Getting administrative rights on roaming profiles folder


  • torcar
    started a topic Getting administrative rights on roaming profiles folder

    Getting administrative rights on roaming profiles folder

    Hey guys.

    I'm new to the forum, so I'm crossing my fingers and hoping for some guidance.

    I have a 2003-server environment with AD, and I have rolled out a GPO to gain access for administrators to the roaming profiles folders on the server.
    I have used the administrative templates: "Add the Administrators security group to roaming user profiles" and the "Do not check for user ownership of Roaming Profile Folders"

    The challenge now is that I also want access to the roaming profiles that are already created (a few hundred), and as I understand this GPO only applies to the users that are created from now on...

    I have found that this can be done with some scripting, but I am really not into the scripting-business so I hope you guys have an idea as to how I can obtain this goal by using a GPO.

    Thanks in advance!

    Greetings from
    Petter

  • torcar
    replied
    Re: Getting administrative rights on roaming profiles folder

    I have done some checking now...

    Turns out two things...

    1. The SYSTEM account has access to the folders.
       How do I exploit this?

    2. I have made a GPO to "Do not check for user ownership of Roaming Profile Folders"


    I have tested on one account from a user that was created before I made the first GPO and now I can take ownership on his account and he can still login without any problems.

    Question now is... Do I use the SYSTEM account to give administrators access as Graycat suggested, or do I take ownership over all the folders without giving ownership back to the users?

    What do you guys recommend?




  • ]SK[
    replied
    Re: Getting administrative rights on roaming profiles folder

    You can add a GPO to "Add the Administrator security group to the roaming user profile share". However, this only adds the group to new profiles. Old existing profiles will need to be given permissions manually.



  • Killerbe
    replied
    Re: Getting administrative rights on roaming profiles folder

    We use TreeSize Professional to have access to the roaming profiles.
    Works like a charm.



  • graycat
    replied
    Re: Getting administrative rights on roaming profiles folder

    Originally posted by torcar:
    "Ok, so no GPO can solve this problem then..."

    By default, no. However, the way I described is how we do it for our users with roaming profiles and it works fine.



  • torcar
    replied
    Re: Getting administrative rights on roaming profiles folder

    Ok, so no GPO can solve this problem then...

    Well, I'll have a look into this as soon as I can guys, and I want to thank you for your efforts so far...

    Tnx a lot.

    Greetings from
    Petter



  • graycat
    replied
    Re: Getting administrative rights on roaming profiles folder

    I think Joe's suggestion may well be the only way forward, but it doesn't mean it's a nice solution, just one of them you have to do every now and then.

    If I were in your situation I'd definitely get a full cacls assessment off each folder to determine exact permissions. You could probably get one of the users with roaming profiles to help you out if needed. I'd then probably run cacls using the old "/e /g administrators:f" approach on the top folder and add "/t" on the end so it propagates down.

    I am fairly certain that if you've just let the accounts create their own profile folders that SYSTEM will be on there with admin rights. I think it's so that it can back up the folders but I could be wrong. Either way, definitely worth a look into further IMO.

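Added example, not part of any post in this thread: a batch file for the cacls approach described in the post above, recording each profile folder's ACL before editing it and then checking that the Administrators entry is actually present. `D:\Profiles` and the log file names are placeholders, and the script assumes it runs in a context that is already allowed to change the folder ACLs (the thread reports that SYSTEM has access).

```batch
@echo off
rem Added example: audit, then extend, the ACL on every existing profile folder.
rem PROFILE_ROOT and the log names are placeholders; set them for your server.
setlocal
set "PROFILE_ROOT=D:\Profiles"
set "BEFORE=%TEMP%\profile-acl-before.txt"
set "FAILED=%TEMP%\profile-acl-failed.txt"
set OK=0

if not exist "%PROFILE_ROOT%\" (
    echo Profile root "%PROFILE_ROOT%" not found.
    exit /b 1
)

rem Start with empty logs so a rerun does not mix old and new results.
type nul > "%BEFORE%"
type nul > "%FAILED%"

rem One pass per profile folder directly under the root.
for /d %%D in ("%PROFILE_ROOT%\*") do call :fix "%%D"

echo %OK% folder(s) now list Administrators.
echo ACLs as they were: %BEFORE%
echo Folders to check by hand: %FAILED%
exit /b 0

:fix
rem 1. Record the ACL as it is now, so the change can be reviewed or undone.
>> "%BEFORE%" echo === %~1
cacls "%~1" >> "%BEFORE%" 2>&1

rem 2. /E edits the ACL instead of replacing it, so the user's own entry
rem    and the folder owner stay as they are. /T applies the grant to the
rem    whole tree, /C carries on past files that return access denied.
cacls "%~1" /E /T /C /G Administrators:F >nul 2>&1

rem 3. Verify by reading the ACL back rather than trusting the exit code.
cacls "%~1" 2>nul | findstr /i /c:"Administrators:" >nul
if errorlevel 1 (
    >> "%FAILED%" echo %~1
) else (
    set /a OK+=1
)
goto :eof
```

Running it against a single test profile folder first, and comparing the "before" log with a fresh `cacls` listing, confirms that only the Administrators entry was added.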


  • joeqwerty
    replied
    Re: Getting administrative rights on roaming profiles folder

    Well, if that's the case then I can only think of one thing: add the administrator and the Everyone group or the Authenticated Users group to the parent folder, grant the administrator ownership of the parent folder and have it propagate to the child folders. This will give you access to the folders and will allow your users to access the folders via the Everyone or Authenticated Users groups. Are you hiding the parent share with the $? If so, then nobody can browse the network and see the share so this should not present any security issue. You can then add each user to each profile and remove the Everyone or Authenticated Users group from the permissions. It's not the best solution but it will work. It's going to take a lot of time on your part, but when permissions get goofed up it often takes a lot of time and work to get them straightened out.



  • torcar
    replied
    Re: Getting administrative rights on roaming profiles folder

    No, unfortunately only the users have access permissions on the folders. I can see the folders, but not open them.

    -Petter



  • graycat
    replied
    Re: Getting administrative rights on roaming profiles folder

    Does the SYSTEM account have admin rights to the users' folders? If so, you can use this to grant the admin group the required permissions without changing the ownerships of the folders.



  • torcar
    replied
    Re: Getting administrative rights on roaming profiles folder

    I have tried this, but the problem is that the "user-folders" are owned by the user him/herself, and to be able to change the permissions on the folders I need to take ownership of them...

    It would not be a problem to take ownership of all the folders I think, but for the user to be able to login afterwards, I have to give ownership back to the user again... and that is a bigger problem as we're speaking of a few hundred users.

    Or am I missing something?

    Tnx

    Greetings from
    Petter



  • joeqwerty
    replied
    Re: Getting administrative rights on roaming profiles folder

    Go to the root folder for the profiles, bring up the properties, go to the security tab, add an administrator account and give it full permissions, click ok to close out of all the windows. This should add the administrator account to all the profile folders with full permissions. As long as the child folders are configured to inherit permissions from the parent folder this will be the easiest and fastest way.

