Re: Help with Owner of a romaing profile folder
- From: "North Coast Sea Foods" <jleonard@xxxxxxxxxxxxxxxxxxxxxx>
- Date: Tue, 28 Aug 2007 15:40:28 -0400
Everyone - thanks for the help.
I have solved my problem.
"North Coast Sea Foods" <jleonard@xxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:e3RVbAY6HHA.2380@xxxxxxxxxxxxxxxxxxxxxxx
Lanwench
I appreciate your response.
I have a logon BAT that maps a shared folder - that is the folder I am
trying to control.
This folder was setup with Domain Admin ownership, seems when I take the
users out of the Admin group, they loose their roaming profile?
I do not know how the maped drive/folder (with Domain Admin Owner) is
changing things, but it is?? I was asking if I should set up the users in
their own group and give them Full Permissions. Would this eliminate the
roaming profile problem?
Again, I do not see how the roaming profile is even entering into the
problem>
thx
"Lanwench [MVP - Exchange]"
<lanwench@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx> wrote in
message news:eLjY1go5HHA.5184@xxxxxxxxxxxxxxxxxxxxxxx
John D. Leonard -- Sage <sage.grp@xxxxxxxxxxx> wrote:
Sorry meant to say Profiles not Home
I'm a bit confused. You don't usually map a drive to your profiles share,
and users shouldn't be "working" in it at all. You need to use folder
redirection, for My Documents at the very least - you can use the home
directories for that. You can also redirect Application Data and Desktop
(I'd avoid redirecting the start menu, for performance reasons and so
forth). The profile folders should be in a hidden share, and
Administrators + the System account + %username% would need full control.
Users shouldn't be accessing the profile folders directly at all.
I'm posting my boilerplate on roaming profiles below. Hope this helps.
1. Set up a share on the server. For example - d:\profiles, shared as
profiles$ to make it hidden from browsing. Make sure this share is not
set to allow offline files/caching!
2. Make sure the share permissions on profiles$ indicate everyone=full
control. Set the NTFS security to administrators, system, and users=full
control.
3. In the users' ADUC properties, specify \\server\profiles$\%username%
in
the profiles field
4. Have each user log into the domain once from their usual workstation
(where their existing profile lives) and log out. The profile is now
roaming.
5. If you want the administrators group to automatically have permissions
to the profiles folders, you'll need to make the appropriate change in
group policy. Look in computer configuration/administrative
templates/system/user profiles - there's an option to add administrators
group to the roaming profiles permissions.
Notes:
* Make sure users understand that they should never log into multiple
computers at the same time when they have roaming profiles (unless you
make
the profiles mandatory by renaming ntuser.dat to ntuser.man so they can't
change them). Explain that the
last one out
wins, when it comes to uploading the final, changed copy of the profile.
* Keep your profiles TINY. Redirect My Documents at the very least;
usually best done to the user's home directory on the server - either via
group policy (folder redirection) or manually (far less advisable). If
you
aren't going to also redirect the desktop using policies, tell users that
they are not to store any files on the desktop or you will beat them with
a
stick. Big profile=slow login/logout, and possible profile corruption.
* Note that user profiles are not compatible between different OS
versions,
even between W2k/XP. Keep all your computers. Keep your workstations as
identical as possible - meaning, OS version is the same, SP level is the
same, app load is (as much as possible) the same.
* Do not let people store any data locally - all data belongs on the
server.
* The User Profile Hive Cleanup Utility should be running on all your
computers. You can download it here:
http://www.microsoft.com/downloads/details.aspx?familyid=1B286E6D-8912-4E18-B570-42470E2F3582&displaylang=en
John,
Its hard to be sure exactly what you mean.
The Profiles folder (say, \profiles$) should allow users full
control. This allows the profile creation process, running in the
user context, to create a profile and then set the correct
permissions on it, which are exclusive control of the profile. This
way, no-one else can get into another persons profile.
An administrator (only) can take ownership of an individual profile,
but this breaks the profile.
So if you have those permissions you don't need to do anything, and
you might want to explain more what you are trying to achieve,
Hope that helps,
Anthony,
http://www.airdesk.com
"John D. Leonard -- Sage" <sage.grp@xxxxxxxxxxx> wrote in message
news:OavU8fl5HHA.2380@xxxxxxxxxxxxxxxxxxxxxxx
I have serveral users, with roaming profiles, that use the same
folder as Domain Admininstartors.
Now I want to take the administrator privledge away from them and
still let
them use the same folder.
How do I set all users as "Owners" of the folder?
Would I set up another Group (non-administrator group) and add the
users to
that?
thx
--
John D. Leonard -- Sage
.
- Follow-Ups:
- Re: Help with Owner of a romaing profile folder
- From: Lanwench [MVP - Exchange]
- Re: Help with Owner of a romaing profile folder
- References:
- Help with Owner of a romaing profile folder
- From: John D. Leonard -- Sage
- Re: Help with Owner of a romaing profile folder
- From: Anthony
- Re: Help with Owner of a romaing profile folder
- From: John D. Leonard -- Sage
- Re: Help with Owner of a romaing profile folder
- From: Lanwench [MVP - Exchange]
- Re: Help with Owner of a romaing profile folder
- From: North Coast Sea Foods
- Help with Owner of a romaing profile folder
- Prev by Date: Security Policy / Auditing / Event Logs - Please Help!
- Next by Date: Re: Print Drivers frequently updating
- Previous by thread: Re: Help with Owner of a romaing profile folder
- Next by thread: Re: Help with Owner of a romaing profile folder
- Index(es):
Relevant Pages
|
