none
Administrator cannot access the Roaming Profiles Folder (URGENT)

    Question

  • 1. I have installed Active Directory (server 2003) and ENABLED the default domain policy option "Allow Administrator group to Roaming Profiles"
    2. Created a folder "PROFILES"  in Drive E:, set the FULL CONTROL permission to Everyone & Authenticated Users.
    3. Created a OU in domain as IT and also created a User "luqman" in this OU and set profile path as \\servername\PROFILES\%username%

    When the user LUQMAN login/logout from his PC, profile is created on the server folder PROFILES but administrator can not get access to this folder, if he wants for any reason

    Server is Windows Server 2003 and Client is XP pro SP2.

    I have done the process as serialed above.

    Where is the problem to gain ADMINISTRATOR access to users' profiles ?
    pls help as it is very urgent matter, I have to report today to my boss pls
    Wednesday, June 03, 2009 9:50 AM

Answers

  • Hi,

    First of all, please make sure the policy "Allow Administrator group to Roaming Profiles" was applied to client machines, run "gpupdate /force" or restart the clients and test.

    If the issue persists, run "rsop.msc" on clients to check if "Allow Administrator group to Roaming Profiles" was applied.

    For a small amount of users, you can try to configure the NTFS permission of the profile folder manually as a workaround.

    Thanks.

    This posting is provided "AS IS" with no warranties, and confers no rights.
    Thursday, June 04, 2009 10:28 AM
    Moderator
  • Hello Muhammed,

    The "add Adminsitrator Security Group to Roaming User Profiles" must be configured on the client computer for it to work. "Note: The setting must be configured on the client computer, not the server, for it to have any effect, because the client computer sets the file share permissions for the roaming profile at creation time."

    Another option for you might be to pre create the folder (Some might do this with a logon script) and grant all necessary permissions, then enable the "Do Not check for user Ownership of Roaming Profile folders"
    Isaac Oben MCITP:EA, MCSE
    Thursday, June 04, 2009 3:51 PM

All replies

  • Hello Muhammad,

    What you are seeing is normal. By default only respective users have full control of their profile. Now what you need to do is to take ownership of the profile and ad the Administrator to it. To do this, go to security, advanced, ownertab and take ownership. Then select permission tab, and make sure the allow permission fromparent to propagate is checked, to prevent this from happening again.

    If you are using GPO folder redirection, make sure you uncheck the "Grant the user Exclussive rights..."
    Isaac Oben MCITP:EA, MCSE
    • Proposed as answer by lforbes Thursday, June 04, 2009 5:58 AM
    Wednesday, June 03, 2009 4:28 PM
  • Dear Oben

    then what is the use of GPO option "Allow Administrator Security Group to Roaming User Profiles" within Computer Config -> Admin Templates -> System -> User Profiles

    I have also gone thru WEB and found the same as I told in my above email. Even found in the books written for "Active Directory".
    e.g. a book from SYBEX by JEREMY MOSKOWITZ, Chapter 8: Profiles: Local, Roaming, and Mandatory Page: 340 to 345, 356 ....

    What do you suggest ....

    Thursday, June 04, 2009 7:32 AM
  • Hi,

    First of all, please make sure the policy "Allow Administrator group to Roaming Profiles" was applied to client machines, run "gpupdate /force" or restart the clients and test.

    If the issue persists, run "rsop.msc" on clients to check if "Allow Administrator group to Roaming Profiles" was applied.

    For a small amount of users, you can try to configure the NTFS permission of the profile folder manually as a workaround.

    Thanks.

    This posting is provided "AS IS" with no warranties, and confers no rights.
    Thursday, June 04, 2009 10:28 AM
    Moderator
  • I agree with Issac , you should pre create the Roaming Profile Folders thus ensuring the inheritence is correct on them. If the user creates them automatically during logon only the user will have access to them.
    This posting is provided "AS IS" with no warranties, and confers no rights. Check out my blog at - http://chrisbeams.wordpress.com/
    • Proposed as answer by Chris Beams Thursday, June 04, 2009 12:51 PM
    Thursday, June 04, 2009 12:46 PM
  • I presume you have installed the hotfix and setup as in the following link; http://support.microsoft.com/kb/222043
    This posting is provided "AS IS" with no warranties, and confers no rights. Check out my blog at - http://chrisbeams.wordpress.com/
    Thursday, June 04, 2009 12:51 PM
  • Hello Muhammed,

    The "add Adminsitrator Security Group to Roaming User Profiles" must be configured on the client computer for it to work. "Note: The setting must be configured on the client computer, not the server, for it to have any effect, because the client computer sets the file share permissions for the roaming profile at creation time."

    Another option for you might be to pre create the folder (Some might do this with a logon script) and grant all necessary permissions, then enable the "Do Not check for user Ownership of Roaming Profile folders"
    Isaac Oben MCITP:EA, MCSE
    Thursday, June 04, 2009 3:51 PM
  • Just worked out how to fix this without re-creating all the existing profiles:

    1. Log on to a machine as the problem user

    2. Browse to you network share with the users profiles, usually \\***YOURSERVER***\Profiles$\

    3. Right click on the users profile folder, go to the 'Security' tab and add the 'Administrators' group and give them 'Full Control'

    http://www.domsyard.com/node/92
    • Proposed as answer by KeangMojo Saturday, December 03, 2011 1:13 PM
    Tuesday, April 05, 2011 4:36 PM