Re: homefolders, profiles and user rights
- From: mtstream <mtstream@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Thu, 26 Oct 2006 08:40:02 -0700
"Additionally, since you're going to use roaming profiles, you really ought
to use folder redirection via group policy....at the very least, for My
Documents. You can define this in the same custom GPO you create & link at
the OU you create for all your users/computers."
When using roaming profiles, redirection of My Documents has just about
become a requirement, especially in smaller organizations that aren't real
strict about personal use of the computer.
Home Drives, however, are pretty much obsolete. If you redirect the My
Documents folder to the network you've essentially created a home directory
without the drive letter. By default Windows will want to save files to the
My Documents folder anyway. So why add the confusion of another drive
letter? Just redirect My Documents to your share and skip the drive letter
mapping.
If you need a resource to learn how to implement Lanwench's suggestions, get
"Group Policy, Profiles and IntelliMirror" by Jeremy Moskowitz.
"Lanwench [MVP - Exchange]" wrote:
Inline -.
In news:ehq3ol$n6n$1@xxxxxxxxxxxxxxxx,
spoofer <the_spoofer@xxxxxxxxxxx> typed:
Hmm, so I got some problems with user rights.
I want my users to use a roaming profile and a home folder located on
a fileserver.
Firstly, I'm just starting out with win2003. :roll:
I'm not sure what all the little tags/bracketed letters mean, but presuming
you're trying to do some kind of formatting - don't. Plain text is the way
to go.
[U]Plan of action[/U]
- create 2 folders on the server (homes and profiles)
- share these folders
- share permissions for these folders set to: [B]change[/B]
Nope. You need to set these both for EVERYONE=Full Control. Also, it's good
to make them both hidden shares. (\\server\profiles$ , \\server\home$ )
- NTFS permission: [B]nothing changed[/B]
Nothing changed from *what*, though?
The NTFS permissions on the parent folder for your home directories should
be:
Administrators: Full Control
System: Full Control
Authenticated Users: Full Control; this folder only (under advanced
tab)
Creator Owner: Full Control; Subfolders and files only (under advanced
tab)
When you create a new user, and specify \\server\home$\%username% - the
folder should be automatically created and the permissions set
appropriately.
- do the needed changes in the profile tab of the users profile, this
all works.
[U]The testing[/U]
I log on with a user, e.g. named IT1.
All goes well, a roaming profile is automatically created in profiles
and a homefolder in homes.
[U]The problem[/U]
Now when I look on the server.
First I want to check what IT1 has in his profile folder, so he
doesn't have things that are not allowed.
Such as ?
So I click on IT1 in
profiles. Access Denied. So I get this error, however I do have
[B]Full control NTFS permission on the profiles folder[/B]. The only
way I can see the content is by taking ownership, but then IT1 can't
log on anymore because I took the ownership. So that is
[B]problem1[/B].
This is normal.
See http://support.microsoft.com/kb/817009/ ....and
http://support.microsoft.com/default.aspx?scid=KB;EN-US;q268019&.
Since you're using W2003, you should implement the group policy setting to
automatically add the administrators group to roaming profile folders when
they're created.
http://technet2.microsoft.com/WindowsServer/en/library/9fa19668-626c-463e-9812-fa46e85c787b1033.mspx?mfr=true
I suggest you create a custom GPO - link it at the "parent" OU you create
for your company (with your manually created users and workstations OUs
underneath them).
For the existing profiles, you do need to take ownership (as the
Administrators group!) and then reset the NTFS permissions under them. They
should each be set up so that Administrators + System + username = Full
Control. Make sure the settings get pushed down through each user's profile
folder's subfolders - and that the users aren't logged in at the time.
[B]Problem2[/B] is something with the home folders.
When there are more users IT1, IT2, IT3...there seems to be a security
problem.
The problem is that IT2 can map the network home folder of IT1 and can
read/write stuff in there. This is probably an [B]NTFS
permission[/B], right ?
Yes - and this is addressed above.
I hope someone can help solving my problem.
Additionally, since you're going to use roaming profiles, you really ought
to use folder redirection via group policy....at the very least, for My
Documents. You can define this in the same custom GPO you create & link at
the OU you create for all your users/computers.
Regards
Hope this helps.
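One way to verify the home-folder permissions discussed in this thread, as an added example that is not part of the original posts: a PowerShell function that flags any Allow ACE on a user's home folder held by a trustee other than Administrators, SYSTEM, CREATOR OWNER or the user the folder is named after. The function name, the CONTOSO domain and the sample ACEs are assumptions constructed for illustration.

```powershell
# Added example, not from the thread. CONTOSO and the sample ACEs are constructed.
# Trustees expected on a per-user folder under \\server\home$ with the layout
# described above. Add further admin groups here if your site uses them.
$ExpectedTrustees = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM', 'CREATOR OWNER')

function Test-HomeFolderAce {
    param(
        [Parameter(Mandatory = $true)] [string]   $UserName,  # folder name = account name
        [Parameter(Mandatory = $true)] [object[]] $Aces       # shaped like (Get-Acl).Access
    )
    foreach ($ace in $Aces) {
        # Deny entries cannot expose the folder, so only Allow entries are checked.
        if ([string]$ace.AccessControlType -ne 'Allow') { continue }

        $trustee = [string]$ace.IdentityReference
        $account = ($trustee -split '\\')[-1]   # CONTOSO\IT1 -> IT1

        if ($ExpectedTrustees -contains $trustee) { continue }
        if ($account -eq $UserName) { continue }

        # Anything left is a trustee that should not reach this user's files.
        [pscustomobject]@{
            Folder    = $UserName
            Trustee   = $trustee
            Rights    = [string]$ace.FileSystemRights
            Inherited = [bool]$ace.IsInherited
        }
    }
}

# Constructed sample: IT1's folder when "Authenticated Users" on the parent was
# left inheritable instead of "this folder only", plus a stray explicit grant.
$sampleIt1 = @(
    [pscustomobject]@{ IdentityReference = 'BUILTIN\Administrators';           AccessControlType = 'Allow'; FileSystemRights = 'FullControl'; IsInherited = $true }
    [pscustomobject]@{ IdentityReference = 'NT AUTHORITY\SYSTEM';              AccessControlType = 'Allow'; FileSystemRights = 'FullControl'; IsInherited = $true }
    [pscustomobject]@{ IdentityReference = 'CONTOSO\IT1';                      AccessControlType = 'Allow'; FileSystemRights = 'FullControl'; IsInherited = $false }
    [pscustomobject]@{ IdentityReference = 'NT AUTHORITY\Authenticated Users'; AccessControlType = 'Allow'; FileSystemRights = 'FullControl'; IsInherited = $true }
    [pscustomobject]@{ IdentityReference = 'CONTOSO\IT2';                      AccessControlType = 'Allow'; FileSystemRights = 'Modify';      IsInherited = $false }
)

Test-HomeFolderAce -UserName 'IT1' -Aces $sampleIt1 | Format-Table -AutoSize

# Against the live share, run as a member of Administrators:
# Get-ChildItem -Directory '\\server\home$' | ForEach-Object {
#     Test-HomeFolderAce -UserName $_.Name -Aces (Get-Acl -LiteralPath $_.FullName).Access
# }
```

A row with Inherited set to True points at the parent folder's ACL scope as the cause; a row with Inherited set to False is an explicit grant on that user's folder.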