Announcement

Collapse
No announcement yet.

Windows 2003 Profile Permissions help needed

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • Windows 2003 Profile Permissions help needed

    Hi,

    I have a problem in the management of my domain if you could help in making a script.

    I have a folder named PROFILES and new profile folders for users are automatically created when we create a new user in the domain.

    I added the HELPDESK group to PROFILES parent folder and confugured the permissions to be inherited by all the profiles created in this PROFILES folder. The problem is that these permissions for helpdesk are not being inherited by the new profile folders but the administrators group is being inherited by all the new profiles which are automatically created for new users.

    So if we have any problems the members of HELPDESK group can't help these new users and they need to contact Domain Admins to solve the problems and the customers also get annoyed as the Domain admins are required to be contacted for solving the problems with profiles.

    I donot have this problem on any other permission set. Everyting else is working absolutely fine except his folder PROFILES. Due to certain security issues I only want to give the permission separately to these HELPDESK users without adding them to administrators group.

    NOW I want to make a script which runs with my admin credentials every night and should check the groups on the security tab for every profile folder in the PROFILES (parent folder) and if it doesn't find the group it should add it with full Control rights on the folder.

    I will be grateful for your help.

    Cisman

  • #2
    Re: Windows 2003 Profile Permissions help needed

    Hello cisman,

    Thank you for choosing this forum as a place to learn and help others. The issue that you are encountering right now is either Share or NTFS permissions or both. I suggest you to review the permissions for "Profiles" folder carefully. Pay close attention to the tartget where HelpDesk permissions applied (it can be ...this folder only, this folder and sub folder and files....).

    Let us know how it goes,

    Regards,

    P.S A reference for you at windowsitlibrary
    Teamwork

    Comment


    • #3
      Re: Windows 2003 Profile Permissions help needed

      Hi Azmantek,

      Thank you for the information provided. I understand the importance and delicacy involved in assigning the permissions to Folders and files in NTFS. I have been working with these things for around 4 years now.

      The problem is as:

      When the new Home Drive or Profile is created for the user user becomes the SOLE owner of them and all rest are implicitly denied access. Yes we can add Administrators with the help of group policy to the permission set etc.

      As my HELPDESK group is not a standard part of any of them and the business requirement is that this group should have access to the PROFILES for all users but SHOULD NOT be a part of Administrators group. This requirement is making me go crazy as already defined in my previous post that they DO NOT get the permission and as they are not the Administrators group members they can't even take the ownership. (In any case I am not in the favour of taking the ownerships as it some times corruptsthe profiles.)

      I tried using
      http://www.microsoft.com/downloads/d...DisplayLang=en and

      and Xcacls.exe cacls.exe etc but have yet not been able to succedd in adding the permissions to the newly created profiles.

      This is the reason I am asking for help in making this script which should run every night and add the permissions to the folders where it does not have it.

      Regards,
      Cisman

      Comment


      • #4
        Re: Windows 2003 Profile Permissions help needed

        Hello cisman,

        As you create the user, create profile dirs as well. With proper permission configuration, it should be fine. Don't put \\srv\%username%\ variable in profile option, put the username instead, and make appropriate folder.

        This should be the easiest method to accommodate your need.

        I run .xls to create accts and create profile dirs next to each dsadd command.

        Let us know how it goes bro.

        Regards,

        Ref: AddadmingrouptoRUP, and this (similar)
        Teamwork

        Comment

        Working...
        X