
Profile permissions


f825_633
Dec 19, 2009, 6:05:46 AM
We've had finger trouble. Our administrator left the company
a short while ago and someone has since been on the server
and altered the permissions on the profile directories such
that every user now logging off gets the 'ACCESS DENIED'
message upon log off. GRrrr..

The question is, what should they be put back to?

The profile directory is S:\RProfile; this is shared as
RProfile. Under the security tab:
administrators full control, authenticated users read,
backup operators full control, creator owner nothing, system
full control

In the advanced tab:
allow administrators full control, not inherited, this
folder only.
allow creator owner full control, not inherited, subfolders
and files only.
allow system full control, not inherited, this folder only.
allow administrators full control, not inherited, this
folder, subfolder and files only.
allow authenticated users full control, not inherited, this
folder, subfolder and files only.
allow backup operators full control, not inherited, this
folder, subfolder and files only.

Under the share permissions: Authenticated users read,
creator owner full control, everyone read


Ke...@_yahoo.com
Dec 19, 2009, 6:17:19 AM
Do Domain users have access rights?


Meinolf Weber [MVP-DS]
Dec 19, 2009, 6:26:51 AM
Hello Kenny@_Yahoo.com,

Creator owner, if configured correctly, will grant domain users the permissions
when the account is created in AD with the correct folder path in the user
account properties.

So there is no need to add domain users in the security permissions.

To f825_633,
Create a new share for testing the following permissions:

Share permissions, everyone, Full control.

Folder permissions:
Administrators, FC
System, FC
Creator owner, special
Backup operators (if really needed), FC

Advanced permissions:
Administrators, FC, this folder, subfolders and files
System, FC, this folder, subfolders and files
Creator owner, FC, subfolders and files
Backup operators (if really needed), FC, this folder, subfolders and files


Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm

f825_633
Dec 19, 2009, 6:52:45 AM
Meinolf Weber [MVP-DS] wrote:

>
> To f825_633,
> Create a new share for testing the following permissions:
>
> Share permissions, everyone, Full control.
>

Doesn't this negate all other permissions ?

Meinolf Weber [MVP-DS]
Dec 19, 2009, 7:08:41 AM
Hello f825_633,

As said before, create a test share and see what's going on. Of course, setting
permissions on a higher level will be inherited by deeper-level folders if
inheritance is enabled.

In your situation I would start with the share permissions only and set
them to everyone FC, because Authenticated users read, creator owner full
control, everyone read will win, doesn't matter what's configured as NTFS
permissions.

Best regards

Meinolf Weber

f825_633
Dec 19, 2009, 7:59:42 AM
OK, have done that and I have two machines behind me logged
in as non-administrative users who can both see the new
share, create a folder and save a file; they can, as expected,
see each other's folders and save files in each other's
folders and delete each other's files.

Ace Fekay [MCT]
Dec 19, 2009, 10:09:23 AM
"f825_633" <f825_633}NOSPAM{@ntlworld.com> wrote in message
news:274Xm.44503$ox2....@newsfe05.ams2...

There are a couple of ways to do this. If this is for Roaming Profiles
(which I suggest getting away from and using Folder Redirection), you can set
it up as follows, which only allows the user and the domain admin FC into
the folder, no one else.

Keep in mind, the user MUST have Full Control on both the Share and the
Security (NTFS) permissions. Otherwise, Roaming Profiles will not work. This
is also required for Folder Redirection.

Roaming Profiles Folder Permissions:

Method 1:
Each individual folder is shared out with a hidden share name specifically
for each user, and the Profiles path is set to this folder in the user's AD
account properties.

1. Create a root folder called Profiles. Share it out as Profiles$, and set
the Share permissions to the following so only the domain admin can see the
parent share:
If it exists, Remove the Everyone Group
Domain Admins=FC
System=FC

2. Create child folders, one for each user. The Share permissions for the
user must be set to Full Control, or it won't work. For example, for a user
named Bill, create a folder called "Bill", then share it out as Bill$, and
set the share permissions to:
If it exists, Remove the Everyone Group
If it exists, Remove Domain Users group
Domain Admins=FC
System=FC
Bill=FC

3. Set the Profile path in the user's account properties to
\\servername\%username%$


Method 2:
The parent folder is shared out with a hidden share name, however the users'
folders are not. But you still have to set the permissions correctly for
each individual user so only that user has Full Control access to their
folder, and no one else.

1. Create a root folder called Profiles. Share it out as Profiles$, and set
the Share permissions to the following so only the domain admin can see the
parent share:
Domain Admins=FC
System=FC
Authenticated Users = FC
If it exists, Remove the Everyone Group

2. Create child folders, one for each user. The Share permissions for the
user must be set to Full Control, or it won't work. In this scenario, you
set the user to Full Control, and remove anything referencing other users
(other than the domain admin). Instead of the above method where the system
accesses the folder directly with a hidden share, this method accesses the
folder through the parent share to the user's subfolder. For example, for a
user named Bill, create a folder called "Bill", do not share it, but set the
share permissions to:
If it exists, Remove Everyone
If it exists, Remove Domain Users
Domain Admins=FC
System=FC
Bill=FC.

3. Set the Profile path in the user's account properties to
\\servername\profiles$\%username%


If you want to go to Folder Redirection, which works nicely and is actually
more efficient, since the GPO has the option to set 'Offline Files' (which
caches it locally and minimizes LAN and WAN traffic), please read my blog on
it in the following link:

Folder Redirection
http://msmvps.com/blogs/acefekay/archive/2009/09/08/folder-redirection.aspx


--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Please reply back to the newsgroup or forum for collaboration benefit among
responding engineers, and to help others benefit from your resolution.

Ace Fekay, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA
2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer

For urgent issues, please contact Microsoft PSS directly. Please check
http://support.microsoft.com for regional support phone numbers.


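The following is an added example, not code from the thread or from either of the posters above. It scripts the "Method 2" layout (hidden Profiles$ share, per-user folders with only the user, Domain Admins and SYSTEM) together with the CREATOR OWNER root layout suggested in the test-share post earlier, so that the whole tree can be rebuilt and checked in one go instead of folder by folder in the GUI. The domain name LIGHTNING, the root D:\Profiles, and the user list are assumptions; the only tools used are net.exe and icacls.exe, which were available on the server versions in use when this was written.

```powershell
# Added example (not code from the thread). Rebuilds a Method 2 roaming-profile share:
# hidden parent share, CREATOR OWNER on the root, and a locked-down per-user folder.
# Assumptions: domain LIGHTNING, root D:\Profiles shared as Profiles$, sample user list.
# Run elevated on the file server.
$Domain    = 'LIGHTNING'
$Root      = 'D:\Profiles'
$ShareName = 'Profiles$'
$Users     = @('mike', 'bill')      # constructed sample list; in practice feed it from AD

# 1. Parent folder and hidden share. Share permissions as in Method 2:
#    Domain Admins, SYSTEM and Authenticated Users = Full; no Everyone entry at all.
if (-not (Test-Path $Root)) { New-Item -ItemType Directory -Path $Root | Out-Null }
& net.exe share "$ShareName=$Root" `
    "/GRANT:$Domain\Domain Admins,FULL" `
    '/GRANT:SYSTEM,FULL' `
    '/GRANT:Authenticated Users,FULL' | Out-Null

# 2. NTFS on the root: Administrators and SYSTEM on this folder, subfolders and files;
#    CREATOR OWNER Full on subfolders and files only (IO); Authenticated Users may only
#    list the root (RD) and create a folder in it (AD), which CREATOR OWNER then hands
#    to whoever created it. /inheritance:r drops anything inherited from the volume root.
icacls $Root /inheritance:r `
    /grant 'BUILTIN\Administrators:(OI)(CI)F' `
           'NT AUTHORITY\SYSTEM:(OI)(CI)F' `
           'CREATOR OWNER:(OI)(CI)(IO)F' `
           'NT AUTHORITY\Authenticated Users:(RD,AD)' | Out-Null

# 3. Each user's folder: reset whatever was propagated into it, stop inheritance, then
#    grant only the user, Domain Admins and SYSTEM (Method 2 child-folder permissions).
#    The user must also OWN the folder, or the profile service refuses to load it unless
#    the "Do not check for user ownership of Roaming Profile Folders" policy is enabled.
foreach ($u in $Users) {
    $dir = Join-Path $Root $u
    if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }
    icacls $dir /reset /T /C | Out-Null
    icacls $dir /inheritance:r `
        /grant "$Domain\Domain Admins:(OI)(CI)F" `
               'NT AUTHORITY\SYSTEM:(OI)(CI)F' `
               "$Domain\${u}:(OI)(CI)F" | Out-Null
    icacls $dir /setowner "$Domain\$u" /T /C | Out-Null
}

# 4. Verify: the user owns the folder and holds Full Control, and nobody else appears
#    except Domain Admins and SYSTEM. Returns the problems found, or nothing if clean.
function Test-ProfileFolderAcl {
    param([string]$Path, [string]$User)
    $acl      = Get-Acl -Path $Path
    $allowed  = @("$Domain\Domain Admins", 'NT AUTHORITY\SYSTEM', "$Domain\$User")
    $problems = @()
    if ($acl.Owner -ne "$Domain\$User") { $problems += "owner is $($acl.Owner)" }
    foreach ($ace in $acl.Access) {
        if ($allowed -notcontains $ace.IdentityReference.Value) {
            $problems += "unexpected ACE for $($ace.IdentityReference.Value)"
        }
    }
    $mine = $acl.Access | Where-Object { $_.IdentityReference.Value -eq "$Domain\$User" }
    if (-not $mine -or $mine.FileSystemRights -ne 'FullControl') {
        $problems += "$User lacks Full Control"
    }
    $problems
}

foreach ($u in $Users) {
    $result = Test-ProfileFolderAcl -Path (Join-Path $Root $u) -User $u
    if ($result) { "$u : " + ($result -join '; ') } else { "$u : OK" }
}
```

The `/reset /T` on each user folder is what undoes a bad propagation from the parent: it puts every child back to inherited-only, so the explicit ACEs set in the next line are the only ones that matter. Run the verification function on its own against \\server\Profiles$\user as well as the local path; with a DFS namespace in front, as in the later posts in this thread, the path the clients actually use is the one worth checking.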

f825_633
Dec 19, 2009, 1:29:18 PM

Ace Fekay [MCT] wrote:

I think this is the method that was employed, but I've
discovered this afternoon that there is another server on
the system at the other end of the site and it seems that
the profiles are somehow using DFS

the two servers are called alpha and beta (how original :) )

the domain is called lightning

in active directory in the profile section for each user
there is an entry that says \\lightning\profile$\$username%

if I browse to \\alpha\profile$ or \\beta\profile$ I can see
what looks like a duplicate set of folders one for each
user, I checked the owner permission and it lists -
administrator, file folder, 19/12/2009 16:43,
LIGHTNING\Administrator

the format with variances for date are the same for every
user, both \\alpha\profile$ & \\beta\profile$ look identical
at this point.

looking at \\lightning\profile$ which I assume is the
distributed share name? this looks the same with regard to
the owner of each directory, but if I browse to my own
directory 'mike' in my case from the machine I'm logged
into I see all my subdirectories and files etc, but I am
unable to create a folder or open a file, seems I don't have
permission to write to this directory...(The user mike is
not an administrator) however....
if I enter via \\alpha\profile$\mike or \\beta\profile$\mike
I can create a folder, edit/save a file whatever, I think
I've worked out there must be different permissions set on
the entry point via \\lightning\profile$\mike than there is
via either of the other routes. ? Possible? or am I missing
the point.

Ace Fekay [MCT]
Dec 19, 2009, 7:51:27 PM
"f825_633" <f825_633}NOSPAM{@ntlworld.com> wrote in message
news:5Y8Xm.46066$ox2....@newsfe05.ams2...

Being set up as Method 2, as you've indicated, it appears that someone went
to the parent folder and altered the permissions and set it to propagate to
all child folders. So the way I see it at this point, to fix it, you have to
go to each individual folder and reset them. If you reset them based on my
suggestions in Method 2, you should be ok. Find out who changed it and ask
why. If you don't know who it is, I can recommend setting up auditing on that
parent folder.

Ace

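As an added example (not from the thread), here is what "set up auditing on the parent folder" looks like when scripted: enable the File System object-access subcategory, put a SACL entry on the profile root that is inherited by every child and fires on permission or ownership changes, and then pull the matching Security-log events. The root D:\Profiles is an assumption; auditpol, Get-Acl -Audit and Get-WinEvent are standard on Vista/2008 and later.

```powershell
# Added example (not from the thread). Records who changes permissions or ownership
# anywhere under the profile root. Assumes root D:\Profiles; run elevated (setting a
# SACL needs SeSecurityPrivilege, which Administrators hold).
$Root = 'D:\Profiles'

# 1. Turn on object-access auditing for the file system, both outcomes, so failed
#    attempts by under-privileged accounts show up as well as the successful change.
auditpol /set /subcategory:"File System" /success:enable /failure:enable | Out-Null

# 2. SACL entry: WRITE_DAC (ChangePermissions) and WRITE_OWNER (TakeOwnership) by
#    anyone, on this folder, subfolders and files.
$acl  = Get-Acl -Path $Root -Audit
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
            'Everyone',
            [System.Security.AccessControl.FileSystemRights]'ChangePermissions, TakeOwnership',
            [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
            [System.Security.AccessControl.PropagationFlags]::None,
            [System.Security.AccessControl.AuditFlags]'Success, Failure')
$acl.AddAuditRule($rule)
Set-Acl -Path $Root -AclObject $acl

# 3. Later: who touched the ACLs? 4670 = permissions on an object were changed,
#    4663 = an attempt was made to access an object (covers WRITE_OWNER). The event
#    message carries Subject and Object Name, so filter on the path to drop noise.
function Get-ProfileAclChanges {
    param([string]$PathPrefix = $Root, [int]$Max = 200)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4670, 4663 } `
                 -MaxEvents $Max -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match [regex]::Escape($PathPrefix) } |
        Select-Object TimeCreated, Id,
            @{ n = 'Summary'; e = { (($_.Message -split "`n")[0..8] -join ' ') -replace '\s+', ' ' } }
}

Get-ProfileAclChanges | Format-Table -AutoSize -Wrap
```

Auditing WRITE_DAC and WRITE_OWNER only, rather than all access, keeps the Security log usable: normal profile loads and saves generate no events, so anything that does appear is an ACL or ownership change and names the account that made it.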

Phillip Windell
Dec 21, 2009, 10:04:24 AM
It is hard to follow where you guys are going with this... but are you aware
that you can reset the NTFS permissions on both the filesystem and the
registry using the "Security Configuration and Analysis" MMC?

1. Open a new blank MMC
2. Add the "Security Configuration and Analysis" to the MMC
3. Right-Click on the root and choose "Open Database"
4. Just make up a new name,...like "Temp"
5. Import the Template "setup security.inf" which should be a template for
normal original install or maybe "securews.inf" which should be a
Workstation template.
6. Right-Click on the root again and choose "Configure Computer now...."

I have fixed "profile issues" many times with this.

--
Phillip Windell

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------

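The same reset can be driven from the command line with secedit, which is the engine behind that MMC snap-in; this is an added example, not part of the post above. The template path assumes a Windows Server 2003-era machine (on 2008 and later the equivalent baseline is %windir%\inf\defltbase.inf), and the database and log names are made up. One caveat worth knowing before running it: these templates only describe Windows' own system directories and registry keys, so they restore the operating system's defaults but do nothing for a custom data share such as S:\RProfile, whose ACLs still have to be set directly.

```powershell
# Added example (not from the thread): the MMC steps above driven by secedit.exe, so the
# reset is logged and repeatable. Assumes a 2003-era template path; adjust on 2008+.
$Template = Join-Path $env:windir 'security\templates\setup security.inf'
$Db       = Join-Path $env:TEMP 'reset-defaults.sdb'     # made-up name, as in step 4
$Log      = Join-Path $env:TEMP 'reset-defaults.log'

# Dry run first: compare the live machine with the template and read the mismatches
# before changing anything.
secedit /analyze /db $Db /cfg $Template /log $Log /quiet
Select-String -Path $Log -Pattern 'Mismatch' | Select-Object -First 40

# Apply only the file-system and registry ACL sections (what steps 5 and 6 above are
# after). Leaving out the other areas keeps account policy and user rights untouched,
# which the full template would otherwise also reset.
secedit /configure /db $Db /cfg $Template /areas FILESTORE REGKEYS /overwrite /log $Log /quiet
```

Reading the analysis log first matters on a server that has been hand-tuned: every mismatch listed is something the configure step will overwrite, and the system-directory ACLs are exactly the kind of setting a departed administrator may have changed on purpose.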

Ace Fekay [MCT]
Dec 21, 2009, 7:44:37 PM
"Phillip Windell" <philw...@hotmail.com> wrote in message
news:Ob6KW8kg...@TK2MSFTNGP04.phx.gbl...


Good point about the Sec & Analysis template to fix it. :-)

Ace

