Roaming Profile - Add Administrators rights to profile folder without taking ownership


  • Wednesday, May 20, 2009 7:36 AM
     
     
    Hi
    Is there any utility to apply 'Administrators' rights to a user's roaming profile folder on a Win2K3 server share without taking ownership and without affecting the user's existing permissions? I've already enabled the group policy (Add the Administrators security group to roaming user profiles) for the same, which is applicable only for newly created IDs. Any help will be highly appreciated.
    Brgds
    Shanavas

All Replies

  • Friday, May 22, 2009 8:07 AM
     
     Answered

    Hello Shanavas,

     

    No. There is no such utility to apply "Administrators" rights to a user's roaming profile shared folder without taking ownership on a Windows Server 2003 computer.

     

    Based on the research, when a roaming profile is written for the first time, only the user and the System account have full control permissions on the created folder (\\Server\Profile\Username) that contains the roaming profile on the server.

     

    Therefore, by default administrators do not have control of the user’s roaming profile.

     

    To work around this behavior, you may consider creating the user profile folder with the Administrators full control permissions ahead of time, before the user uploads their roaming profile into the shared folder on the server.

     

    If we want to apply "Administrators" rights to the users' roaming folders after they have been initialized by the users, we may have to take ownership of the roaming folder as administrator, and then grant the "Administrators" right on the roaming profile folder.

     

    Take ownership of folder

     

    Takeown /f <path to shared folder> /a

     

    Grant a folder with Administrator full control permission

     

    icacls <path to shared folder> /grant "domainname\Administrators:(F)"

     

    For more information, please refer to:

     

    To work around this behavior, create the user profile folder ahead of time with the Roaming Profile Folders Do Not Allow Administrative Access

    http://support.microsoft.com/kb/222043

     

    Hope it helps.


    This posting is provided "AS IS" with no warranties, and confers no rights.
    • Proposed As Answer by David Shen Friday, May 22, 2009 8:10 AM
    • Marked As Answer by David Shen Friday, May 22, 2009 2:28 PM
  • Friday, May 22, 2009 7:36 PM
     
     

    Hi David,

    Thanks a lot for the reply.
    I've noticed that taking ownership of the profile folder removes the user permission on the folder. So I had to re-apply the user permission. But by doing this, most often the user gets a profile error while logging in. I've been doing this from Explorer. Does it mean that by using the 'Takeown' and 'icacls' commands, we shouldn't face this issue?
    Also, is it OK to enable the group policy (Add the Administrators security group to roaming user profiles) in a Windows 2003 environment?

    Thanks & Regards
    Shanavas

  • Tuesday, April 05, 2011 4:27 PM
     
     

    I actually worked out a way to fix this today without taking ownership of the folder. I too forgot to change the GPO BEFORE creating profiles. Anyway, here's how you can do it without breaking your profiles.

    1. Log on to a machine as the problem user/s

    2. Browse to your network share with the users' folders, usually \\***YOURSERVER***\Profiles$\

    3. Right click on your user's profile folder, go to the 'Security' tab and add the 'Administrators' group and give them 'Full Control'

    4. Job done!

    You MAY have to make standard users an Administrator temporarily to browse to the profile share but you can set it back after.

  • Friday, October 21, 2011 12:47 AM
     
     

    Taking the above ideas and combining them I placed the following into our users logon script to run once.

    icacls \\servername\profiles$\%username% /grant administrators:(F) /T

    As the user has full access to their own profile they can grant permission by using the above command. In this case the administrators group is given Full (F) Access and /T for subdirectories and files.
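
The run-once grant described in the post above, written as an idempotent PowerShell logon script (an added example, not part of the thread or from any poster). It assumes PowerShell 3.0 or later on the client, keeps the `\\servername\profiles$` placeholder from the post, and addresses the group by the well-known SID of BUILTIN\Administrators (S-1-5-32-544) instead of by name.

```powershell
# Added example (not from the thread): idempotent version of the logon-script grant.
# Runs as the logged-on user, who already has Full Control on their own profile
# folder, so no ownership change is involved.
param(
    # Placeholder share name taken from the post; replace with the real profile share.
    [string]$ProfileRoot = '\\servername\profiles$'
)

$AdminsSid   = 'S-1-5-32-544'   # well-known SID of BUILTIN\Administrators
$FullControl = [System.Security.AccessControl.FileSystemRights]::FullControl

function Test-AdminsFullControl {
    param([string]$Path)
    # Read the ACEs as SIDs so the check does not depend on a localized group name.
    # Only the top-level profile folder is inspected, not every child object.
    $rules = (Get-Acl -LiteralPath $Path).GetAccessRules(
        $true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($rule in $rules) {
        if ($rule.IdentityReference.Value -eq $AdminsSid -and
            $rule.AccessControlType -eq 'Allow' -and
            ($rule.FileSystemRights -band $FullControl) -eq $FullControl) {
            return $true
        }
    }
    return $false
}

# Pre-Vista profiles use <username>; Vista/2008 and later use <username>.V2.
$candidates = @(
    (Join-Path $ProfileRoot $env:USERNAME),
    (Join-Path $ProfileRoot "$($env:USERNAME).V2")
)

foreach ($path in $candidates) {
    if (-not (Test-Path -LiteralPath $path)) { continue }
    if (Test-AdminsFullControl -Path $path) { continue }   # already granted, skip
    # Same grant as the post: Full control (F), recursing with /T; /C continues past
    # files that cannot be updated. The leading * tells icacls the name is a SID.
    & icacls.exe $path /grant "*${AdminsSid}:(F)" /T /C | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "icacls returned $LASTEXITCODE for $path"
    }
}
```

Because the script checks the existing ACL first, it can stay in the logon script permanently and only calls `icacls` for profiles that still lack the grant.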

     

  • Tuesday, December 06, 2011 5:11 PM
     
     Proposed Answer

    Braw1971! Thank you, Thank you!

    I added the line to our network logon script and it worked like a charm! We are fully 2008R2, so this is what the syntax looks like:

    IF INGROUP ("admin rights add group")  
        run ("icacls \\galfs01\profiles\%username%.V2 /grant ad\administrator:(F) /T")

    EndIF

    Thank you again

    • Proposed As Answer by Tallenbiz Tuesday, December 06, 2011 5:12 PM
  • Thursday, February 21, 2013 3:10 PM
     
     

    Hi David,

    Here I am trying to take a data backup of the user folder, i.e. the roaming profile. I have logged in as Administrator.

    If I take ownership of the profile I am able to open or copy the folders, but there will be a problem with users logging in on the workstation (files don't get copied to the user folder and it shows a profile error while logging in), and I am very tense that the roaming profile has stopped working.

    I wanted to take a backup of the users' data, since it is copying to the server. If that is not possible, please tell me the reason.


    Please help me to solve the issue.