Re: Roaming Profiles (Admins must takeownership to look at)

• Previous message: Gerry Hickman: "Re: Roaming Profiles (Admins must takeownership to look at)"
• In reply to: Gerry Hickman: "Re: Roaming Profiles (Admins must takeownership to look at)"
• Next in thread: Gerry Hickman: "Re: Roaming Profiles (Admins must takeownership to look at)"
• Reply: Gerry Hickman: "Re: Roaming Profiles (Admins must takeownership to look at)"
• Messages sorted by: [ date ] [ thread ]

Date: Sat, 20 Nov 2004 06:29:08 -0800

For the most part I agree with you on this.

Ownership concern:
We'd like to eventually set quotas on the profiles and I'm 99% sure that it
works on ownership.

Other:
Unfortunately, the structure is already in place (not done right to begin
with). So we have to We've found that applying the "Add Administrator"
policy referenced earlier works well but only on newly created accounts. So,
we'll more than likely push that policy to workstations.
But we still need to hit the already existing folders and correct them.

If I were to push inheritance down from the root, that wipe out the existing
users permissions wouldn't it?

-Jim
"Gerry Hickman" wrote:

> Hi Wilder,
>
> > I guess that's the question. How do you set it up right. MS recommends
> > locked down to user and System and adding this policy if your admins need to
> > access the profile w/o having to take ownership.
>
> See below.
>
> > Overall I'd like to see the user have ownership and the admin have access.
> > But setting the NTFS perms at the parent level do not apply to the user
> > folders as far as I can tell.
>
> Maybe I'm misunderstanding, but who cares who has "ownership"? What
> exact difference does it make? The way it's set up on my network (and
> has been ever since NT4) is that users get "modify" permissions, SYSTEM
> gets full control, and Admins get full control. I've personally never
> taken any notice of who owns what.
>
> I have it set to inherit down, so any new user folder automatically gets
> Admins and SYSTEM access. I then merely script the user to have modify
> access too.
>
> I'm guessing the official Microsoft version of profile creation is based
> on the concept of user privacy such that Administrators are locked out
> of the user's settings? If this is the case, it's pretty absurd. Can you
> imagine the grief if the bosses profile is all messed up and you can't
> access it to sort it out? What if you need to edit their HKCU? What if
> the proflie server dies and you need to migrate them all at a moments
> notice? The idea of giving user full control is also pretty silly - what
> if they remove all ACLs from one of their settings folders burried six
> levels deep, how many hours are we supposed to waste trying to sort that
> out?
>
> --
> Gerry Hickman (London UK)
>

• Previous message: Gerry Hickman: "Re: Roaming Profiles (Admins must takeownership to look at)"
• In reply to: Gerry Hickman: "Re: Roaming Profiles (Admins must takeownership to look at)"
• Next in thread: Gerry Hickman: "Re: Roaming Profiles (Admins must takeownership to look at)"
• Reply: Gerry Hickman: "Re: Roaming Profiles (Admins must takeownership to look at)"
• Messages sorted by: [ date ] [ thread ]