Clicky

Hello everyone.

I am currently testing the use of roaming profiles in our company and I am having some problems with the permissions which allows the users to see another uses profile.

My scenario:

Created a "PROFILES" folder on the root of our storage device and shared as "PROFILES$."
Created 3 test accounts in AD (server 2003) in their own "TEST" OU.
Created a global security group called "Roaming Profiles" which the 3 users are members as well as domain admins group.
PROFILES$ share permissions are set to 'everyone' Change & Read
PROFILES$ NTFS 'everyone' read&execute, list folder contents, read.  The 'Roaming Profiles' group has Full Control.  Both apply to This folder, subfolders and files.
Enabled the GPO "Add the Administrators security group to roaming user profiles" under COMPUTER-POLICIES-ADMINISTRATIVE TEMPLATES-SYSTEM-USER PROFILES.  Assigned and enabled on the "TEST" OU.
Logged on/off as each user to create their roaming user profile folder.
When I browse \\server\PROFILES$\ from any of the logged on test accounts I can browse any of the other 2 available test accounts.
The system created test user profile folder for each user has the following security permissions:
test user - full control
server\administrators - full control
system - full control
The NTFS persmissions show the same three accounts and apply to This folder, subfolders and files.

NTFS permissions always throw me for a loop, but I would figure that server would be smart enough to lock down the profile folders unless I configured PROFILES$ share incorrectly and inheritence is messing everything up.

Thanks for the help.

asked 08/04/2011 11:53

itbamiami's gravatar image

itbamiami ♦♦


9 Answers:
thanks dariusq, I followed the steps from oregontechsupport which seems great and straight to the point yet I have no luck.

The users can see the other users folders.  What confuses me is that the users folders have the following NTFS permissions:

user account: FULL
server\administrators: FULL
SYSTEM: FULL
All have apply to: this folder, subfolders and files

It's not inheriting any permission and I have not checked the replace permission entires on all child objects...

the owner is server\administrator

and if i check effective permissions with any other AD account all effective  permissions are checked on.

NOTE that these are the default permissions that the server assigns the folders when they are created.
I am at a loss.
link
itbamiami's gravatar image

itbamiami

So, you should be able to go through the process of creating primary folder then when you create profiles the permissions are created automatically.
link
dariusg's gravatar image

dariusg

The owner should be the "CREATOR OWNER", like \\server\share\%username%, where %username% becomes the owner.

Are you sure you unticked the "Allow inheritable permissions to propagate to this object" on the Profile folder?

Here is another good link:
http://blogs.technet.com/b/askds/archive/2008/06/30/automatic-creation-of-user-folders-for-home-roaming-profile-and-redirected-folders.aspx
link
snusgubben's gravatar image

snusgubben

@snusqubben, havent checked your advice yet but I did find out the following.

I removed the GPO that I created which is listed on my question and the users were not able to see the other users folders.  Neither can the Administrator or Domain Admins account.  

This is from the description of the GPO:

Note: In the default case, administrators have no file access to the user's profile, but they may still take ownership of this folder to grant themselves file permissions.

So for the Administrator on the server to look at the files I had to take ownership of it.

This makes no sense for two reasons:
1 - why would MS not automatically give the administrator accounts access to these folders?
&
2 - these accounts or members of the Domain Users account, why would enabling the GPO allow domain user accounts to see other folders if the GPO simply adds Administrator permissions?

so for now, disabling that GPO fixes my headaches.
link
itbamiami's gravatar image

itbamiami

Administrators do not have Ownership rights over a roaming profile or redirections this is a common practice
link
dariusg's gravatar image

dariusg

dariusq, thanks for clarifying, YET why if I enable the GPO "Add the Administrators security group to roaming user profiles" why does it give users the ability of seeing other user folders.

My other thought now is that they user local admins of the machines, this is needed because of a software requirement.  but that is local admin, not a domain admin.  I am out of the office but I'll try changing their local rights with the gpo enabled and see what happens.

thanks everyone.
link
itbamiami's gravatar image

itbamiami

Well if local admin rights they should not see the other user's folders.

Some where there is a permission issue
link
dariusg's gravatar image

dariusg

Sounds like the server\admins is causing the problems.  If the user is part of the local admin group then they will have access.

Here is a link that should give you step by step instructions.  I believe I usually use everyone=full control on the share for the folder redirections and profiles.  My domain users are not local admins either.

By default the profiles folder should be restricted to only the user.  You did go into ADUC and set the roaming profiles on the account tab to something similar right?  \\server\profiles$\%username%

Kevin
link
kshays's gravatar image

kshays

Your answer
[hide preview]

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Tags:

×8
×2
×2
×30
×5

Asked: 08/04/2011 11:53

Seen: 1146 times

Last updated: 10/20/2011 02:00