Getting administrative rights on roaming profiles folder

  • Getting administrative rights on roaming profiles folder

    Hey guys.

    I'm new to the forum, so I'm crossing my fingers and hoping for some guidance.

    I have a 2003-server environment with AD, and I have rolled out a GPO to gain access for administrators to the roaming profiles folders on the server.
    I have used the administrative templates: "Add the Administrators security group to roaming user profiles" and the "Do not check for user ownership of Roaming Profile Folders"

    The challenge now is that I also want access to the roaming profiles that are already created (a few hundred), and as I understand this GPO only applies to the users that are created from now on...

    I have found that this can be done with some scripting, but I am really not into the scripting-business so I hope you guys have an idea as to how I can obtain this goal by using a GPO.

    Thanks in advance!

    Greetings from
    Petter
    Greetings from
    Petter C.
    Norway

  • #2
    Re: Getting administrative rights on roaming profiles folder

    Go to the root folder for the profiles, bring up the properties, go to the security tab, add an administrator account and give it full permissions, click ok to close out of all the windows. This should add the administrator account to all the profile folders with full permissions. As long as the child folders are configured to inherit permissions from the parent folder this will be the easiest and fastest way.



    • #3
      Re: Getting administrative rights on roaming profiles folder

      I have tried this, but the problem is that the "user-folders" are owned by the user him/herself, and to be able to change the permissions on the folders I need to take ownership of them...

      It would not be a problem to take ownership of all the folders I think, but for the user to be able to login afterwards, I have to give ownership back to the user again... and that is a bigger problem as we're speaking of a few hundred users.

      Or am I missing something?

      Tnx

      Greetings from
      Petter
      Greetings from
      Petter C.
      Norway



      • #4
        Re: Getting administrative rights on roaming profiles folder

        Does the SYSTEM account have admin rights to the users' folders? If so, you can use this to grant the admin group the required permissions without changing the ownerships of the folders.
        This message represents the official view of the voices in my head



        • #5
          Re: Getting administrative rights on roaming profiles folder

          No, unfortunately only the users have access permissions on the folders. I can see the folders, but not open them.

          -Petter
          Greetings from
          Petter C.
          Norway



          • #6
            Re: Getting administrative rights on roaming profiles folder

            Well, if that's the case then I can only think of one thing: add the administrator and the Everyone group or the Authenticated Users group to the parent folder, grant the administrator ownership of the parent folder and have it propagate to the child folders. This will give you access to the folders and will allow your users to access the folders via the Everyone or Authenticated Users groups. Are you hiding the parent share with the $? If so, then nobody can browse the network and see the share so this should not present any security issue. You can then add each user to each profile and remove the Everyone or Authenticated Users group from the permissions. It's not the best solution but it will work. It's going to take a lot of time on your part, but when permissions get goofed up it often takes a lot of time and work to get them straightened out.



            • #7
              Re: Getting administrative rights on roaming profiles folder

              I think Joe's suggestion may well be the only way forward, but it doesn't mean it's a nice solution, just one of them you have to do every now and then.

              If I were in your situation I'd definitely get a full cacls assessment off each folder to determine exact permissions. You could probably get one of the users with roaming profiles to help you out if needed. I'd then probably run cacls using the old "/e /g administrators:f" approach on the top folder and add "/t" on the end so it propagates down.

              I am fairly certain that if you've just let the accounts create their own profile folders that SYSTEM will be on there with admin rights. I think it's so that it can backup the folders but I could be wrong. Either way, definitely worth a look into further IMO
              This message represents the official view of the voices in my head
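
The assess-then-grant approach from post #7, as an added PowerShell example that is not part of the thread: it reports owner and SYSTEM/Administrators access per profile folder, and with -Apply adds the Administrators ACE by writing the DACL only, leaving ownership untouched. Assumptions: `D:\Profiles` is a hypothetical path, PowerShell 2.0 or later is installed, and the script runs from an account that already has full control on the folders.

```powershell
param(
    [string]$ProfileRoot = 'D:\Profiles',  # hypothetical path to the profile share root
    [switch]$Apply                         # report only unless -Apply is given
)
$adminsSid = 'S-1-5-32-544'   # BUILTIN\Administrators (well-known SID)
$systemSid = 'S-1-5-18'       # NT AUTHORITY\SYSTEM (well-known SID)
$sidType   = [System.Security.Principal.SecurityIdentifier]
$adminsId  = New-Object System.Security.Principal.SecurityIdentifier($adminsSid)
$full      = [int][System.Security.AccessControl.FileSystemRights]::FullControl

# True when the DACL holds an Allow ACE for $sid that covers every FullControl bit.
function Test-FullControl($acl, [string]$sid) {
    foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
        if ($ace.IdentityReference.Value -eq $sid -and
            $ace.AccessControlType -eq 'Allow' -and
            (([int]$ace.FileSystemRights) -band $full) -eq $full) { return $true }
    }
    return $false
}

Get-ChildItem -Path $ProfileRoot | Where-Object { $_.PSIsContainer } | ForEach-Object {
    $dir = $_
    $row = @{ Folder = $dir.Name; Owner = '<unreadable>'; SystemFull = $null
              AdminsFull = $null; Changed = $false; Error = $null }
    try {
        $acl = Get-Acl -Path $dir.FullName -ErrorAction Stop
        $row.Owner      = $acl.Owner
        $row.SystemFull = Test-FullControl $acl $systemSid
        $row.AdminsFull = Test-FullControl $acl $adminsSid
        if ($Apply -and -not $row.AdminsFull) {
            # Fetch and write back the DACL section only, so the owner recorded
            # on the folder (the user) is never rewritten.
            $dacl = $dir.GetAccessControl('Access')
            $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
                $adminsId, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
            $dacl.AddAccessRule($rule)
            $dir.SetAccessControl($dacl)   # children that inherit pick the ACE up
            $row.Changed = $true
        }
    } catch {
        # Access denied from this context: leave the folder alone and report it.
        $row.Error = $_.Exception.Message
    }
    New-Object PSObject -Property $row
} | Select-Object Folder, Owner, SystemFull, AdminsFull, Changed, Error
```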



              • #8
                Re: Getting administrative rights on roaming profiles folder

                Ok, so no GPO can solve this problem then...

                Well, I'll have a look into this as soon as I can guys, and I want to thank you for your efforts so far...

                Tnx a lot.

                Greetings from
                Petter
                Greetings from
                Petter C.
                Norway



                • #9
                  Re: Getting administrative rights on roaming profiles folder

                  Originally posted by torcar
                  Ok, so no GPO can solve this problem then...
                  By default, no. However, the way I described is how we do it for our users with roaming profiles and it works fine.
                  This message represents the official view of the voices in my head



                  • #10
                    Re: Getting administrative rights on roaming profiles folder

                    We use treesize professional to have access to the roaming profiles.
                    Works like a charm.
                    [Powershell]
                    Start-DayDream
                    Set-Location Malibu Beach
                    Get-Drink
                    Lay-Back
                    Start-Sleep
                    ....
                    Wake-Up!
                    Resume-Service
                    Write-Warning
                    [/Powershell]

                    BLOG: Therealshrimp.blogspot.com



                    • #11
                      Re: Getting administrative rights on roaming profiles folder

                      You can add a GPO to "Add the Administrator security group to the roaming user profile share". However, this only adds the group to new profiles. Old existing profiles will need to be given permissions manually.
                      Please remember to leave positive reputation points (The Ying Yang Icon) if someone helps you.



                      • #12
                        Re: Getting administrative rights on roaming profiles folder

                        I have done some checking now...

                        Turns out two things...

                        1.
                        The SYSTEM account has access to the folders.
                        How do I exploit this?

                        2.
                        I have made a GPO to "Do not check for user ownership of Roaming Profile Folders"


                        I have tested on one account from a user that was created before I made the first GPO and now I can take ownership on his account and he can still login without any problems.

                        Question now is... Do I use the SYSTEM account to give administrators access as Graycat suggested, or do I take ownership over all the folders without giving ownership back to the users?

                        What do you guys recommend?


                        Greetings from
                        Petter C.
                        Norway
