Roaming Profile - Add Administrators rights to profile folder without taking ownership
-
Wednesday, May 20, 2009 7:36 AM
Hi
Is there any utility to apply 'Administrators' rights to a user's roaming profile folder on a Win2K3 server share without taking ownership and without affecting the user's existing permissions? I've already enabled the group policy (Add the Administrators security group to roaming user profiles) for the same, which is applicable only for newly created IDs. Any help will be highly appreciated.
Brgds
Shanavas
All Replies
-
Friday, May 22, 2009 8:07 AM
Hello Shanavas,
No. There is no such utility to apply "Administrators" rights to a user's roaming profile shared folder without taking ownership on a Windows Server 2003 computer.
Based on the research, when a roaming profile is written for the first time, only the user and System account have the full control permissions on the created folder (\\Server\Profile\Username) that contains the roaming profile on server.
Therefore, by default administrators do not have control of the user’s roaming profile.
To work around this behavior, you may consider creating the user profile folder with the Administrators full control permissions ahead of time, before the user uploads their roaming profile into the shared folder on the server.
If we want to apply "Administrators" rights to the user’s roaming folder after they have been initialized by the users, we may have to take the ownership of the roaming folder by administrator, and then grant the "Administrators" right on roaming profile folder.
Take ownership of folder
Takeown /f <path to shared folder> /a
Grant a folder with Administrator full control permission
icacls <path to shared folder> /grant "domainname\Administrators:(F)"
For more information, please refer to:
Roaming Profile Folders Do Not Allow Administrative Access
http://support.microsoft.com/kb/222043
Hope it helps.
This posting is provided "AS IS" with no warranties, and confers no rights.
- Proposed As Answer by David Shen Friday, May 22, 2009 8:10 AM
- Marked As Answer by David Shen Friday, May 22, 2009 2:28 PM
-
Friday, May 22, 2009 7:36 PM
Hi David,
Thanks a lot for the reply.
I've noticed that, taking ownership of the profile folder removes the user permission on the folder. So I had to re-apply the user permission. But by doing this most often the user gets a profile error while logging in. I've been doing this from the explorer. Does it mean that by using 'Takeown' and 'icacls' commands, we shouldn't face this issue?
Also is it OK to enable the group policy (Add the Administrators security group to roaming user profiles) in windows 2003 environment?
Thanks & Regards
Shanavas
-
Tuesday, April 05, 2011 4:27 PM
I actually worked out a way to fix this today without taking ownership of the folder. I too forgot to change the GPO BEFORE creating profiles. Anyway, here's how you can do it without breaking your profiles.
1. Log on to a machine as the problem user/s
2. Browse to your network share with the users' folders, usually \\***YOURSERVER***\Profiles$\
3. Right click on your users profile folder, go to the 'Security' tab and add the 'Administrators' group and give them 'Full Control'
4. Job done!
You MAY have to make standard users an Administrator temporarily to browse to the profile share but you can set it back after.
-
Friday, October 21, 2011 12:47 AM
Taking the above ideas and combining them I placed the following into our users logon script to run once.
icacls \\servername\profiles$\%username% /grant administrators:(F) /T
As the user has full access to their own profile they can grant permission by using the above command. In this case the administrators group is given Full (F) Access and /T for subdirectories and files.
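
The approach in the post above (the folder's owner adds the ACE, so ownership never changes hands), as an added PowerShell example that is not part of the original thread. It assumes the script runs in the user's logon context and that PowerShell is available on the client; the share path is the placeholder used in the post.

```powershell
# Added example, not code from the thread. Run as the profile's owner (the user).
param(
    # Placeholder path taken from the post; replace with your own profile share.
    [string]$ProfilePath = "\\servername\profiles`$\$env:USERNAME"
)
$ErrorActionPreference = 'Stop'

# S-1-5-32-544 is the well-known SID of BUILTIN\Administrators (locale independent).
$admins = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'
$full   = [System.Security.AccessControl.FileSystemRights]::FullControl

$acl         = Get-Acl -LiteralPath $ProfilePath
$ownerBefore = $acl.Owner

# Look at explicit and inherited rules, with identities returned as SIDs.
$rules   = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
$present = $rules | Where-Object {
    $_.IdentityReference.Value -eq $admins.Value -and
    $_.AccessControlType -eq 'Allow' -and
    ($_.FileSystemRights -band $full) -eq $full
}
if ($present) {
    # Safe to run on every logon: nothing is written when the ACE already exists.
    Write-Output "Administrators already have Full Control on $ProfilePath"
    return
}

# Inheritable ACE: applies to this folder, subfolders and files.
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $admins, $full, $inherit,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)

# AddAccessRule adds to the DACL; the user's and SYSTEM's entries stay in place.
$acl.AddAccessRule($rule)
Set-Acl -LiteralPath $ProfilePath -AclObject $acl

# Verify that the owner was not touched, since that is what breaks profile loading.
$after = Get-Acl -LiteralPath $ProfilePath
if ($after.Owner -ne $ownerBefore) {
    throw "Owner changed from $ownerBefore to $($after.Owner) on $ProfilePath"
}
Write-Output "Granted Administrators Full Control on $ProfilePath (owner still $ownerBefore)"
```

Unlike the /T switch in the post, this relies on ACL inheritance, so child items whose inheritance has been disabled will not receive the entry.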
-
Tuesday, December 06, 2011 5:11 PM
Braw1971! Thank you, Thank you!
I added the line to our network logon script and it worked like a charm! We are fully 2008R2, so this is what the syntax looks like:
IF INGROUP ("admin rights add group")
run ("icacls \\galfs01\profiles\%username%.V2 /grant ad\administrator:(F) /T")
EndIF
Thank you again
- Proposed As Answer by Tallenbiz Tuesday, December 06, 2011 5:12 PM
-
Thursday, February 21, 2013 3:10 PM
Hi David,
Here I am trying to take a data backup of the user folder, i.e. the roaming profile. I have logged in as Administrator.
If I take ownership of the profile, I am able to open or copy the folders, but there will be a problem with users logging in on the workstation (files don't get copied to the user folder and it shows a profile error while logging in), and I am very tense that the roaming profile stopped working.
I wanted to take a backup of the users' data, since it is copying to the server. If not possible, please tell me the reason.
Please help me to solve the issue.

