Announcement

Collapse
No announcement yet.

Profiles folder permissions

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • Profiles folder permissions

    Hello everyone,

    Just wondering about the recommended permissions for the users profile folder, I usually let the share permissions open, and assign full control to the admins group and modify to each specific user.

    how about you ?

  • #2
    Re: Profiles folder permissions

    I would assign "Everyone: Full Control" on the Share, and the following NTFS permissions on each profile folder:

    Administrators (from local machine) : Full Control
    <user name> : Change (everything except full control ticked)

    On the folder where all the profiles reside, I would assign Administrators: full control. Any other permissions depend how their user accounts are configured - is it like this:

    Profile: \\server\profiles$\<user name>

    or is it like this:

    Profile: \\server\<username$>

    If it's the former, then add "Authenticated users: List Folder Contents" to the "Profiles" folder.

    If it's the latter, don't add any more permissions to the "Profiles" folder.


    Tom
    For my own and your protection, I do not provide support by private message under any circumstances. All such messages will be deleted and ignored.

    Anything you say will be misquoted and used against you

    Comment


    • #3
      Re: Profiles folder permissions

      Originally posted by Stonelaughter View Post
      Profile: \\server\profiles$\<user name>

      or is it like this:

      Profile: \\server\<username$>

      If it's the former, then add "Authenticated users: List Folder Contents" to the "Profiles" folder.

      If it's the latter, don't add any more permissions to the "Profiles" folder.
      First of all thanks for the prompt reply Stonelaughter, but why base your permissions on the UNC path? just wondering.

      Comment


      • #4
        Re: Profiles folder permissions

        If you have the user's Profil set to "\\server\profile$\<username>, they need "List Folder Contents" on the "Profiles" folder (shared as profile$) so that they can see their profile folder within it.

        If you share each profile as <username$> then they need no access at all to the folder it's in - they only need share access to their own profile folder.


        Tom
        For my own and your protection, I do not provide support by private message under any circumstances. All such messages will be deleted and ignored.

        Anything you say will be misquoted and used against you

        Comment


        • #5
          Re: Profiles folder permissions

          Are we talking about roaming profiles?
          Also, it sounds like we're letting everybody have access to all the profiles... do you think that's a good idea???!!!
          Regards,
          Jeremy

          Network Consultant/Engineer
          Baltimore - Washington area and beyond
          www.gma-cpa.com

          Comment


          • #6
            Re: Profiles folder permissions

            I personally prefer the second method as it reduces the chances of a user gaining access to other user's profiles; however many administrators use the former method.


            Tom
            For my own and your protection, I do not provide support by private message under any circumstances. All such messages will be deleted and ignored.

            Anything you say will be misquoted and used against you

            Comment


            • #7
              Re: Profiles folder permissions

              Originally posted by JeremyW View Post
              Are we talking about roaming profiles?
              Also, it sounds like we're letting everybody have access to all the profiles... do you think that's a good idea???!!!
              I always ignore "Share" permissions by making them "Everyone: Full Control" because I limit access with good granularity using NTFS permissions. I personally think that share permissions are utterly useless.


              Tom
              For my own and your protection, I do not provide support by private message under any circumstances. All such messages will be deleted and ignored.

              Anything you say will be misquoted and used against you

              Comment


              • #8
                Re: Profiles folder permissions

                There is no need for list access to the parent folder (i.e. "Profiles") in the above example.

                Profiles are mapped directly so there is no need for directory browsing, hence your valid point on why changes permission based on a UNC.

                topper.
                * Shamelessly mentioning "Don't forget to add reputation!"

                Comment


                • #9
                  Re: Profiles folder permissions

                  Originally posted by Stonelaughter View Post
                  If you have the user's Profil set to "\\server\profile$\<username>, they need "List Folder Contents" on the "Profiles" folder (shared as profile$) so that they can see their profile folder within it.

                  If you share each profile as <username$> then they need no access at all to the folder it's in - they only need share access to their own profile folder.
                  Great stuff thanks

                  Comment


                  • #10
                    Re: Profiles folder permissions

                    Originally posted by topper View Post
                    There is no need for list access to the parent folder (i.e. "Profiles") in the above example.

                    Profiles are mapped directly so there is no need for directory browsing, hence your valid point on why changes permission based on a UNC.

                    topper.
                    Have you tested this? I was given the distinct impression that it is as I stated it...


                    Tom
                    For my own and your protection, I do not provide support by private message under any circumstances. All such messages will be deleted and ignored.

                    Anything you say will be misquoted and used against you

                    Comment


                    • #11
                      Re: Profiles folder permissions

                      Originally posted by space View Post
                      Great stuff thanks
                      NP mate


                      Tom
                      For my own and your protection, I do not provide support by private message under any circumstances. All such messages will be deleted and ignored.

                      Anything you say will be misquoted and used against you

                      Comment


                      • #12
                        Re: Profiles folder permissions

                        Aren't the users supposed to be owners of their specific profile's folder?

                        Sorin Solomon


                        In order to succeed, your desire for success should be greater than your fear of failure.
                        -

                        Comment


                        • #13
                          Re: Profiles folder permissions

                          Originally posted by Stonelaughter View Post
                          Administrators (from local machine) : Full Control
                          <user name> : Change (everything except full control ticked)
                          Ah, I was reading too quickly. I was thinking it said everyone instead of user name.

                          Space hasn't said it yet but I guess it's safe to assume we're talking about roaming profiles...
                          Have a read: http://technet2.microsoft.com/Window....mspx?mfr=true
                          Regards,
                          Jeremy

                          Network Consultant/Engineer
                          Baltimore - Washington area and beyond
                          www.gma-cpa.com

                          Comment


                          • #14
                            Re: Profiles folder permissions

                            Originally posted by JeremyW View Post
                            Ah, I was reading too quickly. I was thinking it said everyone instead of user name.

                            Space hasn't said it yet but I guess it's safe to assume we're talking about roaming profiles...
                            Have a read: http://technet2.microsoft.com/Window....mspx?mfr=true
                            Sorry JeremyW...yes we are talking about roaming profiles , and thanks for the link.

                            Comment

                            Working...
                            X