. If
    you were creating a network share for these files and
    folders, you would use either Executive with Full Control
    permissions on the share, or Domain Users with Full
    Control. Keep in mind, the file and folder security
    attributes will negate any extra permissions gained
    through the network share.

    Go to the Profile of a user account. Users normally have
    a network drive, say U:, that would be mapped in each
    profile as \\servername\users$\%username% where servername
    is - you guessed it! - the server netbios name, users$ is
    the share assigned to the users folder on the server, the
    $ makes it invisible when searching for shares on the
    server, and %username% will prompt the computer to replace
    this with the logon name of the user when creating a
    folder to use as U:. Try it; from the profile tab,
    Connect U: to \\servername\users$\%username%. If you have
    created a folder for users that is shared as users$ with
    permissions of full control for Domain Users, then a
    folder should be created for username and the permissions
    will include full control for username. Easy, eh?

    After you have sorted that mess out, open Active Directory
    Users and Computers. Choose the properties of the
    domain. Select the Group Policy tab at the top. With any
    luck, you only have a Default Domain policy. Now, User
    configuration, Windows Settings, Folder redirection. (I
    am doing this from memory, so it may not be 100% but you
    will get the idea). Choose the Properties of say Desktop,
    and choose to redirect this folder for everyone to
    \\servername\users$\%username%\system\desktop. Everybody's
    desktop will be copied to their U:, in a folder called
    system\desktop that will be created when they logon.
    Their desktop profile from the machine they log into will
    be copied.

    You can do similar for the other folders when you are
    comfortable that you can recover profiles from
    workstations and copy them directly into these folders, if
    you have to.

    That's all for now. Kept me busy for 20 minutes; it will
    keep you busy for most of next week I would think.

    Good luck.
    Marko, Sep 18, 2003
    #3
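
An added example, not part of the posts above: a PowerShell audit of the per-user folders behind the users$ share, checking the goal from the original question (each user reaches only their own folder, administrators reach all). The root path, the domain name and the assumption that each folder is named after the logon name are placeholders to adjust.

```powershell
# Audit per-user folders under the users$ root: report every Allow ACE that is
# not the folder's own user or an administrative principal.
# Assumptions (placeholders, not from the thread): $Root, $Domain, and that each
# folder is named after the user's logon name (the %username% convention).
param(
    [string]$Root   = 'D:\Users',   # hypothetical local path behind users$
    [string]$Domain = 'EXAMPLE'     # placeholder NetBIOS domain name
)

$allowed = @(
    'NT AUTHORITY\SYSTEM',
    'BUILTIN\Administrators',
    "$Domain\Domain Admins",
    'CREATOR OWNER'
)

$findings = foreach ($dir in Get-ChildItem -LiteralPath $Root -Directory) {
    $user = "$Domain\$($dir.Name)"
    $aces = (Get-Acl -LiteralPath $dir.FullName).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' }

    # The folder's own user should hold an ACE; if it is missing, the folder
    # name may not match any logon name and is worth a manual look.
    if (-not ($aces | Where-Object { $_.IdentityReference.Value -eq $user })) {
        [pscustomobject]@{ Folder = $dir.FullName; Identity = $user
                           Rights = 'none'; Issue = 'owner ACE missing' }
    }

    foreach ($ace in $aces) {
        $id = $ace.IdentityReference.Value
        if ($id -eq $user -or $allowed -contains $id) { continue }
        # Everyone, Domain Users, other users, and unresolved SIDs land here.
        [pscustomobject]@{ Folder = $dir.FullName; Identity = $id
                           Rights = "$($ace.FileSystemRights)"
                           Issue  = 'unexpected principal' }
    }
}

$findings | Sort-Object Folder, Identity | Format-Table -AutoSize
```

The script only reads ACLs, so it can be run before and after a permissions clean-up to compare the findings.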
